Windows Analysis Report ZAM#U00d3WIENIE.exe

Overview

General Information

Sample Name:ZAM#U00d3WIENIE.exe
Analysis ID:1634
MD5:328b34adced9ad8128d4079bcffde016
SHA1:fa03cb6529d634b2e30d042491c0c13e39fd445e
SHA256:95f59bb24f6c23995b22e40d5ba6785f9072da815451c04f61ee42f42a63089e

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: RegAsm connects to smtp port
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64native
  • ZAM#U00d3WIENIE.exe (PID: 5524 cmdline: 'C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe' MD5: 328B34ADCED9AD8128D4079BCFFDE016)
    • RegAsm.exe (PID: 8132 cmdline: 'C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 7904 cmdline: 'C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 5172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "margaridasantos@tccinfaes.comTccBps1427logmail.tccinfaes.comnappiboioffice203@gmail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.47770259316.000000001DF51000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000A.00000002.47770259316.000000001DF51000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: RegAsm.exe PID: 7904 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: RegAsm.exe PID: 7904 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Sigma Overview

Networking:

Sigma detected: RegAsm connects to smtp port
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 188.93.227.195, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 7904, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49801

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: RegAsm.exe.7904.10.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "margaridasantos@tccinfaes.comTccBps1427logmail.tccinfaes.comnappiboioffice203@gmail.com"}
Multi AV Scanner detection for submitted file
Source: ZAM#U00d3WIENIE.exe | Virustotal: Detection: 39%
Antivirus / Scanner detection for submitted sample
Source: ZAM#U00d3WIENIE.exe | Avira: detected
Antivirus detection for URL or domain
Source: http://mail.tccinfaes.com | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: mail.tccinfaes.com | Virustotal: Detection: 11%
Source: 1.0.ZAM#U00d3WIENIE.exe.400000.0.unpack | Avira: Label: TR/AD.Nekark.lqmid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_1CCC9E40 CryptUnprotectData, 10_2_1CCC9E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_1CCCA5C0 CryptUnprotectData, 10_2_1CCCA5C0
Source: ZAM#U00d3WIENIE.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 142.250.185.174:443 -> 192.168.11.20:49798 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.23.97:443 -> 192.168.11.20:49799 version: TLS 1.2

Networking:

Source: Joe Sandbox View | ASN Name: CLARANET-ASClaraNETLTDGB
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 188.93.227.195
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1FviMSiMRSfWOgPLBlxlGQKvgWlfpijyY HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/sr59ucabjssv5b6sasjsuoolj4ev8erp/1634114925000/00014782062933200622/*/1FviMSiMRSfWOgPLBlxlGQKvgWlfpijyY?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-0c-88-docs.googleusercontent.com | Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.11.20:49801 -> 188.93.227.195:587
Source: global traffic | TCP traffic: 192.168.11.20:49801 -> 188.93.227.195:587
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: RegAsm.exe, 0000000A.00000002.47770968136.000000001DFE6000.00000004.00000001.sdmp | String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: RegAsm.exe, 0000000A.00000002.47770259316.000000001DF51000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 0000000A.00000002.47770259316.000000001DF51000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 0000000A.00000002.47770259316.000000001DF51000.00000004.00000001.sdmp | String found in binary or memory: http://PBlDXJ.com
Source: RegAsm.exe, 0000000A.00000002.47771610172.000000001E06B000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 0000000A.00000002.47759222438.0000000001060000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 0000000A.00000002.47759222438.0000000001060000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 0000000A.00000002.47776987806.0000000020050000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 0000000A.00000002.47776987806.0000000020050000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enY
Source: RegAsm.exe, 0000000A.00000002.47770968136.000000001DFE6000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.47771832684.000000001E096000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000003.44277086950.00000000011B1000.00000004.00000001.sdmp | String found in binary or memory: http://fO3rkfp1rVsTw1Nq.net
Source: RegAsm.exe, 0000000A.00000002.47770968136.000000001DFE6000.00000004.00000001.sdmp | String found in binary or memory: http://fO3rkfp1rVsTw1Nq.nett-ql
Source: RegAsm.exe, 0000000A.00000002.47771610172.000000001E06B000.00000004.00000001.sdmp | String found in binary or memory: http://mail.tccinfaes.com
Source: RegAsm.exe, 0000000A.00000002.47771610172.000000001E06B000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0)
Source: RegAsm.exe, 0000000A.00000002.47771610172.000000001E06B000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 0000000A.00000002.47771610172.000000001E06B000.00000004.00000001.sdmp | String found in binary or memory: http://tccinfaes.com
Source: RegAsm.exe, 0000000A.00000002.47771610172.000000001E06B000.00000004.00000001.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: RegAsm.exe, 0000000A.00000002.47776987806.0000000020050000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.47759222438.0000000001060000.00000004.00000020.sdmp, 2D85F72862B55C4EADD9E66E06947F3D0.10.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: RegAsm.exe, 0000000A.00000002.47771610172.000000001E06B000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: RegAsm.exe, 0000000A.00000003.43346811095.0000000001070000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 0000000A.00000002.47758953442.000000000102D000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0c-88-docs.googleusercontent.com/
Source: RegAsm.exe, 0000000A.00000002.47758953442.000000000102D000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0c-88-docs.googleusercontent.com/&
Source: RegAsm.exe, 0000000A.00000003.43350525856.0000000001070000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0c-88-docs.googleusercontent.com/docrO
Source: RegAsm.exe, 0000000A.00000003.43346811095.0000000001070000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0c-88-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/sr59ucab
Source: RegAsm.exe, 0000000A.00000002.47758636783.0000000000FE8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 0000000A.00000002.47758636783.0000000000FE8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1FviMSiMRSfWOgPLBlxlGQKvgWlfpijyY
Source: RegAsm.exe, 0000000A.00000003.43346811095.0000000001070000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1FviMSiMRSfWOgPLBlxlGQKvgWlfpijyYKXe3C2iZ68gCJpLiE
Source: RegAsm.exe, 0000000A.00000002.47758636783.0000000000FE8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1FviMSiMRSfWOgPLBlxlGQKvgWlfpijyYr5
Source: RegAsm.exe, 0000000A.00000002.47758479429.0000000000F50000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1FviMSiMRSfWOgPLBlxlGQKvgWlfpijyYwininet.dllMozilla/5
Source: RegAsm.exe, 0000000A.00000002.47770259316.000000001DF51000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.47776226547.000000001E454000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 0000000A.00000002.47770259316.000000001DF51000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 0000000A.00000002.47770259316.000000001DF51000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 0000000A.00000002.47770259316.000000001DF51000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 0000000A.00000002.47776226547.000000001E454000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RegAsm.exe, 0000000A.00000002.47770259316.000000001DF51000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: drive.google.com
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1FviMSiMRSfWOgPLBlxlGQKvgWlfpijyY HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/sr59ucabjssv5b6sasjsuoolj4ev8erp/1634114925000/00014782062933200622/*/1FviMSiMRSfWOgPLBlxlGQKvgWlfpijyY?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-0c-88-docs.googleusercontent.com | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 142.250.185.174:443 -> 192.168.11.20:49798 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.23.97:443 -> 192.168.11.20:49799 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D
Source: ZAM#U00d3WIENIE.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_004016FE
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_0040174B
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_0040150F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CC1130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CCBA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CC3A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CC4320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CCC7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CC3708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CD55B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CD5F77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CD6147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CDA300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CD7978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00D26D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00D207E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_012E9937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_012EC3A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_012E4EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_012EF2E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_012E3330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_012ED7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_1CCCE4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_1CCC2ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_1CCCBAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_1CCC6E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_1CCCB1F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_1CCC7548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_1CCCCA98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_1CCC7648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_1DDB5E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_1DDB4ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_1DDB5D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_1DDB6AD1
Source: ZAM#U00d3WIENIE.exe, 00000001.00000000.42712268826.0000000000417000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameENSARTET.exe vs ZAM#U00d3WIENIE.exe
Source: ZAM#U00d3WIENIE.exe | Binary or memory string: OriginalFilenameENSARTET.exe vs ZAM#U00d3WIENIE.exe
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: edgegdi.dll
Source: ZAM#U00d3WIENIE.exe | Virustotal: Detection: 39%
Source: ZAM#U00d3WIENIE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe 'C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe'
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe'
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe'
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | File created: C:\Users\user\AppData\Local\Temp\~DF7B2EBF754B6A6AD7.TMP
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@6/3@4/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5172:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5172:304:WilStaging_02
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_00403A41 push ds; ret 1_2_00403A44
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_0040347B push edx; iretd 1_2_004034AA
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_00404C38 push 0000002Fh; ret 1_2_00404C3A
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_00403EDB push ss; ret 1_2_00403EDC
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_004042EE push ds; ret 1_2_00404308
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_004060F5 push ds; ret 1_2_004060F8
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_00405E83 push ebx; iretd 1_2_00405EA4
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_004056A7 push ds; ret 1_2_004056B8
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_004044B9 push ebp; iretd 1_2_004044BA
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_00403955 push ds; ret 1_2_00403960
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_00404367 push edx; ret 1_2_00404368
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_00405B03 push ds; retf 1_2_00405B10
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_0040413E push ss; iretd 1_2_00404148
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_004069F1 push ds; iretd 1_2_00406A20
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_0040419B push ss; iretd 1_2_00404148
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_0040539E push 00000033h; ret 1_2_004053A0
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_023B2669 push ebx; iretd 1_2_023B266B
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_023B084A push ss; iretd 1_2_023B0857
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_023B4ACE push eax; ret 1_2_023B4AD0
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_023B557A push ds; retf 1_2_023B557B
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_023B457D push eax; retf 1_2_023B457C
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_023B4561 push eax; retf 1_2_023B457C
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 1_2_023B31B4 push ecx; retf 1_2_023B3244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CDB838 push ebx; retf 10_2_00CDC186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CDC178 push ebx; retf 10_2_00CDC186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00CDBBA0 push ebx; retf 10_2_00CDBBCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00D21918 push ds; ret 10_2_00D21A0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00D230B1 push BBD81CD0h; retf 10_2_00D230BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00DBC1D8 push ds; retf 10_2_00DBC1DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00DBC1FC push ds; retf 10_2_00DBC1FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00DBC1F0 push ds; retf 10_2_00DBC1F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
          Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: <