

Windows Analysis Report PEDIDO.exe

Overview

General Information

Sample Name: PEDIDO.exe
Analysis ID: 1664
MD5: 8bc016e5779262b772d16903af6e142c
SHA1: 5fa020fa3a63a481eff19fca06e11c424d346e9f
SHA256: 69a8e2fa9664dce4cb9ab2d1a2e7ba67bd0516b9e4c8608e9c246d614be3241f

Detection

Families: AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64native
  • PEDIDO.exe (PID: 7080 cmdline: 'C:\Users\user\Desktop\PEDIDO.exe' MD5: 8BC016E5779262B772D16903AF6E142C)
    • RegAsm.exe (PID: 412 cmdline: 'C:\Users\user\Desktop\PEDIDO.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 420 cmdline: 'C:\Users\user\Desktop\PEDIDO.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 432 cmdline: 'C:\Users\user\Desktop\PEDIDO.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 428 cmdline: 'C:\Users\user\Desktop\PEDIDO.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "margaridasantos@tccinfaes.comTccBps1427logmail.tccinfaes.comsarahmorg434@gmail.com"}

The "SMTP Info" value is four extractor fields run together. Read against the SMTP host mail.tccinfaes.com and the 188.93.227.195:587 connection recorded elsewhere in this report, they are: sending account margaridasantos@tccinfaes.com, password TccBps1427log, server mail.tccinfaes.com, recipient sarahmorg434@gmail.com. These are the operator's exfiltration channel (the sending mailbox may be a compromised legitimate account), so they are indicators to block and hunt on, not data belonging to the infected host.

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.74041380442.000000001DC01000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.74041380442.000000001DC01000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.69378058879.0000000002AA0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: RegAsm.exe PID: 428 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RegAsm.exe PID: 428 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

            Sigma Overview

            Networking:

Sigma detected: RegAsm connects to smtp port
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 188.93.227.195, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 428, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49827
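The Sigma hit above is a single Sysmon Event ID 3 record. The process tree shows the second condition an analyst would want to alert on: a RegAsm.exe child whose command line is the dropper's own path ('C:\Users\user\Desktop\PEDIDO.exe') rather than a RegAsm invocation, which is what a hollowed child looks like. The Python below is an added example, not part of the Joe Sandbox report or of the Sigma rule itself. It encodes both conditions as functions and runs them over constructed Sysmon-style events: the first and third events are modelled on the data in this report, while the benign RegAsm registration, the msbuild.exe parent and the mail-client process are made up for contrast.

```python
import ntpath

SMTP_PORTS = {25, 465, 587}


def _basename(path):
    # ntpath handles Windows separators regardless of the OS the rule runs on
    return ntpath.basename(path.strip("'\"")).lower()


def _cmdline_image(cmdline):
    """Best-effort: the executable a command line names, honouring a quoted first token."""
    cmdline = cmdline.strip()
    if cmdline[:1] in ("'", '"'):
        quote = cmdline[0]
        end = cmdline.find(quote, 1)
        return _basename(cmdline[1:end] if end > 0 else cmdline[1:])
    return _basename(cmdline.split(" ", 1)[0])


def regasm_smtp(event):
    """Logic of the report's Sigma rule: RegAsm.exe initiating a connection to an SMTP port."""
    return (event.get("EventID") == 3
            and event.get("Initiated") is True
            and _basename(event.get("Image", "")) == "regasm.exe"
            and int(event.get("DestinationPort", 0)) in SMTP_PORTS)


def regasm_cmdline_mismatch(event):
    """Process create whose image is RegAsm.exe but whose command line names another
    executable: the PEDIDO.exe -> RegAsm.exe pattern from the process tree."""
    if event.get("EventID") != 1:
        return False
    image = _basename(event.get("Image", ""))
    if image != "regasm.exe":
        return False
    return _cmdline_image(event.get("CommandLine", "")) != image


RULES = {
    "RegAsm connects to smtp port": regasm_smtp,
    "RegAsm image / command line mismatch": regasm_cmdline_mismatch,
}


def evaluate(events):
    """Return [(rule_name, event_index), ...] for every event a rule matches."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, idx))
    return hits


# Constructed Sysmon-style events (field names follow Sysmon Event ID 1 and 3).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"'C:\Users\user\Desktop\PEDIDO.exe'",
     "ParentImage": r"C:\Users\user\Desktop\PEDIDO.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase Lib.dll',
     "ParentImage": r"C:\Program Files\Build\msbuild.exe"},   # benign registration, made up
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "Initiated": True, "Protocol": "tcp", "SourceIp": "192.168.11.20", "SourcePort": 49827,
     "DestinationIp": "188.93.227.195", "DestinationPort": 587},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "Initiated": True, "Protocol": "tcp", "DestinationIp": "172.217.168.46", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mail\client.exe",   # made-up mail client
     "Initiated": True, "Protocol": "tcp", "DestinationIp": "10.0.0.5", "DestinationPort": 587},
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{name}: event {idx}")
```

Only the hollowed child (event 0) and the outbound 587 connection from RegAsm.exe (event 2) fire; the legitimate RegAsm invocation, the TLS connection to Google and the mail client on 587 do not. The command-line check is deliberately narrow to RegAsm.exe because that is what this sample abuses; the same image/command-line comparison applies to any other signed host process a loader hollows.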

            Jbx Signature Overview


            AV Detection:

Found malware configuration
Source: conhost.exe.7136.7.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "margaridasantos@tccinfaes.comTccBps1427logmail.tccinfaes.comsarahmorg434@gmail.com"}
Antivirus detection for URL or domain
Source: http://mail.tccinfaes.com | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: mail.tccinfaes.com | Virustotal: Detection: 11%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_1C9C2338 CryptUnprotectData
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_1C9C2A70 CryptUnprotectData
Source: PEDIDO.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49795 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.181.225:443 -> 192.168.11.20:49796 version: TLS 1.2

            Networking:

Source: Joe Sandbox View | ASN Name: CLARANET-ASClaraNETLTDGB
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 188.93.227.195
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1G3zuBgFp3XG7uq2Ao6_gnm0hCT-90hBP HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/rnd0dmujjgbkrh52f3e2mg4i3inr6at3/1634201175000/11595216098898371304/*/1G3zuBgFp3XG7uq2Ao6_gnm0hCT-90hBP?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-0g-as-docs.googleusercontent.com | Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.11.20:49827 -> 188.93.227.195:587
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 entries)
Source: RegAsm.exe, 00000006.00000002.74041380442.000000001DC01000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000006.00000002.74042766614.000000001DCF9000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000003.70287265297.0000000000F61000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74043481824.000000001DD48000.00000004.00000001.sdmp | String found in binary or memory: http://1rfE3t8xqRYG9cY.net
Source: RegAsm.exe, 00000006.00000002.74042766614.000000001DCF9000.00000004.00000001.sdmp | String found in binary or memory: http://1rfE3t8xqRYG9cY.netD
Source: RegAsm.exe, 00000006.00000002.74042766614.000000001DCF9000.00000004.00000001.sdmp | String found in binary or memory: http://1rfE3t8xqRYG9cY.nett-
Source: RegAsm.exe, 00000006.00000002.74041380442.000000001DC01000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000006.00000002.74041380442.000000001DC01000.00000004.00000001.sdmp | String found in binary or memory: http://GkEcfT.com
Source: RegAsm.exe, 00000006.00000003.70368102038.000000001FE0D000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000006.00000003.69349934018.0000000000EF3000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000006.00000003.69349934018.0000000000EF3000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000006.00000002.74049220847.000000001FD60000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000006.00000002.74049220847.000000001FD60000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enr
Source: RegAsm.exe, 00000006.00000002.74043153246.000000001DD1B000.00000004.00000001.sdmp | String found in binary or memory: http://mail.tccinfaes.com
Source: RegAsm.exe, 00000006.00000003.70368102038.000000001FE0D000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0)
Source: RegAsm.exe, 00000006.00000003.70368102038.000000001FE0D000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000006.00000002.74043153246.000000001DD1B000.00000004.00000001.sdmp | String found in binary or memory: http://tccinfaes.com
Source: RegAsm.exe, 00000006.00000003.70368102038.000000001FE0D000.00000004.00000001.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: RegAsm.exe, 00000006.00000002.74032045876.0000000000ED3000.00000004.00000020.sdmp, 2D85F72862B55C4EADD9E66E06947F3D.6.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: RegAsm.exe, 00000006.00000003.70368102038.000000001FE0D000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: RegAsm.exe, 00000006.00000002.74032045876.0000000000ED3000.00000004.00000020.sdmp | String found in binary or memory: http://x1.i.lencr.org/:Z
Source: RegAsm.exe, 00000006.00000002.74049220847.000000001FD60000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/D
Source: RegAsm.exe, 00000006.00000003.70368102038.000000001FE0D000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org:80/=
Source: RegAsm.exe, 00000006.00000003.69349934018.0000000000EF3000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000006.00000002.74031926505.0000000000EB8000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0g-as-docs.googleusercontent.com/
Source: RegAsm.exe, 00000006.00000003.69349876616.0000000000EE7000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0g-as-docs.googleusercontent.com/%%doc-0g-as-docs.googleusercontent.com
Source: RegAsm.exe, 00000006.00000003.69349934018.0000000000EF3000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0g-as-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/rnd0dmuj
Source: RegAsm.exe, 00000006.00000002.74031570400.0000000000E68000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000006.00000002.74031570400.0000000000E68000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/n
Source: RegAsm.exe, 00000006.00000003.69349934018.0000000000EF3000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74031185324.0000000000DB0000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1G3zuBgFp3XG7uq2Ao6_gnm0hCT-90hBP
Source: RegAsm.exe, 00000006.00000003.69349934018.0000000000EF3000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1G3zuBgFp3XG7uq2Ao6_gnm0hCT-90hBP2Z18XHWq5VUtwT2Ok
Source: RegAsm.exe, 00000006.00000002.74031570400.0000000000E68000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1G3zuBgFp3XG7uq2Ao6_gnm0hCT-90hBPE
Source: RegAsm.exe, 00000006.00000002.74042052956.000000001DC95000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74042361635.000000001DCB3000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 00000006.00000002.74042052956.000000001DC95000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 00000006.00000002.74042052956.000000001DC95000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 00000006.00000002.74042052956.000000001DC95000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 00000006.00000002.74042361635.000000001DCB3000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RegAsm.exe, 00000006.00000002.74041380442.000000001DC01000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: drive.google.com
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D
Source: C:\Users\user\Desktop\PEDIDO.exe | Code functions: 1_2_00401673, 1_2_00401626, 1_2_00401437, 1_2_02AA5290, 1_2_02AA1623, 1_2_02AA1A0E, 1_2_02AA398D, 1_2_02AA6733, 1_2_02AA071E, 1_2_02AA391C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code functions: 6_2_00A41130, 6_2_00A43A50, 6_2_00A4BA58, 6_2_00A44320, 6_2_00A4C7B8, 6_2_00A43708, 6_2_00AA6D90, 6_2_00AA07E0, 6_2_00B3C04B, 6_2_00B3BF79, 6_2_00E478D0, 6_2_00E4F540, 6_2_00E47A3F, 6_2_00E4D7A8, 6_2_00E46728, 6_2_00E444F8, 6_2_00E43330, 6_2_1C9C7096, 6_2_1C9CAC28, 6_2_1C9C6908, 6_2_1C9CF260, 6_2_1C9CCB97, 6_2_1C9C0006, 6_2_1C9C0040, 6_2_1C9C6148, 6_2_1FD45E08, 6_2_1FD44ACC, 6_2_1FD45DC1, 6_2_1FD46AF1
Source: PEDIDO.exe, 00000001.00000000.68987414671.0000000000416000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename Lurifaksernes.exe vs PEDIDO.exe
Source: PEDIDO.exe | Binary or memory string: OriginalFilename Lurifaksernes.exe vs PEDIDO.exe
Source: C:\Users\user\Desktop\PEDIDO.exe | Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: edgegdi.dll
Source: PEDIDO.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PEDIDO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PEDIDO.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\PEDIDO.exe 'C:\Users\user\Desktop\PEDIDO.exe'
Source: C:\Users\user\Desktop\PEDIDO.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe' (4 entries, matching RegAsm.exe PIDs 412, 420, 432 and 428 in the process tree)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
Source: C:\Users\user\Desktop\PEDIDO.exe | File created: C:\Users\user\AppData\Local\Temp\~DFFF706F9495D122F7.TMP
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@10/3@4/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
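The JA3 fingerprint 37f463bf4616ecd445d4a1937da06e19 listed under Networking is an MD5 over fields of the TLS ClientHello (client version, cipher suites, extension types, supported groups, EC point formats, with GREASE values removed), which is why the same value recurs across unrelated samples that share an HTTP stack. Pivoting on it requires computing it from captured traffic. The Python below is an added example and not part of the Joe Sandbox report: it parses a TLS record carrying a ClientHello and derives the JA3 string and hash. The ClientHello it builds is constructed for the demonstration (the "localhost" SNI, the cipher list and the GREASE placeholders are made up to exercise the parser); it is not the sample's ClientHello and will not reproduce the report's fingerprint.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are skipped so randomised placeholders do not alter the hash.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16s(blob):
    """Decode a big-endian uint16 list, dropping GREASE values."""
    vals = [struct.unpack(">H", blob[i:i + 2])[0] for i in range(0, len(blob), 2)]
    return [v for v in vals if v not in GREASE]


def ja3_string(record):
    """Return the JA3 field string for a TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                         # skip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                 # handshake type + 3-byte length
    version = struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2 + 32                           # client_version + random
    sid_len = hs[pos]; pos += 1 + sid_len   # session_id
    cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]; pos += 2
    ciphers = _u16s(hs[pos:pos + cs_len]); pos += cs_len
    comp_len = hs[pos]; pos += 1 + comp_len  # compression_methods
    ext_types, groups, formats = [], [], []
    if pos < len(hs):                       # extensions block is optional
        ext_len = struct.unpack(">H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", hs[pos:pos + 4]); pos += 4
            body = hs[pos:pos + elen]; pos += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 10:                 # supported_groups: 2-byte list length + uint16s
                groups = _u16s(body[2:2 + struct.unpack(">H", body[:2])[0]])
            elif etype == 11:               # ec_point_formats: 1-byte list length + uint8s
                formats = list(body[1:1 + body[0]])
    dash = lambda xs: "-".join(str(x) for x in xs)
    return f"{version},{dash(ciphers)},{dash(ext_types)},{dash(groups)},{dash(formats)}"


def ja3_hash(record):
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def _ext(etype, body):
    return struct.pack(">HH", etype, len(body)) + body


def build_sample_client_hello():
    """Constructed ClientHello (not captured traffic) that exercises GREASE stripping."""
    ciphers = [0x0a0a, 0x1301, 0x1302, 0xc02b]          # first entry is GREASE
    groups = [0x001d, 0x0017]                            # x25519, secp256r1
    exts = (_ext(0x1a1a, b"\x00")                        # GREASE extension
            + _ext(0, b"\x00\x0c\x00\x00\x09localhost")  # server_name, made-up host
            + _ext(10, struct.pack(">H", 4) + b"".join(struct.pack(">H", g) for g in groups))
            + _ext(11, b"\x01\x00")                      # ec_point_formats: uncompressed
            + _ext(13, b"\x00\x02\x04\x03"))             # signature_algorithms
    body = (struct.pack(">H", 0x0303) + b"\x00" * 32 + b"\x00"
            + struct.pack(">H", len(ciphers) * 2) + b"".join(struct.pack(">H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    rec = build_sample_client_hello()
    print(ja3_string(rec))
    print(ja3_hash(rec))
```

The constructed hello yields the string 771,4865-4866-49195,0-10-11-13,29-23,0: the GREASE cipher and GREASE extension are gone, and the version field is the ClientHello's legacy version, not the record-layer version. Two caveats when hunting on a JA3 such as the one in this report: the same fingerprint is shared by every client built on the same TLS stack (here a .NET process using SChannel), so it is a weak indicator on its own, and Windows patches that change the default cipher order change the fingerprint.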

            Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000001.00000002.69378058879.0000000002AA0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 1_2_00405AC6 push esi; ret 1_2_00405ACD
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 1_2_004046A8 push es; ret 1_2_004046EF
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 1_2_02AA095A push es; retf 1_2_02AA095C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_1C9CAC28 push edi; retn 1C9Ch 6_2_1C9CC81D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\PEDIDO.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (39 identical entries)