
Analysis Report SUNCOAST-purchase-order.XML.newfile.xls.email.exe

Overview

General Information

Sample Name:SUNCOAST-purchase-order.XML.newfile.xls.email.exe
Analysis ID:255472
MD5:1d0a3add6c6703a3d1ec62e72e17bb92
SHA1:5e7976dd454082391f258365aece4a0af91c9940
SHA256:a453ccce3dcd1e9b412dbe724af9a04c4f91c994097258f935cf23301156615b

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM_3
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "BELsEtdJwE6VYi", "URL: ": "http://M2Huy166I2o7nP3C2wv5.org", "To: ": "mobile.mailer@yandex.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "yL9EFpP", "From: ": "mobile.mailer@yandex.com"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
SUNCOAST-purchase-order.XML.newfile.xls.email.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xfe8d:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.1546555448.0000000000EE2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xfc8d:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000002.00000002.1549066948.00000000034B8000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.1549066948.00000000034B8000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1299513311.0000000004001000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000000.1295950495.00000000001E2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xfc8d:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.SUNCOAST-purchase-order.XML.newfile.xls.email.exe.ee0000.1.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xfe8d:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.0.SUNCOAST-purchase-order.XML.newfile.xls.email.exe.bb0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xfe8d:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
2.2.SUNCOAST-purchase-order.XML.newfile.xls.email.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.SUNCOAST-purchase-order.XML.newfile.xls.email.exe.1e0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xfe8d:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
2.0.SUNCOAST-purchase-order.XML.newfile.xls.email.exe.ee0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xfe8d:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe.6156.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "BELsEtdJwE6VYi", "URL: ": "http://M2Huy166I2o7nP3C2wv5.org", "To: ": "mobile.mailer@yandex.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "yL9EFpP", "From: ": "mobile.mailer@yandex.com"}
Machine Learning detection for sample
Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Joe Sandbox ML: detected
Source: global traffic | TCP traffic: 192.168.2.5:49749 -> 77.88.21.158:587
Source: unknown | DNS traffic detected: queries for: smtp.yandex.com

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: SUNCOAST-purchase-order.XML.newfile.xls.email.exe
Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Binary or memory string: OriginalFilename vs SUNCOAST-purchase-order.XML.newfile.xls.email.exe
Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000000.00000002.1298901431.0000000002F41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs SUNCOAST-purchase-order.XML.newfile.xls.email.exe
Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000000.00000002.1299513311.0000000004001000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRMJClIuaRNPakjfzrvWLtn.exe4 vs SUNCOAST-purchase-order.XML.newfile.xls.email.exe
Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000000.00000002.1299513311.0000000004001000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs SUNCOAST-purchase-order.XML.newfile.xls.email.exe
Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000002.00000002.1554474306.0000000006990000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SUNCOAST-purchase-order.XML.newfile.xls.email.exe
Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000002.00000002.1554405762.0000000006980000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs SUNCOAST-purchase-order.XML.newfile.xls.email.exe
Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000002.00000002.1554239963.0000000006970000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs SUNCOAST-purchase-order.XML.newfile.xls.email.exe
Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000002.00000002.1552608482.0000000006360000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SUNCOAST-purchase-order.XML.newfile.xls.email.exe
Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000002.00000002.1547722719.00000000015DA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SUNCOAST-purchase-order.XML.newfile.xls.email.exe
Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000002.00000002.1546520465.0000000000448000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRMJClIuaRNPakjfzrvWLtn.exe4 vs SUNCOAST-purchase-order.XML.newfile.xls.email.exe
Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000002.00000002.1546793367.00000000012F7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SUNCOAST-purchase-order.XML.newfile.xls.email.exe
Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Binary or memory string: OriginalFilenamevOWAk.exe2 vs SUNCOAST-purchase-order.XML.newfile.xls.email.exe
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000002.00000002.1546555448.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000001.00000000.1295950495.00000000001E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000002.00000000.1297047614.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000001.00000002.1296417216.00000000001E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000002.1297850825.0000000000BB2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000000.1275112773.0000000000BB2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: Process Memory Space: SUNCOAST-purchase-order.XML.newfile.xls.email.exe PID: 7160, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: Process Memory Space: SUNCOAST-purchase-order.XML.newfile.xls.email.exe PID: 7104, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: Process Memory Space: SUNCOAST-purchase-order.XML.newfile.xls.email.exe PID: 6156, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 2.2.SUNCOAST-purchase-order.XML.newfile.xls.email.exe.ee0000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 0.0.SUNCOAST-purchase-order.XML.newfile.xls.email.exe.bb0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 1.2.SUNCOAST-purchase-order.XML.newfile.xls.email.exe.1e0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 2.0.SUNCOAST-purchase-order.XML.newfile.xls.email.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 0.2.SUNCOAST-purchase-order.XML.newfile.xls.email.exe.bb0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 1.0.SUNCOAST-purchase-order.XML.newfile.xls.email.exe.1e0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/2
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SUNCOAST-purchase-order.XML.newfile.xls.email.exe.log
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 occurrences)
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
          Source: unknown | Process created: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe 'C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe {path} (2 occurrences)
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Process created: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe {path} (2 occurrences)
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Code function: 0_2_016DD560 push C3FFFFE9h; ret 0_2_016DD584
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Code function: 0_2_016DF650 push eax; iretd 0_2_016DF67D
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Code function: 0_2_07BA61EC push eax; iretd 0_2_07BA61ED
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Code function: 2_2_05C5CC02 push E802005Eh; ret 2_2_05C5CC09
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Code function: 2_2_05C5F010 pushfd ; ret 2_2_05C5F019
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Code function: 2_2_0696D680 push es; retf 2_2_0696D6D0
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Code function: 2_2_0696C5A0 push es; ret 2_2_0696C5B0
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Code function: 2_2_0696D293 push esp; iretd 2_2_0696D298
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Code function: 2_2_0696B2C0 push es; ret 2_2_0696B2D6
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Code function: 2_2_06961808 push cs; iretd 2_2_0696180F
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Code function: 2_2_0696705B push 8BFFFFFFh; ret 2_2_06967061
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Code function: 2_2_06A8ACDE push eax; iretd 2_2_06A8ACE0
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Code function: 2_2_06A8512F push edi; retn 0000h 2_2_06A85131
          Source: initial sample | Static PE information: section name: .text entropy: 7.92726289839
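Two of the findings listed above describe the same unpacking chain from opposite ends: the SUSP_Reversed_Base64_Encoded_EXE matches on the sample, on every memory dump and on every unpacked image say the next-stage executable is stored as base64 text written backwards (so a forward search for the familiar TVqQAAMA prefix of a DOS header finds nothing), and the 7.93 entropy of the .text section says that section carries packed or encrypted data rather than ordinary code. The Python below is an added example, not the sandbox's code and not Florian Roth's rule (the rule's strings are not reproduced): it builds a constructed minimal PE32 image with a high-entropy .text section and a reversed-base64 copy of a second constructed image in .rsrc, scores every section's entropy through a small section-table parser, and carves the hidden image by testing each long base64 run both as written and reversed, validating hits through e_lfanew to the PE signature. The image builder, the section names, the 7.0 entropy cut-off and the 64-character minimum run length are assumptions chosen for the example.

```python
from __future__ import annotations

import base64
import binascii
import math
import re
import struct
from collections import Counter

_DOS_STUB = b"This program cannot be run in DOS mode.\r\n$"


def build_min_pe(sections: dict[str, bytes]) -> bytes:
    """Constructed minimal PE32 image (headers only, not executable). Only the fields the
    parser below reads are filled: e_lfanew, NumberOfSections, SizeOfOptionalHeader and
    one 40-byte section header per section, each pointing at 0x200-aligned raw data."""
    pe_off, opt_size = 0x80, 224
    mz = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    dos = (mz.ljust(0x3C, b"\x00") + struct.pack("<I", pe_off) + _DOS_STUB).ljust(pe_off, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = b"\x0b\x01".ljust(opt_size, b"\x00")                      # Magic = PE32
    raw_ptr = (pe_off + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, body, va = b"", b"", 0x1000
    for name, data in sections.items():
        size = (len(data) + 0x1FF) & ~0x1FF
        # Characteristics 0x60000020 = CNT_CODE | MEM_EXECUTE | MEM_READ, the flags reported above.
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, size,
                             raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(size, b"\x00")
        va += (size + 0xFFF) & ~0xFFF
    return (dos + b"PE\x00\x00" + coff + opt + table).ljust(raw_ptr, b"\x00") + body


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def section_entropies(image: bytes) -> dict[str, float]:
    """Walk the section table and score each section's raw bytes; this is the measurement
    behind the 'section name: .text entropy: 7.93' line above."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    n_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = {}
    for i in range(n_sections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        out[name.rstrip(b"\x00").decode()] = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
    return out


_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")   # 64 chars is an arbitrary minimum


def embed_reversed(payload: bytes) -> bytes:
    """The loader-side trick: base64 the payload, then store the text backwards."""
    return base64.b64encode(payload)[::-1]


def looks_like_pe(data: bytes) -> bool:
    """MZ at offset 0 and the PE signature where e_lfanew points; rules out chance matches."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"


def _decode_padded(text: bytes) -> bytes | None:
    """Reversing the text strips its '=' padding, so recompute it before decoding."""
    text = text.rstrip(b"=")
    try:
        return base64.b64decode(text + b"=" * (-len(text) % 4), validate=True)
    except binascii.Error:
        return None


def carve_embedded_pes(blob: bytes) -> list[tuple[int, str, bytes]]:
    """Try every long base64 run as written and reversed; keep the ones that decode to a PE."""
    hits = []
    for m in _B64_RUN.finditer(blob):
        for orientation, text in (("forward", m.group(0)), ("reversed", m.group(0)[::-1])):
            if text.startswith(b"TVqQ"):                  # base64 of b"MZ\x90": the DOS header
                data = _decode_padded(text)
                if data and looks_like_pe(data):
                    hits.append((m.start(), orientation, data))
                    break
    return hits


# Constructed outer/inner pair: .text stands in for packed code, .rsrc hides the inner image.
INNER_PE = build_min_pe({".text": b"\xcc" * 16})
OUTER_PE = build_min_pe({
    ".text": bytes(range(256)) * 4,
    ".rsrc": b'<resource name="cfg">' + embed_reversed(INNER_PE) + b"</resource>",
    ".data": b"\x00" * 0x200,
})
```

Calling section_entropies(OUTER_PE) gives 8.0 for .text, about 6 for .rsrc and 0.0 for .data; carve_embedded_pes(OUTER_PE) returns one hit flagged "reversed" whose bytes equal INNER_PE, while a plain search for the TVqQAAMA marker over the same image finds nothing. On this sample the rule fired on the memory dumps and unpacked images as well as on the file, so the carve is worth running over those dumped regions, not only the file on disk; the e_lfanew check is what keeps a coincidental run of base64 alphabet from becoming a false hit.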
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Process information set: NOOPENFILEERRORBOX (92 occurrences)

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: Process Memory Space: SUNCOAST-purchase-order.XML.newfile.xls.email.exe PID: 7104, type: MEMORY
          Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000000.00000002.1309144870.0000000009B94000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000000.00000002.1309144870.0000000009B94000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
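The thread-delay evidence that follows reads better as a whole than line by line: two threads (7124 and 3824) request a delay of 922337203685477, which is Int64.MaxValue in 100 ns ticks expressed in whole milliseconds, i.e. TimeSpan.MaxValue, a thread parking itself for good; thread 6204 runs a delay loop 781 times; and thread 3824 issues a long run of individual delays between roughly 41 and 89 thousand units, each above the 30000 limit the report prints beside it. The Python below is an added example, not part of this report or of Joe Sandbox: it parses a handful of the report's own lines (copied as printed, trimmed to the TID field), aggregates them per thread and attaches verdicts. It assumes the printed magnitudes are milliseconds (the report does not state the unit), reuses the limits printed in the evidence (30000 per call, 30 loop iterations), and adds an accumulated-delay limit of 150000 that is an arbitrary choice for the example.

```python
from __future__ import annotations

import re

# A subset of this report's thread-delay lines, trimmed to the TID field and copied
# as printed (constructed input for the parser; the report lists many more).
SLEEP_LINES = [
    "TID: 7108Thread sleep time: -41000s >= -30000s",
    "TID: 7124Thread sleep time: -922337203685477s >= -30000s",
    "TID: 3824Thread sleep time: -922337203685477s >= -30000s",
    "TID: 6204Thread sleep count: 781 > 30",
    "TID: 3824Thread sleep time: -89250s >= -30000s",
    "TID: 3824Thread sleep time: -88923s >= -30000s",
    "TID: 3824Thread sleep time: -58594s >= -30000s",
]

# Limits as printed in the evidence itself.
SINGLE_CALL_LIMIT = 30_000
LOOP_COUNT_LIMIT = 30
# Arbitrary limit for this example: several delays that each stay under the
# single-call limit but add up to minutes of waiting.
ACCUMULATED_LIMIT = 150_000
# Int64.MaxValue ticks of 100 ns in whole milliseconds, i.e. TimeSpan.MaxValue:
# the delay two threads in this report request, which never expires.
INFINITE_MS = (2**63 - 1) // 10_000        # 922337203685477

# Tolerates both the fused form above and a "TID: 3824 | Thread sleep ..." layout.
_LINE = re.compile(r"TID:\s*(\d+)\s*\|?\s*Thread sleep (time|count):\s*-?(\d+)")


def parse_sleep_evidence(lines: list[str]) -> list[tuple[int, str, int]]:
    """Return (tid, kind, value) triples with kind 'time' or 'count'; other lines are skipped."""
    out = []
    for line in lines:
        m = _LINE.search(line)
        if m:
            out.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return out


def assess(lines: list[str]) -> dict[int, dict]:
    """Aggregate the evidence per thread and attach verdicts (values assumed to be ms)."""
    threads: dict[int, dict] = {}
    for tid, kind, value in parse_sleep_evidence(lines):
        t = threads.setdefault(tid, {"calls": 0, "finite_ms": 0, "max_ms": 0,
                                     "infinite": False, "loop_count": 0, "verdicts": []})
        if kind == "count":
            t["loop_count"] = max(t["loop_count"], value)
            continue
        t["calls"] += 1
        if value >= INFINITE_MS:
            t["infinite"] = True           # kept out of the sum, it would swamp everything
        else:
            t["finite_ms"] += value
            t["max_ms"] = max(t["max_ms"], value)
    for t in threads.values():
        if t["infinite"]:
            t["verdicts"].append("infinite delay (TimeSpan.MaxValue): thread parks itself")
        if t["max_ms"] >= SINGLE_CALL_LIMIT:
            t["verdicts"].append(f"single delay {t['max_ms']} >= {SINGLE_CALL_LIMIT}")
        if t["loop_count"] > LOOP_COUNT_LIMIT:
            t["verdicts"].append(f"delay loop of {t['loop_count']} iterations")
        if t["calls"] > 1 and t["finite_ms"] >= ACCUMULATED_LIMIT:
            t["verdicts"].append(f"{t['finite_ms']} accumulated over {t['calls']} calls")
    return threads
```

assess(SLEEP_LINES) yields four threads: 7108 with one over-limit call, 7124 with only the infinite delay, 6204 with the 781-iteration loop and no timed calls, and 3824 with the infinite delay plus 236767 accumulated over its remaining calls. Summing per thread is the useful part: a sandbox that fast-forwards individual sleeps still has to get past the combined wait, and the TimeSpan.MaxValue sentinel is a stronger signal than any single number because no legitimate timer uses it.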
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Window / User API: threadDelayed 781
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 7108 | Thread sleep time: -41000s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 7124 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 6204 | Thread sleep count: 781 > 30
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -89250s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -88923s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -58594s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -58376s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -87282s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -58000s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -57500s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -57282s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -56876s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -56188s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -83673s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -55094s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -82314s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -82032s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -81750s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -54000s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -80673s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -80391s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -80064s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -52876s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -79032s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -78750s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -52094s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -51500s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -76500s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -50688s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -75750s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -49376s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -73782s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -49000s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -48594s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -48376s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -47688s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -47094s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -46000s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -45688s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -68250s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -44594s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -44376s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -44094s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -43876s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -43500s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -43282s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -42188s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -42000s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824 | Thread sleep time: -41094s >= -30000s
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -40876s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -60000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -39782s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -38000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -36500s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -34500s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -33594s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -33188s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -49500s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -32094s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -31876s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -31594s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -31188s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -31000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -30500s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -30282s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -30094s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -58876s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -58500s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -57782s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -56688s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -84750s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -55594s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -55376s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -54282s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -52282s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -51594s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -51188s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -50282s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -50094s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -49876s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -48782s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -48094s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -47876s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -71250s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -46782s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -46594s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -46376s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -45282s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -39000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -38688s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -38500s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -38282s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -37000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -36782s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -35688s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -35500s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -35000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -34782s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -33876s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -53000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe TID: 3824Thread sleep time: -49500s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Last function: Thread delayed
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000002.00000002.1552608482.0000000006360000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000000.00000002.1309144870.0000000009B94000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000000.00000002.1309144870.0000000009B94000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000000.00000002.1309144870.0000000009B94000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000000.00000002.1309144870.0000000009B94000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000000.00000002.1309144870.0000000009B94000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000002.00000002.1552608482.0000000006360000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000002.00000002.1552608482.0000000006360000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000000.00000002.1309144870.0000000009B94000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000000.00000002.1309144870.0000000009B94000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000000.00000002.1309144870.0000000009B94000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000002.00000002.1555138618.0000000006C30000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: SUNCOAST-purchase-order.XML.newfile.xls.email.exe, 00000002.00000002.1552608482.0000000006360000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\SUNCOAST-purchase-order.XML.newfile.xls.email.exe