
Analysis Report New Order.exe

Overview

General Information

Sample Name: New Order.exe
Analysis ID: 286323
MD5: de62a5dab135dba7f992aa357d7a5ce2
SHA1: a8070428eca816b47d177396c3b579ed5d30bfcc
SHA256: d18b49a5a492666909ad1d1d9f17b538d4c7da9c804fd5f694170ba46a05c708
Tags: exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • New Order.exe (PID: 3904 cmdline: 'C:\Users\user\Desktop\New Order.exe' MD5: DE62A5DAB135DBA7F992AA357D7A5CE2)
    • schtasks.exe (PID: 1520 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VUnUiAmf' /XML 'C:\Users\user\AppData\Local\Temp\tmpD69A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • New Order.exe (PID: 1772 cmdline: {path} MD5: DE62A5DAB135DBA7F992AA357D7A5CE2)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "GCaAkKV7t2fRtv", "URL: ": "https://v1wedKeiiqO.org", "To: ": "bdconsignment@unsecuritypeacekingkeeping.us", "ByHost: ": "mail.gayaceramic.com:587", "Password: ": "Jnd7W94LXyu", "From: ": "info@gayaceramic.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.460503140.000000000338C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.460503140.000000000338C000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.197272097.000000000369A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.452149469.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.460332339.0000000003301000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.New Order.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VUnUiAmf' /XML 'C:\Users\user\AppData\Local\Temp\tmpD69A.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VUnUiAmf' /XML 'C:\Users\user\AppData\Local\Temp\tmpD69A.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\New Order.exe', ParentImage: C:\Users\user\Desktop\New Order.exe, ParentProcessId: 3904, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VUnUiAmf' /XML 'C:\Users\user\AppData\Local\Temp\tmpD69A.tmp', ProcessId: 1520

Signature Overview


AV Detection:

Found malware configuration
Source: New Order.exe.1772.3.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "GCaAkKV7t2fRtv", "URL: ": "https://v1wedKeiiqO.org", "To: ": "bdconsignment@unsecuritypeacekingkeeping.us", "ByHost: ": "mail.gayaceramic.com:587", "Password: ": "Jnd7W94LXyu", "From: ": "info@gayaceramic.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\VUnUiAmf.exe | Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Roaming\VUnUiAmf.exe | ReversingLabs: Detection: 47%
Multi AV Scanner detection for submitted file
Source: New Order.exe | Virustotal: Detection: 20%
Source: New Order.exe | ReversingLabs: Detection: 47%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\VUnUiAmf.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: New Order.exe | Joe Sandbox ML: detected
Source: 3.2.New Order.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49750 -> 144.208.71.113:587
Source: global traffic | TCP traffic: 192.168.2.6:49750 -> 144.208.71.113:587
Source: Joe Sandbox View | ASN Name: IMH-WESTUS IMH-WESTUS
Source: unknown | DNS traffic detected: queries for: mail.gayaceramic.com
Source: New Order.exe, 00000003.00000002.460332339.0000000003301000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New Order.exe, 00000003.00000002.460332339.0000000003301000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: New Order.exe, 00000003.00000002.460845508.000000000340C000.00000004.00000001.sdmp | String found in binary or memory: http://gayaceramic.com
Source: New Order.exe, 00000003.00000002.460332339.0000000003301000.00000004.00000001.sdmp | String found in binary or memory: http://keVftO.com
Source: New Order.exe, 00000003.00000002.460845508.000000000340C000.00000004.00000001.sdmp | String found in binary or memory: http://mail.gayaceramic.com
Source: New Order.exe, 00000000.00000002.195044573.0000000002795000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New Order.exe, 00000000.00000002.194852299.0000000002641000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: New Order.exe, 00000003.00000002.460332339.0000000003301000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: New Order.exe, 00000000.00000002.197272097.000000000369A000.00000004.00000001.sdmp, New Order.exe, 00000003.00000002.452149469.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: New Order.exe, 00000003.00000002.460332339.0000000003301000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: New Order.exe, 00000003.00000002.460503140.000000000338C000.00000004.00000001.sdmp, New Order.exe, 00000003.00000002.460889479.0000000003419000.00000004.00000001.sdmp | String found in binary or memory: https://v1wedKeiiqO.org
Source: New Order.exe, 00000000.00000002.197272097.000000000369A000.00000004.00000001.sdmp, New Order.exe, 00000003.00000002.452149469.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New Order.exe, 00000003.00000002.460332339.0000000003301000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: New Order.exe
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_00BA8FC8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_00BA9FB8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C344C0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3F420
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C34FF8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C32710
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3E710
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C370A0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3E040
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C33070
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C35830
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3CA58
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C36228
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C35C99
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3A49F
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C35CA8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C344B0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3A4B8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3946A
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C39478
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3CD38
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C38ED8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C396E0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C38EE8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C396F0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C34FE7
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3F798
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C37FA9
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C37FB8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C31756
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C31758
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C398D8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C398E8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3708F
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C33060
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C35822
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3D978
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_01782178
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_01784CB8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_032A46A0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_032A35C4
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_032A4650
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_032A45D0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_032A5390
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_032A35B8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_032AD960
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_064E6C70
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_064E94F8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_064E7540
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_064EF880
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_064E6928
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_064E2571
Source: New Order.exe | Binary or memory string: OriginalFilename vs New Order.exe
Source: New Order.exe, 00000000.00000002.200330269.00000000064A0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs New Order.exe
Source: New Order.exe, 00000000.00000002.200330269.00000000064A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs New Order.exe
Source: New Order.exe, 00000000.00000002.194852299.0000000002641000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWinRar.dll. vs New Order.exe
Source: New Order.exe, 00000000.00000002.199853553.00000000063B0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs New Order.exe
Source: New Order.exe, 00000000.00000002.195044573.0000000002795000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNqOdTZwNYxJUUENyuUMjeHWLK.exe4 vs New Order.exe
Source: New Order.exe, 00000000.00000002.197272097.000000000369A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename7aj.exe: vs New Order.exe
Source: New Order.exe, 00000000.00000002.197272097.000000000369A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs New Order.exe
Source: New Order.exe, 00000003.00000002.459028571.0000000001770000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs New Order.exe
Source: New Order.exe, 00000003.00000002.469298977.0000000006A60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs New Order.exe
Source: New Order.exe, 00000003.00000002.466308942.0000000005850000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs New Order.exe
Source: New Order.exe, 00000003.00000002.454377215.0000000001337000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New Order.exe
Source: New Order.exe, 00000003.00000002.452149469.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameUNqOdTZwNYxJUUENyuUMjeHWLK.exe4 vs New Order.exe
Source: New Order.exe | Binary or memory string: OriginalFilename7aj.exe: vs New Order.exe
Source: New Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VUnUiAmf.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/3@2/1
Source: C:\Users\user\Desktop\New Order.exe | File created: C:\Users\user\AppData\Roaming\VUnUiAmf.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1552:120:WilError_01
Source: C:\Users\user\Desktop\New Order.exe | Mutant created: \Sessions\1\BaseNamedObjects\jRDzCgTaRvYGY
Source: C:\Users\user\Desktop\New Order.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD69A.tmp
Source: C:\Users\user\Desktop\New Order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\New Order.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\New Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\New Order.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: New Order.exe | Virustotal: Detection: 20%
Source: New Order.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\New Order.exe | File read: C:\Users\user\Desktop\New Order.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\New Order.exe 'C:\Users\user\Desktop\New Order.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VUnUiAmf' /XML 'C:\Users\user\AppData\Local\Temp\tmpD69A.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\New Order.exe {path}
Source: C:\Users\user\Desktop\New Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VUnUiAmf' /XML 'C:\Users\user\AppData\Local\Temp\tmpD69A.tmp'
Source: C:\Users\user\Desktop\New Order.exe | Process created: C:\Users\user\Desktop\New Order.exe {path}
Source: C:\Users\user\Desktop\New Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\New Order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\New Order.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: New Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: New Order.exe, agDX??jxvMEv/?ZvBd?uZi??EJ.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, ???????Q?W }, null, null)
Source: VUnUiAmf.exe.0.dr, agDX??jxvMEv/?ZvBd?uZi??EJ.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, ???????Q?W }, null, null)
Source: 0.0.New Order.exe.120000.0.unpack, agDX??jxvMEv/?ZvBd?uZi??EJ.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, ???????Q?W }, null, null)
Source: 0.2.New Order.exe.120000.0.unpack, agDX??jxvMEv/?ZvBd?uZi??EJ.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, ???????Q?W }, null, null)
Source: 3.2.New Order.exe.eb0000.1.unpack, agDX??jxvMEv/?ZvBd?uZi??EJ.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, ???????Q?W }, null, null)
Source: 3.0.New Order.exe.eb0000.0.unpack, agDX??jxvMEv/?ZvBd?uZi??EJ.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, ???????Q?W }, null, null)
.NET source code contains potential unpacker
Source: New Order.exe, agDX??jxvMEv/?ZvBd?uZi??EJ.cs | .Net Code: M?zaDobj??Ja System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: VUnUiAmf.exe.0.dr, agDX??jxvMEv/?ZvBd?uZi??EJ.cs | .Net Code: M?zaDobj??Ja System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.New Order.exe.120000.0.unpack, agDX??jxvMEv/?ZvBd?uZi??EJ.cs | .Net Code: M?zaDobj??Ja System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.New Order.exe.120000.0.unpack, agDX??jxvMEv/?ZvBd?uZi??EJ.cs | .Net Code: M?zaDobj??Ja System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.New Order.exe.eb0000.1.unpack, agDX??jxvMEv/?ZvBd?uZi??EJ.cs | .Net Code: M?zaDobj??Ja System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.New Order.exe.eb0000.0.unpack, agDX??jxvMEv/?ZvBd?uZi??EJ.cs | .Net Code: M?zaDobj??Ja System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3A48B pushfd ; ret 0_2_04C3A48E
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3174A push 2C04B67Fh; iretd 0_2_04C31755
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3706F push 6CD204C3h; ret 0_2_04C37076
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3700B push 6E2E04C3h; ret 0_2_04C37012
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3A008 push edx; retf 0_2_04C3A009
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C37037 push 658C04C3h; ret 0_2_04C37052
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_04C3A2DB push ecx; ret 0_2_04C3A2DD
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_0178BBC0 push es; ret 3_2_0178BBD0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_01784BB0 push es; ret 3_2_01784BC0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_01783FC6 push esi; iretd 3_2_01783FC7
Source: C:\Users\user\Desktop\New Order.exe | Code function: 3_2_064E8540 push es; ret 3_2_064E8550
Source: initial sample | Static PE information: section name: .text entropy: 7.84278722317
Source: C:\Users\user\Desktop\New Order.exe | File created: C:\Users\user\AppData\Roaming\VUnUiAmf.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VUnUiAmf' /XML 'C:\Users\user\AppData\Local\Temp\tmpD69A.tmp'
Source: C:\Users\user\Desktop\New Order.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\New Order.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match; File source: Process Memory Space: New Order.exe PID: 3904, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: New Order.exe, 00000000.00000002.195044573.0000000002795000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: New Order.exe, 00000000.00000002.195044573.0000000002795000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\New Order.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\New Order.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\New Order.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\New Order.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\New Order.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\New Order.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\New Order.exe; Thread delayed: delay time: 922337203685477 (2 entries)
Source: C:\Users\user\Desktop\New Order.exe; Window / User API: threadDelayed 454
Source: C:\Users\user\Desktop\New Order.exe TID: 5180; Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\Desktop\New Order.exe TID: 4532; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\New Order.exe TID: 5824; Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\New Order.exe TID: 6972; Thread sleep count: 257 > 30
Source: C:\Users\user\Desktop\New Order.exe TID: 5824; Thread sleep time: -59718s >= -30000s
Source: C:\Users\user\Desktop\New Order.exe TID: 6972; Thread sleep count: 454 > 30
Source: C:\Users\user\Desktop\New Order.exe TID: 5824; Thread sleep times (63 entries, each >= -30000s), in order: -89250s, -88968s, -58906s, -58406s, -57312s, -56218s, -52718s, -52000s, -49406s, -49218s, -47218s, -47000s, -46312s, -45906s, -68577s, -45218s, -45000s, -44812s, -44312s, -44094s, -43718s, -43218s, -43000s, -42812s, -42594s, -42218s, -41906s, -41312s, -40812s, -40594s, -40000s, -39094s, -38906s, -38000s, -36906s, -36500s, -54468s, -34906s, -34718s, -34406s, -33812s, -32906s, -48000s, -31812s, -46359s, -33468s, -30468s, -60000s, -58718s, -58000s, -46594s, -40312s, -39812s, -39594s, -38500s, -38312s, -36094s, -35218s, -34218s, -33094s, -31500s, -31094s, -45609s
Source: C:\Users\user\Desktop\New Order.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\New Order.exe; Last function: Thread delayed
Source: New Order.exe, 00000000.00000002.199178508.0000000005680000.00000004.00000001.sdmp; Binary or memory string: KtWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsVMware]
Source: New Order.exe, 00000000.00000002.199178508.0000000005680000.00000004.00000001.sdmp; Binary or memory string: VMware
Source: New Order.exe, 00000000.00000002.195044573.0000000002795000.00000004.00000001.sdmp; Binary or memory string: vmware
Source: New Order.exe, 00000000.00000002.195044573.0000000002795000.00000004.00000001.sdmp; Binary or memory string: m%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New Order.exe, 00000000.00000002.199178508.0000000005680000.00000004.00000001.sdmp; Binary or memory string: Win32_VideoController(Standard display types)VMwareMicrosoft Basic Display AdapterWin32_VideoControllerMicrosoft Basic Display AdapterVideoController120060621000000.000000-00066328177display.infMSBDAMicrosoft Basic Display AdapterPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsVMware
Source: New Order.exe, 00000000.00000002.195044573.0000000002795000.00000004.00000001.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New Order.exe, 00000000.00000002.195044573.0000000002795000.00000004.00000001.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: New Order.exe, 00000003.00000002.469077333.0000000006993000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: New Order.exe, 00000000.00000002.195044573.0000000002795000.00000004.00000001.sdmp; Binary or memory string: VMWARE
Source: New Order.exe, 00000000.00000002.195044573.0000000002795000.00000004.00000001.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New Order.exe, 00000000.00000002.195044573.0000000002795000.00000004.00000001.sdmp; Binary or memory string: m"SOFTWARE\VMware, Inc.\VMware Tools
Source: New Order.exe, 00000000.00000002.195044573.0000000002795000.00000004.00000001.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: New Order.exe, 00000000.00000002.195044573.0000000002795000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
Source: New Order.exe, 00000000.00000002.195044573.0000000002795000.00000004.00000001.sdmp; Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\New Order.exe; Process information queried: ProcessInformation
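The evasion strings above (SBIEDLL.DLL, WINE_GET_UNIX_FILE_NAME, the VMware Tools paths, the WMI hardware classes and the SCSI/BIOS registry paths) are what a triage scanner should look for in a memory dump of a suspect .NET process. The following is an added example written for this page, not Joe Sandbox code and not the sample's own logic: it searches a dump for those indicator families as both ASCII and UTF-16LE (the .NET runtime keeps string literals as UTF-16LE, so an ASCII-only grep misses most of them) and case-insensitively, since this dump held "vmware", "VMware" and "VMWARE". The dump it scans is constructed inline; the family names and the two-family verdict threshold are the example's own choices.

```python
"""Added example: scan a process-memory dump for the anti-VM / anti-sandbox
indicator strings this report lists, in ASCII and UTF-16LE."""
import re
from collections import defaultdict

# Indicator families taken from the strings reported above.  Matching is
# case-insensitive because the same dump held "vmware", "VMware" and "VMWARE".
INDICATORS = {
    "sandboxie":    ["SbieDll.dll"],
    "wine":         ["wine_get_unix_file_name"],
    "vmware":       ["VMware",
                     "SOFTWARE\\VMware, Inc.\\VMware Tools",
                     "C:\\Program Files\\VMware\\VMware Tools\\",
                     "VMware SVGA II"],
    "wmi_hw_query": ["Win32_BaseBoard", "Win32_VideoController",
                     "Win32_NetworkAdapterConfiguration", "Win32_Processor"],
    "registry_hw":  ["HARDWARE\\DEVICEMAP\\Scsi", "SystemBiosVersion",
                     "VideoBiosVersion", "SYSTEM\\ControlSet001\\Services\\Disk\\Enum"],
}
ENCODINGS = ("ascii", "utf-16le")   # .NET keeps its string literals as UTF-16LE


def _compile():
    """One case-insensitive byte regex per (family, indicator, encoding)."""
    compiled = []
    for family, strings in INDICATORS.items():
        for s in strings:
            for enc in ENCODINGS:
                pat = re.compile(re.escape(s.encode(enc)), re.IGNORECASE)
                compiled.append((family, s, enc, pat))
    return compiled


PATTERNS = _compile()


def scan(dump: bytes) -> dict:
    """Return {family: sorted [(offset, indicator, encoding), ...]} for every hit."""
    hits = defaultdict(list)
    for family, s, enc, pat in PATTERNS:
        for m in pat.finditer(dump):
            hits[family].append((m.start(), s, enc))
    return {k: sorted(v) for k, v in hits.items()}


def looks_evasive(hits: dict, min_families: int = 2) -> bool:
    """Crude verdict (threshold is this example's choice): several independent
    evasion families in one dump.  A lone 'VMware' string is noise on any
    VMware guest; SbieDll.dll plus WMI hardware queries plus BIOS reads is not."""
    return len(hits) >= min_families


def build_sample_dump() -> bytes:
    """Constructed dump, not taken from the sample: UTF-16LE .NET literals
    interleaved with ASCII data, so an ASCII-only grep would miss most of it."""
    parts = [
        b"\x00" * 16,
        "SbieDll.dll".encode("utf-16le"),
        b"MZ\x90\x00" + b"A" * 32,
        "wine_get_unix_file_name".encode("utf-16le"),
        "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16le"),
        b"VMWARE",                                   # ASCII, upper-case
        "SELECT * FROM Win32_VideoController".encode("utf-16le"),
        b"SystemBiosVersion",                        # ASCII registry value name
        b"\x00" * 16,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    found = scan(build_sample_dump())
    for family, entries in found.items():
        for off, s, enc in entries:
            print(f"{off:#08x} {family:<12} {enc:<8} {s}")
    print("evasive:", looks_evasive(found))
```

Run it against a real dump with `scan(open(path, "rb").read())`; the per-hit offsets let you jump straight to the surrounding code or config blob in a hex viewer.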

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\New Order.exe; Code function: 0_2_04C341F0 CheckRemoteDebuggerPresent, 0_2_04C341F0
Source: C:\Users\user\Desktop\New Order.exe; Process queried: DebugPort (4 entries)
Source: C:\Users\user\Desktop\New Order.exe; Code function: 3_2_017843F0 LdrInitializeThunk, 3_2_017843F0
Source: C:\Users\user\Desktop\New Order.exe; Process token adjusted: Debug (2 entries)
Source: C:\Users\user\Desktop\New Order.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\New Order.exe; Memory written: C:\Users\user\Desktop\New Order.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\New Order.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VUnUiAmf' /XML 'C:\Users\user\AppData\Local\Temp\tmpD69A.tmp'
Source: C:\Users\user\Desktop\New Order.exe; Process created: C:\Users\user\Desktop\New Order.exe {path}
Source: New Order.exe, 00000003.00000002.459778388.0000000001D40000.00000002.00000001.sdmp; Binary or memory string: Program Manager
Source: New Order.exe, 00000003.00000002.459778388.0000000001D40000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: New Order.exe, 00000003.00000002.459778388.0000000001D40000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: New Order.exe, 00000003.00000002.459778388.0000000001D40000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\New Order.exe; Queries volume information: C:\Users\user\Desktop\New Order.exe VolumeInformation (2 entries)
Source: C:\Users\user\Desktop\New Order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (2 entries)
Source: C:\Users\user\Desktop\New Order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (2 entries)
Source: C:\Users\user\Desktop\New Order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (2 entries)
Source: C:\Users\user\Desktop\New Order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation (2 entries)
Source: C:\Users\user\Desktop\New Order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 entries)
Source: C:\Users\user\Desktop\New Order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order.exe; Code function: 3_2_064E5A94 GetUserNameW, 3_2_064E5A94
Source: C:\Users\user\Desktop\New Order.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
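Two of the events above are the ones a detection engineer would turn into rules: schtasks.exe registering a task from an XML file in the user's temp directory (the "Scheduled temp file as task from temp location" Sigma hit in the summary), and the sample spawning a copy of itself and then writing a buffer beginning with 4D5A (an MZ header) at the child's image base 0x400000, the classic hollowing pattern behind "Injects a PE file". The following is an added example written for this page, not Joe Sandbox, Sigma or AgentTesla code: it tokenizes Windows command lines without shlex's POSIX backslash handling (sandbox reports, as above, often render the quotes as single quotes), applies both rules to a small constructed event list, and returns the findings. PID 3904 is the sample's PID from this report; the other PIDs, the explorer.exe and cmd.exe parents and the benign backup task are invented for the example.

```python
"""Added example: triage constructed process-creation / memory-write events for
the two behaviours this report lists: schtasks registering a task from an XML
in a temp directory, and a PE image written into a self-spawned child."""

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def tokenize(cmdline: str) -> list:
    """Split a Windows command line: whitespace separates, single or double
    quotes group, backslashes stay literal (shlex's POSIX mode would eat them)."""
    tokens, cur, quote = [], [], None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "\"'":
            quote = ch
        elif ch.isspace():
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def _arg_after(tokens, flag):
    """Value following a case-insensitive flag such as /XML, or None."""
    low = [t.lower() for t in tokens]
    if flag in low and low.index(flag) + 1 < len(tokens):
        return tokens[low.index(flag) + 1]
    return None


def schtasks_from_temp(ev: dict):
    """Rule 1 (the 'scheduled temp file as task' idea): schtasks /Create whose
    /XML task definition lives in a temp directory."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    tokens = tokenize(ev["cmdline"])
    if "/create" not in (t.lower() for t in tokens):
        return None
    xml = _arg_after(tokens, "/xml")
    if xml and any(d in xml.lower() for d in TEMP_DIRS):
        return (f"schtasks task {_arg_after(tokens, '/tn')!r} created from temp XML "
                f"{xml!r}, parent {ev['parent_image']}")
    return None


def hollowing_indicator(events: list) -> list:
    """Rule 2: a process spawns its own image, then writes an MZ header (4D5A)
    at the child's image base from outside the child."""
    self_spawned = {e["pid"] for e in events
                    if e["type"] == "process_create"
                    and e["image"].lower() == e["parent_image"].lower()}
    return [f"PE header written into self-spawned child pid {e['target_pid']} "
            f"at base 0x{e['base']:X} by pid {e['pid']}"
            for e in events
            if e["type"] == "memory_write"
            and e["target_pid"] in self_spawned
            and e["target_pid"] != e["pid"]
            and e["data_prefix"].upper().startswith("4D5A")]


def triage(events: list) -> list:
    """Apply both rules; returns human-readable findings in rule order."""
    findings = [f for f in (schtasks_from_temp(e) for e in events) if f]
    findings.extend(hollowing_indicator(events))
    return findings


# Constructed events shaped after the report's process tree.  PID 3904 is the
# sample's PID above; the other PIDs and the explorer/cmd parents are made up.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3904, "parent_pid": 1200,
     "image": r"C:\Users\user\Desktop\New Order.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\user\Desktop\New Order.exe"'},
    {"type": "process_create", "pid": 5212, "parent_pid": 3904,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\user\Desktop\New Order.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VUnUiAmf" /XML "C:\Users\user\AppData\Local\Temp\tmpD69A.tmp"'},
    {"type": "process_create", "pid": 6120, "parent_pid": 3904,
     "image": r"C:\Users\user\Desktop\New Order.exe",
     "parent_image": r"C:\Users\user\Desktop\New Order.exe",
     "cmdline": r'"C:\Users\user\Desktop\New Order.exe"'},
    {"type": "memory_write", "pid": 3904, "target_pid": 6120,
     "base": 0x400000, "data_prefix": "4D5A9000"},
    # benign control: an admin registering a task from a non-temp XML path
    {"type": "process_create", "pid": 7001, "parent_pid": 900,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"schtasks.exe /Create /TN Backup /XML C:\ProgramData\backup\task.xml"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Rule 1 keys on the XML path rather than the task name because the name ("Updates\VUnUiAmf" here) is random per build; rule 2 requires the writer to be a different process than the target, which is what separates hollowing from a process patching its own image.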

              Stealing of Sensitive Information: