Analysis Report Vancouver Cabinets Inc Memo.com

Overview

General Information

Sample Name: Vancouver Cabinets Inc Memo.com (renamed file extension from com to exe)
Analysis ID: 298523
MD5: 500f1f95a4e22e5bb56304b89bf6e50f
SHA1: c4069cacf194c6e0da1c2b95f346c4f4d94c261d
SHA256: 1949fe1f933eb7cf891bc84c6401156d0d223f1a39c708b66951a375a3f76500
Tags: com, GuLoader

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
.NET source code references suspicious native API functions
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "EMaxdEDfz5z", "URL: ": "https://ZEKjpsIZyi.net", "To: ": "", "ByHost: ": "excellink.xyz:587", "Password: ": "6Zq8eDlkuig9R", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.594619456.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000001.00000002.598822503.000000001E132000.00000020.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.599661223.000000001E89F000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.599553749.000000001E7D6000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: Vancouver Cabinets Inc Memo.exe PID: 6552 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Vancouver Cabinets Inc Memo.exe.1e130000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Vancouver Cabinets Inc Memo.exe | Avira: detected
Found malware configuration
Source: Vancouver Cabinets Inc Memo.exe.6552.1.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "EMaxdEDfz5z", "URL: ": "https://ZEKjpsIZyi.net", "To: ": "", "ByHost: ": "excellink.xyz:587", "Password: ": "6Zq8eDlkuig9R", "From: ": ""}
Multi AV Scanner detection for submitted file
Source: Vancouver Cabinets Inc Memo.exe | Virustotal: Detection: 33%
Source: Vancouver Cabinets Inc Memo.exe | ReversingLabs: Detection: 10%
Source: 0.2.Vancouver Cabinets Inc Memo.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 1.2.Vancouver Cabinets Inc Memo.exe.1e130000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.Vancouver Cabinets Inc Memo.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.Vancouver Cabinets Inc Memo.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: global traffic | TCP traffic: 192.168.2.6:49736 -> 198.54.125.197:587
Source: Joe Sandbox View | IP Address: 198.54.125.197
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 1_2_1E40A186 recv
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.598822503.000000001E132000.00000020.00000001.sdmp | String found in binary or memory: http://127.0.0.1:
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.599819052.000000001E9F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.602780580.0000000020D40000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.595052393.00000000008DA000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.599819052.000000001E9F0000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.599819052.000000001E9F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.595052393.00000000008DA000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.595052393.00000000008DA000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.599819052.000000001E9F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.599661223.000000001E89F000.00000004.00000001.sdmp | String found in binary or memory: https://ZEKjpsIZyi.net
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.598822503.000000001E132000.00000020.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.595052393.00000000008DA000.00000004.00000020.sdmp, Vancouver Cabinets Inc Memo.exe, 00000001.00000002.595029454.00000000008BF000.00000004.00000020.sdmp | String found in binary or memory: https://i9ykuq.bn.files.1drv.com/y4mvsdWRsydWfDiFp-SUgTVMCJfAWYGSbGIlj0NmqX5IMc7u6pbooPU5W3h-hmYsaPG
Source: Vancouver Cabinets Inc Memo.exe | String found in binary or memory: https://onedrive.live.com/download?cid=16ACDE72EF8A9E0D&resid=16ACDE72EF8A9E0D%21118&authkey=AIK3xSk
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.599819052.000000001E9F0000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.595052393.00000000008DA000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.598822503.000000001E132000.00000020.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.598822503.000000001E132000.00000020.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/U
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_0220102C NtSetInformationThread, NtWriteVirtualMemory, TerminateProcess
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_02202C45 NtResumeThread
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_022028DB NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_02200199 EnumWindows, NtSetInformationThread, TerminateProcess
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_02200A22 NtSetInformationThread, TerminateProcess
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_02201703 NtSetInformationThread, TerminateProcess
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_02202D48 NtResumeThread
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 1_2_00562C45 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 1_2_00561703 NtSetInformationThread, InternetOpenA, InternetOpenUrlA
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 1_2_005628DB NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 1_2_00560199 EnumWindows, NtSetInformationThread
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 1_2_00562D48 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 1_2_00560A22 NtSetInformationThread
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 1_2_0056102C NtSetInformationThread
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 1_2_1E40AD42 NtQuerySystemInformation
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 1_2_1E40AD20 NtQuerySystemInformation
Source: Vancouver Cabinets Inc Memo.exe | Static PE information: invalid certificate
Source: Vancouver Cabinets Inc Memo.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Vancouver Cabinets Inc Memo.exe, 00000000.00000002.348785149.000000000040D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamethunderbird.exe vs Vancouver Cabinets Inc Memo.exe
Source: Vancouver Cabinets Inc Memo.exe, 00000000.00000002.349398571.00000000021C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Vancouver Cabinets Inc Memo.exe
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.594521230.0000000000100000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Vancouver Cabinets Inc Memo.exe
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.602507391.0000000020BF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs Vancouver Cabinets Inc Memo.exe
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.602522360.0000000020C00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Vancouver Cabinets Inc Memo.exe
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.598909990.000000001E1A2000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameEGCAKnDHJDUGDwsMzKRRr.exe4 vs Vancouver Cabinets Inc Memo.exe
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000000.347910770.000000000040D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamethunderbird.exe vs Vancouver Cabinets Inc Memo.exe
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.598697864.000000001DEE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Vancouver Cabinets Inc Memo.exe
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.594398451.0000000000080000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Vancouver Cabinets Inc Memo.exe
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.598670523.000000001DD90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Vancouver Cabinets Inc Memo.exe
Source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.594555651.0000000000110000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Vancouver Cabinets Inc Memo.exe
Source: Vancouver Cabinets Inc Memo.exe | Binary or memory string: OriginalFilenamethunderbird.exe vs Vancouver Cabinets Inc Memo.exe
Source: 1.2.Vancouver Cabinets Inc Memo.exe.1e130000.4.unpack, e3nXyWx54eXrMCJOPu/eAcKHQHop2SvdpjExo.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 1_2_1E40A5B6 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 1_2_1E40A57F AdjustTokenPrivileges
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | File created: C:\Users\user\AppData\Roaming\3thh3skt.c4m
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | File created: C:\Users\user\AppData\Local\Temp\~DFA918AE071396D8E1.TMP
Source: Vancouver Cabinets Inc Memo.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Vancouver Cabinets Inc Memo.exe | Virustotal: Detection: 33%
Source: Vancouver Cabinets Inc Memo.exe | ReversingLabs: Detection: 10%
Source: unknown | Process created: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe 'C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe'
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Process created: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe 'C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe'
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: mscorrc.pdb | source: Vancouver Cabinets Inc Memo.exe, 00000001.00000002.594398451.0000000000080000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000001.00000002.594619456.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Vancouver Cabinets Inc Memo.exe PID: 6552, type: MEMORY
Source: Yara match | File source: Process Memory Space: Vancouver Cabinets Inc Memo.exe PID: 3168, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: Vancouver Cabinets Inc Memo.exe PID: 6552, type: MEMORY
Source: Yara match | File source: Process Memory Space: Vancouver Cabinets Inc Memo.exe PID: 3168, type: MEMORY
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407E40 push 00401150h; ret 0_2_00407E53
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407A44 push 00401150h; ret 0_2_00407A57
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407C4C push 00401150h; ret 0_2_00407C5F
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407A58 push 00401150h; ret 0_2_00407A6B
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407C60 push 00401150h; ret 0_2_00407C73
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407A6C push 00401150h; ret 0_2_00407A7F
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407C74 push 00401150h; ret 0_2_00407C87
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407E04 push 00401150h; ret 0_2_00407E17
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407C10 push 00401150h; ret 0_2_00407C23
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407E18 push 00401150h; ret 0_2_00407E2B
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407C24 push 00401150h; ret 0_2_00407C37
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407A30 push 00401150h; ret 0_2_00407A43
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407C38 push 00401150h; ret 0_2_00407C4B
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407CC4 push 00401150h; ret 0_2_00407CD7
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407AD0 push 00401150h; ret 0_2_00407AE3
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407CD8 push 00401150h; ret 0_2_00407CEB
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407AE4 push 00401150h; ret 0_2_00407AF7
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407CEC push 00401150h; ret 0_2_00407CFF
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407AF8 push 00401150h; ret 0_2_00407B0B
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407A80 push 00401150h; ret 0_2_00407A93
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407C88 push 00401150h; ret 0_2_00407C9B
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407A94 push 00401150h; ret 0_2_00407AA7
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407C9C push 00401150h; ret 0_2_00407CAF
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_004074A0 push 00401150h; ret 0_2_00407A2F
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407AA8 push 00401150h; ret 0_2_00407ABB
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407CB0 push 00401150h; ret 0_2_00407CC3
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407ABC push 00401150h; ret 0_2_00407ACF
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407B48 push 00401150h; ret 0_2_00407B5B
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407D50 push 00401150h; ret 0_2_00407D63
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407B5C push 00401150h; ret 0_2_00407B6F
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_00407D64 push 00401150h; ret 0_2_00407D77
Source: 1.2.Vancouver Cabinets Inc Memo.exe.1e130000.4.unpack, e3nXyWx54eXrMCJOPu/eAcKHQHop2SvdpjExo.cs | High entropy of concatenated method names: '.cctor', 'C1cPOtYij1Lai', 'eWaH61iq7', 'eLDx5Mj1j', 'eGN9hjVJU', 'eJNVII0RA', 'NvQ34uZt895nxEhi2FIr', 'ecKhHQop2', 'eSvjdpjEx', 'eo35nXyW5'

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory
Source: c:\users\user\desktop\vancouver cabinets inc memo.exe | File moved: C:\Users\user\AppData\Local\Temp\tmpG833.tmp
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exeRDTSC instruction interceptor: First address: 0000000002202495 second address: 0000000002202495 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F5E487F2B78h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F5E487F2B63h 0x00000028 push ecx 0x00000029 call 00007F5E487F2B89h 0x0000002e call 00007F5E487F2B8Ah 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect Any.run
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | File opened: C:\Program Files\qga\qga.exe
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: Vancouver Cabinets Inc Memo.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
              Tries to detect virtualization through RDTSC time measurements
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | RDTSC instruction interceptor: First address: 0000000002202495 second address: 0000000002202495 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F5E487F2B78h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F5E487F2B63h 0x00000028 push ecx 0x00000029 call 00007F5E487F2B89h 0x0000002e call 00007F5E487F2B8Ah 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | RDTSC instruction interceptor: First address: 00000000022024B7 second address: 00000000022024B7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F5E48818CCEh 0x0000001f popad 0x00000020 call 00007F5E48818BC5h 0x00000025 lfence 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | RDTSC instruction interceptor: First address: 00000000005624B7 second address: 00000000005624B7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F5E487F2CCEh 0x0000001f popad 0x00000020 call 00007F5E487F2BC5h 0x00000025 lfence 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Code function: 0_2_02200027 rdtsc 0_2_02200027
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -59500s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -57592s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -56874s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -56000s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -55186s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -55000s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -54780s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -81138s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -53686s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -53000s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -52780s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -52374s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -77529s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -51500s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -51280s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -75888s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -50374s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -50186s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -74250s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -72888s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -72561s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -72279s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -72000s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -47780s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -95000s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -70920s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -70638s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -70311s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -46686s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -69279s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -92000s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -68670s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -67638s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -67311s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -44686s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -66750s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -88000s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -65670s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -43374s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -43000s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -42686s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -42280s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -41592s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -41186s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -40686s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -40280s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -40092s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -39280s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -39000s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -38780s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -35874s >= -30000s
              Source: C:\Users\user\Desktop\Vancouver Cabinets Inc Memo.exe TID: 6708 | Thread sleep time: -35374s >= -30000s