Analysis Report REQUEST FOR OFFER.exe

Overview

General Information

Sample Name: REQUEST FOR OFFER.exe
Analysis ID: 356550
MD5: 0fc3feecc0164c588f7afab6e51d566b
SHA1: 60115fc27261ecf866c1900d3d5f59520a2ab65a
SHA256: b5a2fbfeb80e2e92039a23615df8b8f63f42d1331528f514b312d4946dc22607
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • REQUEST FOR OFFER.exe (PID: 4156 cmdline: 'C:\Users\user\Desktop\REQUEST FOR OFFER.exe' MD5: 0FC3FEECC0164C588F7AFAB6E51D566B)
    • cmd.exe (PID: 3664 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 4908 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • badman.exe (PID: 5900 cmdline: 'C:\Users\user\AppData\Roaming\badman.exe' MD5: 0FC3FEECC0164C588F7AFAB6E51D566B)
      • InstallUtil.exe (PID: 1936 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000E.00000002.423799814.0000000004AF5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.424117469.0000000004C68000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.423910607.0000000004B58000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.328670808.0000000004948000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 8 entries shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.REQUEST FOR OFFER.exe.486f7e2.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
14.2.badman.exe.4c9e3d0.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
15.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.REQUEST FOR OFFER.exe.48a5bb2.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.REQUEST FOR OFFER.exe.49486d2.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 14 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\badman.exe | ReversingLabs: Detection: 35%
Multi AV Scanner detection for submitted file
Source: REQUEST FOR OFFER.exe | ReversingLabs: Detection: 35%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\badman.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: REQUEST FOR OFFER.exe | Joe Sandbox ML: detected
Source: 15.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: REQUEST FOR OFFER.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: REQUEST FOR OFFER.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000000F.00000002.472909502.00000000005B2000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 14_2_09AC3EB8
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 14_2_09AC3EB8
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 14_2_09AC41D8
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 14_2_09AC41D8
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 14_2_09AC3724
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 14_2_09AC4750
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 14_2_09AC39D4
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 14_2_09AC4830
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 14_2_09AC3EAC
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 14_2_09AC3EAC
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 14_2_09AC41CD
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 14_2_09AC41CD
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then xor edx, edx | 14_2_09AC4104
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then xor edx, edx | 14_2_09AC4110
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 14_2_09AC660C
Source: InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp | String found in binary or memory: http://HDgGGv.com
Source: badman.exe, 0000000E.00000002.415907828.00000000016AE000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: REQUEST FOR OFFER.exe, 00000000.00000003.217353767.0000000009A83000.00000004.00000001.sdmp, badman.exe, 0000000E.00000003.339036712.0000000009D73000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: badman.exe, 0000000E.00000003.414205130.0000000009D7B000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g%%
Source: REQUEST FOR OFFER.exe, 00000000.00000002.332840777.0000000009A85000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g%%vp
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: REQUEST FOR OFFER.exe, 00000000.00000002.326751684.0000000002F99000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417471164.00000000032A2000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: REQUEST FOR OFFER.exe, 00000000.00000002.326675089.0000000002F51000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417359766.0000000003271000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: REQUEST FOR OFFER.exe, 00000000.00000002.326675089.0000000002F51000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417359766.0000000003271000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com
Source: REQUEST FOR OFFER.exe, 00000000.00000002.326675089.0000000002F51000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417359766.0000000003271000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/
Source: REQUEST FOR OFFER.exe, 00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.423799814.0000000004AF5000.00000004.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.472316965.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: badman.exe, 0000000E.00000002.415764605.0000000001670000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: REQUEST FOR OFFER.exe, o0F/Jk3.cs | Large array initialization: .cctor: array initializer size 10710
Source: badman.exe.0.dr, o0F/Jk3.cs | Large array initialization: .cctor: array initializer size 10710
Source: 15.2.InstallUtil.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6199813Du002d6350u002d451Du002dBAD9u002dE7ED453A94A3u007d/u0032B36B790u002d76E1u002d4C05u002d8847u002d37064A0FEE12.cs | Large array initialization: .cctor: array initializer size 11932
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F18DC CreateProcessAsUserW
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_02DDFCA0
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_04FB2A58
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_04FB0C58
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_04FB0C57
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_04FB29D1
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E32E28
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E33F90
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E344E1
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E3E450
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E3BD48
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E30D58
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E312A0
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E33A90
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E35370
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0197F268
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0197C140
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052FA568
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F5730
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F3C70
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F7CCA
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F1F17
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F0E00
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F5E62
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F2948
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F9420
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F7440
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F7450
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F8760
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052FB198
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F6FC8
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F6FD8
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07192E28
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07190D58
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719BC20
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719E450
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071944E1
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07195370
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07193A90
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071912A0
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07197718
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07193F39
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07197728
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07193F90
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719C7D0
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07196E50
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07196E42
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719A680
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07192D78
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719F598
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719B418
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071974F0
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071974E0
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07197B78
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07192298
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07196298
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719628A
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071952B9
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071952D5
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071952F1
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719799A
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071979A0
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719F040
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACB988
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACE900
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACDD68
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACE132
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC7080
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC83D8
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACB978
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACE8F1
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC9816
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC4D80
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC4D90
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACDD59
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC7070
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC0040
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC83C9
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC5330
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC5340
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC7533
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC7548
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC74A9
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC74BE
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC9480
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC9490
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC7405
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC741A
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_005B20B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_028746A0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_028745B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_0287D310
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_05C27538
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_05C294F8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_05C26920
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_05C26C68
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                      Source: REQUEST FOR OFFER.exe, 00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameesYxxWZqNRQpRkZCeBoPbAssohMUzrRtOep.exe4 vs REQUEST FOR OFFER.exe
                      Source: REQUEST FOR OFFER.exe, 00000000.00000002.331384751.0000000006AF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs REQUEST FOR OFFER.exe
                      Source: REQUEST FOR OFFER.exe, 00000000.00000002.332027247.0000000006E40000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs REQUEST FOR OFFER.exe
                      Source: REQUEST FOR OFFER.exe, 00000000.00000002.327921433.0000000003F58000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSHCore1.dll0 vs REQUEST FOR OFFER.exe
                      Source: REQUEST FOR OFFER.exe, 00000000.00000002.325457688.0000000000C76000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameFresh.exeH vs REQUEST FOR OFFER.exe
                      Source: REQUEST FOR OFFER.exe, 00000000.00000002.331764576.0000000006D70000.00000002.00000001.sdmpBinary or memory string: originalfilename vs REQUEST FOR OFFER.exe
                      Source: REQUEST FOR OFFER.exe, 00000000.00000002.331764576.0000000006D70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs REQUEST FOR OFFER.exe
                      Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs REQUEST FOR OFFER.exe
                      Source: REQUEST FOR OFFER.exeBinary or memory string: OriginalFilenameFresh.exeH vs REQUEST FOR OFFER.exe
                      Source: REQUEST FOR OFFER.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: 15.2.InstallUtil.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 15.2.InstallUtil.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@10/5@0/0
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeFile created: C:\Users\user\AppData\Roaming\badman.exeJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_01
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to behavior
                      Source: REQUEST FOR OFFER.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: REQUEST FOR OFFER.exeReversingLabs: Detection: 35%
                      Source: REQUEST FOR OFFER.exeString found in binary or memory: icons8-add-32
                      Source: REQUEST FOR OFFER.exeString found in binary or memory: icons8-add-24
                      Source: REQUEST FOR OFFER.exeString found in binary or memory: icons8-add-administrator-50
                      Source: REQUEST FOR OFFER.exeString found in binary or memory: icons8-add-48
                      Source: badman.exeString found in binary or memory: icons8-add-administrator-50
                      Source: badman.exeString found in binary or memory: icons8-add-48
                      Source: badman.exeString found in binary or memory: icons8-add-32
                      Source: badman.exeString found in binary or memory: icons8-add-24
                      Source: REQUEST FOR OFFER.exeString found in binary or memory: icons8-add-24
                      Source: REQUEST FOR OFFER.exeString found in binary or memory: icons8-add-32[
                      Source: REQUEST FOR OFFER.exeString found in binary or memory: icons8-add-48
Source: REQUEST FOR OFFER.exe | String found in binary or memory: 6icons8-add-administrator-50
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | File read: C:\Users\user\Desktop\REQUEST FOR OFFER.exe
Source: unknown | Process created: C:\Users\user\Desktop\REQUEST FOR OFFER.exe 'C:\Users\user\Desktop\REQUEST FOR OFFER.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Users\user\AppData\Roaming\badman.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: REQUEST FOR OFFER.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: REQUEST FOR OFFER.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000000F.00000002.472909502.00000000005B2000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA6E9E push ecx; iretd 0_2_00BA6EA4
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA4E89 push 52BA5CE0h; ret 0_2_00BA4E8E
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA56E4 push ebp; retf 0_2_00BA56E3
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA4008 push FFFFFFCBh; iretd 0_2_00BA4010
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA4A0C push es; retf 0_2_00BA4A1D
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA427E push esp; retf 0_2_00BA427F
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA67FF push 40907420h; ret 0_2_00BA6810
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA3F18 push FFFFFFCBh; iretd 0_2_00BA3F20
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA535E push edx; retf 0_2_00BA5367
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA4148 push edx; retf 0_2_00BA414F
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA5D4C push FFFFFFFFh; retf 0_2_00BA5D4E
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_00EE56E4 push ebp; retf 14_2_00EE56E3
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_00EE4E89 push 52BA5CE0h; ret 14_2_00EE4E8E
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_00EE6E9E push ecx; iretd 14_2_00EE6EA4
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_00EE427E push esp; retf 14_2_00EE427F
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_00EE4A0C push es; retf 14_2_00EE4A1D
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_00EE4008 push FFFFFFCBh; iretd 14_2_00EE4010
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_00EE67FF push 40907420h; ret 14_2_00EE6810
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_00EE5D4C push FFFFFFFFh; retf 14_2_00EE5D4E
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_00EE4148 push edx; retf 14_2_00EE414F
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_00EE535E push edx; retf 14_2_00EE5367
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_00EE3F18 push FFFFFFCBh; iretd 14_2_00EE3F20
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07197E84 push ecx; iretd 14_2_07197E86
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07191BDA push ecx; ret 14_2_07191BDE
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACECD2 push ebx; ret 14_2_09ACECDB
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC9FC8 push edi; ret 14_2_09AC9FE9
Source: REQUEST FOR OFFER.exe, p5M/y9B.cs | High entropy of concatenated method names: '.ctor', 'Ht4', 's2Y', 'i6Y', 'a1C', 'q7A', 's3K', 'w8A', 'Br5', 'Gs4'
Source: badman.exe.0.dr, p5M/y9B.cs | High entropy of concatenated method names: '.ctor', 'Ht4', 's2Y', 'i6Y', 'a1C', 'q7A', 's3K', 'w8A', 'Br5', 'Gs4'
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | File created: C:\Users\user\AppData\Roaming\badman.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neil

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | File opened: C:\Users\user\Desktop\REQUEST FOR OFFER.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\badman.exe | File opened: C:\Users\user\AppData\Roaming\badman.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\badman.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: REQUEST FOR OFFER.exe PID: 4156, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\badman.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Window / User API: threadDelayed 2402
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Window / User API: threadDelayed 7343
Source: C:\Users\user\AppData\Roaming\badman.exe | Window / User API: threadDelayed 618
Source: C:\Users\user\AppData\Roaming\badman.exe | Window / User API: threadDelayed 9155
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 9556
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5888 | Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5828 | Thread sleep count: 2402 > 30
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5828 | Thread sleep count: 7343 > 30
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5888 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5888 | Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 1968 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 5872 | Thread sleep count: 618 > 30
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 5872 | Thread sleep count: 9155 > 30
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 1968 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5036 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6084 | Thread sleep count: 263 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6084 | Thread sleep count: 9556 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5036 | Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Last function: Thread delayed
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp | Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp | Binary or memory string: vmware svga
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp | Binary or memory string: vboxservice
Source: REQUEST FOR OFFER.exe, 00000000.00000002.327847947.00000000033C5000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp | Binary or memory string: Microsoft Hyper-Vmicrosoft
Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.483211695.0000000005A90000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp | Binary or memory string: vmware usb pointing device
Source: REQUEST FOR OFFER.exe, 00000000.00000002.327847947.00000000033C5000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp | Binary or memory string: vmusrvc
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp | Binary or memory string: vmware pointing device
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp | Binary or memory string: vmware sata
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp | Binary or memory string: vmsrvc
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp | Binary or memory string: vmtools
Source: REQUEST FOR OFFER.exe, 00000000.00000002.327847947.00000000033C5000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp | Binary or memory string: Microsoft Hyper-V
Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.483211695.0000000005A90000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp | Binary or memory string: vmware virtual s scsi disk device
                      Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.483211695.0000000005A90000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmpBinary or memory string: vmware vmci bus device
                      Source: badman.exe, 0000000E.00000002.415907828.00000000016AE000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.483211695.0000000005A90000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      Allocates memory in foreign processes
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
                      Writes to foreign memory regions
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 438000
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 43A000
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 756008
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                      Source: InstallUtil.exe, 0000000F.00000002.477401002.0000000001390000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                      Source: InstallUtil.exe, 0000000F.00000002.477401002.0000000001390000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: InstallUtil.exe, 0000000F.00000002.477401002.0000000001390000.00000002.00000001.sdmp | Binary or memory string: Progman
                      Source: InstallUtil.exe, 0000000F.00000002.477401002.0000000001390000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Queries volume information: C:\Users\user\Desktop\REQUEST FOR OFFER.exe VolumeInformation
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Queries volume information: C:\Users\user\AppData\Roaming\badman.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_05C22654 GetUserNameW, 15_2_05C22654
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0000000E.00000002.423799814.0000000004AF5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.424117469.0000000004C68000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.423910607.0000000004B58000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.328670808.0000000004948000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.472316965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: REQUEST FOR OFFER.exe PID: 4156, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: badman.exe PID: 5900, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1936, type: MEMORY
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.486f7e2.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4c9e3d0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48a5bb2.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.49486d2.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.497ea88.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bfb8ba.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4b8f12a.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48a5bb2.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.497ea88.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4c9e3d0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4b8f12a.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bc54fa.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48dbf72.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bfb8ba.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48dbf72.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bc54fa.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.486f7e2.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.49486d2.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1936, type: MEMORY

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0000000E.00000002.423799814.0000000004AF5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.424117469.0000000004C68000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.423910607.0000000004B58000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.328670808.0000000004948000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.472316965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: REQUEST FOR OFFER.exe PID: 4156, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: badman.exe PID: 5900, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1936, type: MEMORY
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.486f7e2.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4c9e3d0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48a5bb2.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.49486d2.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.497ea88.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bfb8ba.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4b8f12a.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48a5bb2.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.497ea88.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4c9e3d0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4b8f12a.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bc54fa.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48dbf72.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bfb8ba.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48dbf72.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bc54fa.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.486f7e2.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.49486d2.6.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid Accounts1Windows Management Instrumentation211Valid Accounts1Valid Accounts1Disable or Modify Tools1Input Capture1Account Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsCommand and Scripting Interpreter2Registry Run Keys / Startup Folder1Access Token Manipulation1Deobfuscate/Decode Files or Information1LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolInput Capture1Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Process Injection312Obfuscated Files or Information2Security Account ManagerSystem Information Discovery113SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Registry Run Keys / Startup Folder1Software Packing1NTDSSecurity Software Discovery221Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading1LSA SecretsVirtualization/Sandbox Evasion14SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonValid Accounts1Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsModify Registry1DCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobAccess Token Manipulation1Proc FilesystemSystem Owner/User Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Virtualization/Sandbox Evasion14/etc/passwd and /etc/shadowRemote System Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Process Injection312Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                      Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronHidden Files and Directories1Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet