
Analysis Report REQUEST FOR OFFER.exe

Overview

General Information

Sample Name: REQUEST FOR OFFER.exe
Analysis ID: 356550
MD5: 0fc3feecc0164c588f7afab6e51d566b
SHA1: 60115fc27261ecf866c1900d3d5f59520a2ab65a
SHA256: b5a2fbfeb80e2e92039a23615df8b8f63f42d1331528f514b312d4946dc22607
Tags: AgentTesla, exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • REQUEST FOR OFFER.exe (PID: 4156 cmdline: 'C:\Users\user\Desktop\REQUEST FOR OFFER.exe' MD5: 0FC3FEECC0164C588F7AFAB6E51D566B)
    • cmd.exe (PID: 3664 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 4908 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • badman.exe (PID: 5900 cmdline: 'C:\Users\user\AppData\Roaming\badman.exe' MD5: 0FC3FEECC0164C588F7AFAB6E51D566B)
      • InstallUtil.exe (PID: 1936 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.423799814.0000000004AF5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000E.00000002.424117469.0000000004C68000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000E.00000002.423910607.0000000004B58000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.328670808.0000000004948000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(further entries omitted)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.REQUEST FOR OFFER.exe.486f7e2.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
14.2.badman.exe.4c9e3d0.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
15.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.REQUEST FOR OFFER.exe.48a5bb2.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.REQUEST FOR OFFER.exe.49486d2.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(further entries omitted)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\badman.exe | ReversingLabs: Detection: 35%
Multi AV Scanner detection for submitted file
Source: REQUEST FOR OFFER.exe | ReversingLabs: Detection: 35%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\badman.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: REQUEST FOR OFFER.exe | Joe Sandbox ML: detected
Source: 15.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: REQUEST FOR OFFER.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: REQUEST FOR OFFER.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000000F.00000002.472909502.00000000005B2000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp | String found in binary or memory: http://HDgGGv.com
Source: badman.exe, 0000000E.00000002.415907828.00000000016AE000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: REQUEST FOR OFFER.exe, 00000000.00000003.217353767.0000000009A83000.00000004.00000001.sdmp, badman.exe, 0000000E.00000003.339036712.0000000009D73000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: badman.exe, 0000000E.00000003.414205130.0000000009D7B000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g%%
Source: REQUEST FOR OFFER.exe, 00000000.00000002.332840777.0000000009A85000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g%%vp
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: REQUEST FOR OFFER.exe, 00000000.00000002.326751684.0000000002F99000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417471164.00000000032A2000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: REQUEST FOR OFFER.exe, 00000000.00000002.326675089.0000000002F51000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417359766.0000000003271000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: REQUEST FOR OFFER.exe, 00000000.00000002.326675089.0000000002F51000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417359766.0000000003271000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com
Source: REQUEST FOR OFFER.exe, 00000000.00000002.326675089.0000000002F51000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417359766.0000000003271000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/
Source: REQUEST FOR OFFER.exe, 00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.423799814.0000000004AF5000.00000004.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.472316965.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: badman.exe, 0000000E.00000002.415764605.0000000001670000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: REQUEST FOR OFFER.exe, o0F/Jk3.cs | Large array initialization: .cctor: array initializer size 10710
Source: badman.exe.0.dr, o0F/Jk3.cs | Large array initialization: .cctor: array initializer size 10710
Source: 15.2.InstallUtil.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6199813Du002d6350u002d451Du002dBAD9u002dE7ED453A94A3u007d/u0032B36B790u002d76E1u002d4C05u002d8847u002d37064A0FEE12.cs | Large array initialization: .cctor: array initializer size 11932
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F18DC CreateProcessAsUserW,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_02DDFCA0
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_04FB2A58
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_04FB0C58
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_04FB0C57
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_04FB29D1
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E32E28
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E33F90
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E344E1
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E3E450
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E3BD48
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E30D58
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E312A0
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E33A90
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_06E35370
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0197F268
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0197C140
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052FA568
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F5730
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F3C70
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F7CCA
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F1F17
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F0E00
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F5E62
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F2948
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F9420
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F7440
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F7450
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F8760
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052FB198
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F6FC8
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_052F6FD8
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07192E28
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07190D58
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719BC20
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719E450
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071944E1
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07195370
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07193A90
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071912A0
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07197718
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07193F39
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07197728
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07193F90
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719C7D0
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07196E50
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07196E42
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719A680
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07192D78
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719F598
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719B418
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071974F0
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071974E0
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07197B78
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07192298
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_07196298
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719628A
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071952B9
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071952D5
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071952F1
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719799A
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_071979A0
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_0719F040
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACB988
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACE900
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACDD68
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACE132
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC7080
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC83D8
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACB978
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACE8F1
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC9816
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC4D80
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC4D90
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09ACDD59
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC7070
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC0040
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC83C9
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC5330
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC5340
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC7533
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC7548
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC74A9
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC74BE
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC9480
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC9490
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC7405
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 14_2_09AC741A
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_005B20B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_028746A0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_028745B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_0287D310
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_05C27538
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_05C294F8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_05C26920
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_05C26C68
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: REQUEST FOR OFFER.exe, 00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameesYxxWZqNRQpRkZCeBoPbAssohMUzrRtOep.exe4 vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe, 00000000.00000002.331384751.0000000006AF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe, 00000000.00000002.332027247.0000000006E40000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe, 00000000.00000002.327921433.0000000003F58000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe, 00000000.00000002.325457688.0000000000C76000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFresh.exeH vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe, 00000000.00000002.331764576.0000000006D70000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe, 00000000.00000002.331764576.0000000006D70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe | Binary or memory string: OriginalFilenameFresh.exeH vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: 15.2.InstallUtil.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.2.InstallUtil.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/5@0/0
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | File created: C:\Users\user\AppData\Roaming\badman.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_01
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: REQUEST FOR OFFER.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\badman.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\badman.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\badman.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\badman.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: REQUEST FOR OFFER.exe | ReversingLabs: Detection: 35%
Source: REQUEST FOR OFFER.exe | String found in binary or memory: icons8-add-32
Source: REQUEST FOR OFFER.exe | String found in binary or memory: icons8-add-24
Source: REQUEST FOR OFFER.exe | String found in binary or memory: icons8-add-administrator-50
Source: REQUEST FOR OFFER.exe | String found in binary or memory: icons8-add-48
Source: badman.exe | String found in binary or memory: icons8-add-administrator-50
Source: badman.exe | String found in binary or memory: icons8-add-48
Source: badman.exe | String found in binary or memory: icons8-add-32
Source: badman.exe | String found in binary or memory: icons8-add-24
Source: REQUEST FOR OFFER.exe | String found in binary or memory: icons8-add-24
Source: REQUEST FOR OFFER.exe | String found in binary or memory: icons8-add-32[
Source: REQUEST FOR OFFER.exe | String found in binary or memory: icons8-add-48
Source: REQUEST FOR OFFER.exe | String found in binary or memory: 6icons8-add-administrator-50
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | File read: C:\Users\user\Desktop\REQUEST FOR OFFER.exe
Source: unknown | Process created: C:\Users\user\Desktop\REQUEST FOR OFFER.exe 'C:\Users\user\Desktop\REQUEST FOR OFFER.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Users\user\AppData\Roaming\badman.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: REQUEST FOR OFFER.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: REQUEST FOR OFFER.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000000F.00000002.472909502.00000000005B2000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA6E9E push ecx; iretd
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA4E89 push 52BA5CE0h; ret
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA56E4 push ebp; retf
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA4008 push FFFFFFCBh; iretd
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA4A0C push es; retf
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA427E push esp; retf
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA67FF push 40907420h; ret
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA3F18 push FFFFFFCBh; iretd
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Code function: 0_2_00BA535E push edx; retf
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeCode function: 0_2_00BA4148 push edx; retf
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeCode function: 0_2_00BA5D4C push FFFFFFFFh; retf
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_00EE56E4 push ebp; retf
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_00EE4E89 push 52BA5CE0h; ret
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_00EE6E9E push ecx; iretd
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_00EE427E push esp; retf
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_00EE4A0C push es; retf
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_00EE4008 push FFFFFFCBh; iretd
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_00EE67FF push 40907420h; ret
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_00EE5D4C push FFFFFFFFh; retf
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_00EE4148 push edx; retf
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_00EE535E push edx; retf
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_00EE3F18 push FFFFFFCBh; iretd
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_07197E84 push ecx; iretd
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_07191BDA push ecx; ret
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_09ACECD2 push ebx; ret
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 14_2_09AC9FC8 push edi; ret
                      Source: REQUEST FOR OFFER.exe, p5M/y9B.csHigh entropy of concatenated method names: '.ctor', 'Ht4', 's2Y', 'i6Y', 'a1C', 'q7A', 's3K', 'w8A', 'Br5', 'Gs4'
                      Source: badman.exe.0.dr, p5M/y9B.csHigh entropy of concatenated method names: '.ctor', 'Ht4', 's2Y', 'i6Y', 'a1C', 'q7A', 's3K', 'w8A', 'Br5', 'Gs4'
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeFile created: C:\Users\user\AppData\Roaming\badman.exeJump to dropped file
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neilJump to behavior
                      Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neilJump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe File opened: C:\Users\user\Desktop\REQUEST FOR OFFER.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\badman.exe File opened: C:\Users\user\AppData\Roaming\badman.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\badman.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: REQUEST FOR OFFER.exe PID: 4156, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\badman.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Window / User API: threadDelayed 2402
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Window / User API: threadDelayed 7343
Source: C:\Users\user\AppData\Roaming\badman.exe Window / User API: threadDelayed 618
Source: C:\Users\user\AppData\Roaming\badman.exe Window / User API: threadDelayed 9155
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 9556
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5888 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5828 Thread sleep count: 2402 > 30
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5828 Thread sleep count: 7343 > 30
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5888 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5888 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 1968 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 5872 Thread sleep count: 618 > 30
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 5872 Thread sleep count: 9155 > 30
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 1968 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5036 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6084 Thread sleep count: 263 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6084 Thread sleep count: 9556 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5036 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Last function: Thread delayed
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: VMware
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vboxservice
Source: REQUEST FOR OFFER.exe, 00000000.00000002.327847947.00000000033C5000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-Vmicrosoft
Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.483211695.0000000005A90000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware usb pointing device
Source: REQUEST FOR OFFER.exe, 00000000.00000002.327847947.00000000033C5000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware pointing device
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware sata
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: REQUEST FOR OFFER.exe, 00000000.00000002.327847947.00000000033C5000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V
Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.483211695.0000000005A90000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware virtual s scsi disk device
Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.483211695.0000000005A90000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device
Source: badman.exe, 0000000E.00000002.415907828.00000000016AE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.483211695.0000000005A90000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\badman.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Allocates memory in foreign processes
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
                      Writes to foreign memory regions
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 438000
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 43A000
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 756008
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                      Source: InstallUtil.exe, 0000000F.00000002.477401002.0000000001390000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                      Source: InstallUtil.exe, 0000000F.00000002.477401002.0000000001390000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: InstallUtil.exe, 0000000F.00000002.477401002.0000000001390000.00000002.00000001.sdmp | Binary or memory string: Progman
                      Source: InstallUtil.exe, 0000000F.00000002.477401002.0000000001390000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Queries volume information: C:\Users\user\Desktop\REQUEST FOR OFFER.exe VolumeInformation
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Queries volume information: C:\Users\user\AppData\Roaming\badman.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 15_2_05C22654 GetUserNameW,
                      Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0000000E.00000002.423799814.0000000004AF5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.424117469.0000000004C68000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.423910607.0000000004B58000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.328670808.0000000004948000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.472316965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: REQUEST FOR OFFER.exe PID: 4156, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: badman.exe PID: 5900, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1936, type: MEMORY
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.486f7e2.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4c9e3d0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48a5bb2.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.49486d2.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.497ea88.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bfb8ba.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4b8f12a.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48a5bb2.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.497ea88.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4c9e3d0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4b8f12a.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bc54fa.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48dbf72.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bfb8ba.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48dbf72.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bc54fa.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.486f7e2.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.49486d2.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1936, type: MEMORY

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0000000E.00000002.423799814.0000000004AF5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.424117469.0000000004C68000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.423910607.0000000004B58000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.328670808.0000000004948000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.472316965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: REQUEST FOR OFFER.exe PID: 4156, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: badman.exe PID: 5900, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1936, type: MEMORY
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.486f7e2.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4c9e3d0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48a5bb2.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.49486d2.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.497ea88.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bfb8ba.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4b8f12a.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48a5bb2.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.497ea88.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4c9e3d0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4b8f12a.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bc54fa.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48dbf72.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bfb8ba.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.48dbf72.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.badman.exe.4bc54fa.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.486f7e2.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.REQUEST FOR OFFER.exe.49486d2.6.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts (1) | Windows Management Instrumentation (211) | Valid Accounts (1) | Valid Accounts (1) | Disable or Modify Tools (1) | Input Capture (1) | Account Discovery (1) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Command and Scripting Interpreter (2) | Registry Run Keys / Startup Folder (1) | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | File and Directory Discovery (1) | Remote Desktop Protocol | Input Capture (1) | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection (312) | Obfuscated Files or Information (2) | Security Account Manager | System Information Discovery (113) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder (1) | Software Packing (1) | NTDS | Security Software Discovery (221) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading (1) | LSA Secrets | Virtualization/Sandbox Evasion (14) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Valid Accounts (1) | Cached Domain Credentials | Process Discovery (2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Modify Registry (1) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (1) | Proc Filesystem | System Owner/User Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion (14) | /etc/passwd and /etc/shadow | Remote System Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection (312) | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
                      Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Hidden Files and Directories (1) | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
                      (The number in parentheses after a technique is the signature count attached to that cell in the original matrix; cells without a number were not triggered by this sample.)

                      Behavior Graph

                      Behavior Graph ID: 356550 | Sample: REQUEST FOR OFFER.exe | Startdate: 23/02/2021 | Architecture: WINDOWS | Score: 100
                      Process tree recovered from the graph labels (the rendered graph is not reproduced here):
                      Start node signatures: Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Yara detected AntiVM_3; 2 other signatures
                      REQUEST FOR OFFER.exe (started)
                        signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                        dropped: C:\Users\user\AppData\Roaming\badman.exe, PE32
                        dropped: C:\Users\user\AppData\...\InstallUtil.exe, PE32
                        dropped: C:\Users\user\...\badman.exe:Zone.Identifier, ASCII
                        dropped: C:\Users\user\...\REQUEST FOR OFFER.exe.log, ASCII
                        badman.exe (started)
                          signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures
                          InstallUtil.exe (started)
                            signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                        cmd.exe (started)
                          conhost.exe (started)
                          reg.exe (started)

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      REQUEST FOR OFFER.exe | 35% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                      REQUEST FOR OFFER.exe | 100% | Joe Sandbox ML | 

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\badman.exe | 100% | Joe Sandbox ML | 
                      C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender | 
                      C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs | 
                      C:\Users\user\AppData\Roaming\badman.exe | 35% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      15.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      http://ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe
                      http://ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe
                      http://ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe
                      http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
                      http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
                      http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
                      http://HDgGGv.com | 0% | Avira URL Cloud | safe
                      http://ns.adobe.c/g%% | 0% | Avira URL Cloud | safe
                      http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
                      http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
                      http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
                      http://ns.adobe.c/g | 0% | URL Reputation | safe
                      http://ns.adobe.c/g | 0% | URL Reputation | safe
                      http://ns.adobe.c/g | 0% | URL Reputation | safe
                      http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
                      http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
                      http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
                      http://ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe
                      http://ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe
                      http://ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe
                      https://pki.goog/repository/0 | 0% | URL Reputation | safe
                      https://pki.goog/repository/0 | 0% | URL Reputation | safe
                      https://pki.goog/repository/0 | 0% | URL Reputation | safe
                      http://ns.adobe.c/g%%vp | 0% | Avira URL Cloud | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://127.0.0.1:HTTP/1.1 | InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      http://DynDns.comDynDNS | InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                      http://ocsp.pki.goog/gts1o1core0 | badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                      http://crl.pki.goog/GTS1O1core.crl0 | badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                      http://HDgGGv.com | InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://ns.adobe.c/g%% | badman.exe, 0000000E.00000003.414205130.0000000009D7B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://pki.goog/gsr2/GTS1O1.crt0 | badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                      http://ns.adobe.c/g | REQUEST FOR OFFER.exe, 00000000.00000003.217353767.0000000009A83000.00000004.00000001.sdmp, badman.exe, 0000000E.00000003.339036712.0000000009D73000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                      http://crl.pki.goog/gsr2/gsr2.crl0? | badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                      http://ocsp.pki.goog/gsr202 | badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                      https://pki.goog/repository/0 | badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                      http://ns.adobe.c/g%%vp | REQUEST FOR OFFER.exe, 00000000.00000002.332840777.0000000009A85000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | REQUEST FOR OFFER.exe, 00000000.00000002.326675089.0000000002F51000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417359766.0000000003271000.00000004.00000001.sdmp | false | | high
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | REQUEST FOR OFFER.exe, 00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.423799814.0000000004AF5000.00000004.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.472316965.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                      http://schema.org/WebPage | REQUEST FOR OFFER.exe, 00000000.00000002.326751684.0000000002F99000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417471164.00000000032A2000.00000004.00000001.sdmp | false | | high

                          Contacted IPs

                          No contacted IP infos

                          General Information

                          Joe Sandbox Version: 31.0.0 Emerald
                          Analysis ID: 356550
                          Start date: 23.02.2021
                          Start time: 09:58:47
                          Joe Sandbox Product: CloudBasic
                          Overall analysis duration: 0h 10m 22s
                          Hypervisor based Inspection enabled: false
                          Report type: light
                          Sample file name: REQUEST FOR OFFER.exe
                          Cookbook file name: default.jbs
                          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of new started processes analysed: 20
                          Number of new started drivers analysed: 0
                          Number of existing processes analysed: 0
                          Number of existing drivers analysed: 0
                          Number of injected processes analysed: 0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode: default
                          Analysis stop reason: Timeout
                          Detection: MAL
                          Classification: mal100.troj.evad.winEXE@10/5@0/0
                          EGA Information: Failed
                          HDC Information:
                          • Successful, ratio: 2.5% (good quality ratio 1.2%)
                          • Quality average: 23.1%
                          • Quality standard deviation: 30.1%
                          HCA Information:
                          • Successful, ratio: 84%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .exe
                          Warnings:
                          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe
                          • Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 13.64.90.137, 142.250.185.164, 204.79.197.200, 13.107.21.200, 131.253.33.200, 13.107.22.200, 52.147.198.201, 40.88.32.150, 184.30.20.56, 2.20.142.210, 2.20.142.209
                          • Excluded domains from analysis (whitelisted): www.bing.com, au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, www.google.com, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/356550/sample/REQUEST FOR OFFER.exe

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          10:00:45API Interceptor200x Sleep call for process: REQUEST FOR OFFER.exe modified
                          10:00:48AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run neil C:\Users\user\AppData\Roaming\badman.exe
                          10:00:56AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run neil C:\Users\user\AppData\Roaming\badman.exe
                          10:01:40API Interceptor216x Sleep call for process: badman.exe modified
                          10:02:33API Interceptor70x Sleep call for process: InstallUtil.exe modified

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          No context

                          ASN

                          No context

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          Match: C:\Users\user\AppData\Local\Temp\InstallUtil.exe (the SHA 256 and Browse columns of the report are links and are not reproduced here; the same dropped file is shared by all samples below)
                          Associated Sample Name / URL                                   Detection
                          v2.exe                                                         malicious
                          MPO-003234.exe                                                 malicious
                          Payment copy.exe                                               malicious
                          New Order.exe                                                  malicious
                          YKRAB010B_KHE_Preminary Packing List.xlsx.exe                  malicious
                          RTM DIAS - CTM.exe                                             malicious
                          SecuriteInfo.com.Artemis249E62CF9BAE.exe                       malicious
                          SecuriteInfo.com.Trojan.Packed2.42841.18110.exe                malicious
                          DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe          malicious
                          index_2021-02-18-20_41.exe                                     malicious
                          XXXXXXXXXXXXXX.exe                                             malicious
                          IMG_144907.exe                                                 malicious
                          VIIIIIIIIIIIIIC.exe                                            malicious
                          lQN1zlLSGa.exe                                                 malicious
                          Sorted Properties.exe                                          malicious
                          DB_DHL_AWB_00117390021_AD03990399003920032.exe                 malicious
                          New Order 83329 PDF.exe                                        malicious
                          NEW TENDER_ORDER 900930390097733000999_10_02_2021.exe          malicious
                          Proforma Invoice February.exe                                  malicious
                          jmsg.exe                                                       malicious

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\REQUEST FOR OFFER.exe.log
                                                                  Process:C:\Users\user\Desktop\REQUEST FOR OFFER.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:modified
                                                                  Size (bytes):1214
                                                                  Entropy (8bit):5.358666369753595
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7K84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoM:MIHK5HKXE1qHbHK5AHKzvKviYHKhQnoH
                                                                  MD5:1F3BB210B09FE31192C6A822966919E9
                                                                  SHA1:A8715FFF2F9D1BE024F462CF702D1E7F71AA4B4F
                                                                  SHA-256:C6B3057777EE46AC3544F9FA829E918CD7EF70E490424616650DDA01BF214043
                                                                  SHA-512:26897678275FEFDFD96FCB7F7FAFFD5FB0BC0FEB35C89BEB4BA15D074155A06236E8681A2CA9C9DCFDDF2462644CD3603C3592AB310BA84E3D93C8BF2CE28DD5
                                                                  Malicious:true
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\badman.exe.log
                                                                  Process:C:\Users\user\AppData\Roaming\badman.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1214
                                                                  Entropy (8bit):5.358666369753595
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7K84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoM:MIHK5HKXE1qHbHK5AHKzvKviYHKhQnoH
                                                                  MD5:1F3BB210B09FE31192C6A822966919E9
                                                                  SHA1:A8715FFF2F9D1BE024F462CF702D1E7F71AA4B4F
                                                                  SHA-256:C6B3057777EE46AC3544F9FA829E918CD7EF70E490424616650DDA01BF214043
                                                                  SHA-512:26897678275FEFDFD96FCB7F7FAFFD5FB0BC0FEB35C89BEB4BA15D074155A06236E8681A2CA9C9DCFDDF2462644CD3603C3592AB310BA84E3D93C8BF2CE28DD5
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                                                                  C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                  Process:C:\Users\user\Desktop\REQUEST FOR OFFER.exe
                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41064
                                                                  Entropy (8bit):6.164873449128079
                                                                  Encrypted:false
                                                                  SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                                  MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                                  SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                                  SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                                  SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Joe Sandbox View:
                                                                  • Filename: v2.exe, Detection: malicious, Browse
                                                                  • Filename: MPO-003234.exe, Detection: malicious, Browse
                                                                  • Filename: Payment copy.exe, Detection: malicious, Browse
                                                                  • Filename: New Order.exe, Detection: malicious, Browse
                                                                  • Filename: YKRAB010B_KHE_Preminary Packing List.xlsx.exe, Detection: malicious, Browse
                                                                  • Filename: RTM DIAS - CTM.exe, Detection: malicious, Browse
                                                                  • Filename: SecuriteInfo.com.Artemis249E62CF9BAE.exe, Detection: malicious, Browse
                                                                  • Filename: SecuriteInfo.com.Trojan.Packed2.42841.18110.exe, Detection: malicious, Browse
                                                                  • Filename: DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe, Detection: malicious, Browse
                                                                  • Filename: index_2021-02-18-20_41.exe, Detection: malicious, Browse
                                                                  • Filename: XXXXXXXXXXXXXX.exe, Detection: malicious, Browse
                                                                  • Filename: IMG_144907.exe, Detection: malicious, Browse
                                                                  • Filename: VIIIIIIIIIIIIIC.exe, Detection: malicious, Browse
                                                                  • Filename: lQN1zlLSGa.exe, Detection: malicious, Browse
                                                                  • Filename: Sorted Properties.exe, Detection: malicious, Browse
                                                                  • Filename: DB_DHL_AWB_00117390021_AD03990399003920032.exe, Detection: malicious, Browse
                                                                  • Filename: New Order 83329 PDF.exe, Detection: malicious, Browse
                                                                  • Filename: NEW TENDER_ORDER 900930390097733000999_10_02_2021.exe, Detection: malicious, Browse
                                                                  • Filename: Proforma Invoice February.exe, Detection: malicious, Browse
                                                                  • Filename: jmsg.exe, Detection: malicious, Browse
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
                                                                  C:\Users\user\AppData\Roaming\badman.exe
                                                                  Process:C:\Users\user\Desktop\REQUEST FOR OFFER.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):867840
                                                                  Entropy (8bit):6.667025914454025
                                                                  Encrypted:false
                                                                  SSDEEP:12288:mCiV2B5AJQ3Krcrlhiz6021uysBFcbK5pEfwmjgc1otsf8o1lwPG:mCM2BfKrcBgp2IyySO5cButs
                                                                  MD5:0FC3FEECC0164C588F7AFAB6E51D566B
                                                                  SHA1:60115FC27261ECF866C1900D3D5F59520A2AB65A
                                                                  SHA-256:B5A2FBFEB80E2E92039A23615DF8B8F63F42D1331528F514B312D4946DC22607
                                                                  SHA-512:1E01B97A415C25408FFA99C1811C9861B0E3857B55F7EF951C28EDF64F79B6C440CF7BCC3A0240C7DB4400A980E9ED85D2988E036B99AEA3D9027037B7EF61D5
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 35%
                                                                  Reputation:low
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r..8.................2...........P... ...`....@.. ....................................`..................................O..K....`............................................................................... ............... ..H............text...40... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............<..............@..B.................P......H........x..8............................................................3.@.9@yx..B..=H/=......y....W..y=....l.C....M;...I.7..E.~:...&.........O2......-.D=.V.i..-.*P.....L..?.....6.4.=d,.Noa8...^:...g}s.....FA.eG..%....5x.l...7.w...s.{...dz.%..........f..(.#.....]s....O~..s..`..-.[j`..l,\..OT...m.v..R...[..}.i.[zA.L. .ek.......\.v .#F...P+.&..CD./.Vx1.....C.8..O...[.Y.O[c.D..u52..f..u...l..Q..P.Z....}&.y*&y..p.Mw.#*..5h...-.\C=s.....{..d.0.6..l.v.......].j.
                                                                  C:\Users\user\AppData\Roaming\badman.exe:Zone.Identifier
                                                                  Process:C:\Users\user\Desktop\REQUEST FOR OFFER.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):26
                                                                  Entropy (8bit):3.95006375643621
                                                                  Encrypted:false
                                                                  SSDEEP:3:ggPYV:rPYV
                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview: [ZoneTransfer]....ZoneId=0
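The two host artifacts recorded above, the HKCU Run value "neil" pointing at C:\Users\user\AppData\Roaming\badman.exe and the Zone.Identifier stream written for that file with ZoneId=0, are what a responder would sweep other machines for. The following is an added example (not Joe Sandbox's or the malware's code) of triage rules run over constructed Run-key records that mirror this report; the RunEntry record shape, the list of user-writable directories and the contrast entry under Program Files are assumptions made for illustration, and a real collector would read the registry and the file's Zone.Identifier alternate data stream itself.

```python
"""Triage of Run-key persistence and Zone.Identifier state.
Added example, not Joe Sandbox code. The RunEntry records are constructed to
mirror this report; a real collector would enumerate the Run keys and read
<file>:Zone.Identifier from each target itself."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Per-user, non-elevated drop locations (assumed list). The report's badman.exe
# lives under AppData\Roaming; its injection host InstallUtil.exe under AppData\Local\Temp.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\")


@dataclass
class RunEntry:
    hive: str                       # "HKCU" or "HKLM"
    name: str                       # value name, e.g. "neil"
    command: str                    # value data: executable path plus arguments
    zone_identifier: Optional[str]  # text of <target>:Zone.Identifier, None if no stream


def parse_zone_id(stream_text: Optional[str]) -> Optional[int]:
    """ZoneId from a Zone.Identifier stream: 3 = Internet (Mark-of-the-Web),
    0 = Local Machine. None when the stream is absent or carries no ZoneId line."""
    if stream_text is None:
        return None
    match = re.search(r"^ZoneId=(\d+)\s*$", stream_text, re.MULTILINE)
    return int(match.group(1)) if match else None


def executable_from_command(command: str) -> str:
    """Reduce a Run value's data to its executable path, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def triage(entry: RunEntry) -> List[str]:
    """Findings for one Run value; an empty list means nothing stood out."""
    findings = []
    exe_lower = executable_from_command(entry.command).lower()
    if any(d in exe_lower for d in USER_WRITABLE_DIRS):
        findings.append("target lives in a user-writable AppData directory")
    if parse_zone_id(entry.zone_identifier) == 0:
        # A dropper writing ZoneId=0 makes the file look locally created, so no
        # Mark-of-the-Web prompt or SmartScreen check applies to it.
        findings.append("Zone.Identifier written with ZoneId=0 (Local Machine zone)")
    return findings


def triage_all(entries: List[RunEntry]) -> dict:
    """Map '<hive>\\...\\Run\\<name>' to its findings, keeping only flagged entries."""
    result = {}
    for entry in entries:
        hits = triage(entry)
        if hits:
            key = f"{entry.hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\{entry.name}"
            result[key] = hits
    return result


# Constructed records: the first mirrors the report, the second is an invented
# ordinary vendor entry under Program Files for contrast.
SAMPLE_ENTRIES = [
    RunEntry("HKCU", "neil", r"C:\Users\user\AppData\Roaming\badman.exe",
             "[ZoneTransfer]\r\nZoneId=0\r\n"),
    RunEntry("HKLM", "VendorUpdater", r'"C:\Program Files\Vendor\Updater.exe" /silent', None),
]

if __name__ == "__main__":
    for key, hits in triage_all(SAMPLE_ENTRIES).items():
        print(key)
        for hit in hits:
            print("  -", hit)
```

Path-based rules of this kind need an allowlist in practice, since legitimate per-user installers (OneDrive-style) also register Run values under AppData; the ZoneId=0 stream on a freshly dropped executable is the more specific signal, because a file saved by a browser or mail client would carry ZoneId=3.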

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):6.667025914454025
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                  File name:REQUEST FOR OFFER.exe
                                                                  File size:867840
                                                                  MD5:0fc3feecc0164c588f7afab6e51d566b
                                                                  SHA1:60115fc27261ecf866c1900d3d5f59520a2ab65a
                                                                  SHA256:b5a2fbfeb80e2e92039a23615df8b8f63f42d1331528f514b312d4946dc22607
                                                                  SHA512:1e01b97a415c25408ffa99c1811c9861b0e3857b55f7ef951c28edf64f79b6c440cf7bcc3a0240c7db4400a980e9ed85d2988e036b99aea3d9027037b7ef61d5
                                                                  SSDEEP:12288:mCiV2B5AJQ3Krcrlhiz6021uysBFcbK5pEfwmjgc1otsf8o1lwPG:mCM2BfKrcBgp2IyySO5cButs
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r..8.................2...........P... ...`....@.. ....................................`................................

                                                                  File Icon

                                                                  Icon Hash:00828e8e8686b000

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x4d502e
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                          Time Stamp:0x3812DF72 [Sun Oct 24 10:29:06 1999 UTC] (not a real build time: it predates the v4.0.30319 CLR the image targets, so the field is either forged or a hash-derived value written by a deterministic build)
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v4.0.30319
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
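The timestamp and CLR version fields above are worth checking together in bulk: a COFF timestamp from 1999 on an image that carries a CLR header cannot be a build time. Below is an added example (not Joe Sandbox's code) of that consistency check in plain Python over the raw headers, with a header-only PE builder so it runs without the sample. The 2002-02-13 cut-off is the release date of .NET Framework 1.0; the CLR directory RVA and size used for the constructed header are assumed values, not read from the sample.

```python
"""Consistency check between a PE's COFF TimeDateStamp and the presence of a CLR
header. Added example, not Joe Sandbox code; build_minimal_pe() fabricates a
header-only image for testing and is not the analysed sample."""
import struct
from datetime import datetime, timezone

# .NET Framework 1.0 shipped on 2002-02-13: no managed image can truly be older.
FIRST_DOTNET_RELEASE = datetime(2002, 2, 13, tzinfo=timezone.utc)
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data-directory slot of the CLR header


def pe_timestamp_check(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers by hand and report whether the
    timestamp is plausible for a managed image. Raises ValueError on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]   # IMAGE_FILE_HEADER.TimeDateStamp
    opt = coff + 20                                             # IMAGE_OPTIONAL_HEADER follows
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, directories at +96
        nrva_off, dir_base = opt + 92, opt + 96
    elif magic == 0x20B:    # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        nrva_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    clr_rva = clr_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    built = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    managed = clr_rva != 0 and clr_size != 0
    return {
        "timestamp": timestamp,
        "built": built,
        "managed": managed,
        # A managed image "older" than the first .NET release carries a forged or
        # deterministic-build (hash-derived) timestamp, never a real build time.
        "timestamp_plausible": (not managed) or built >= FIRST_DOTNET_RELEASE,
    }


def build_minimal_pe(timestamp: int, clr_rva: int = 0, clr_size: int = 0) -> bytes:
    """Fabricate a header-only PE32 image (constructed test input, not the sample)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, timestamp, no symbols, 224-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    directories = bytearray(16 * 8)
    struct.pack_into("<II", directories, 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                     clr_rva, clr_size)
    return dos_header + b"PE\0\0" + coff_header + optional + bytes(directories)


if __name__ == "__main__":
    # The report's timestamp 0x3812DF72 on an image with a CLR header (RVA/size assumed).
    report = pe_timestamp_check(build_minimal_pe(0x3812DF72, clr_rva=0x2008, clr_size=0x48))
    print(report["built"].isoformat(), "managed:", report["managed"],
          "plausible:", report["timestamp_plausible"])
```

On a real file call pe_timestamp_check(open(path, "rb").read()). An implausible result means the field is not a build time, not that the file is malicious by itself: Roslyn's deterministic compilation, the default in current .NET SDKs, writes a content-hash-derived TimeDateStamp, so the check is one more inconsistency to weigh alongside the behavioural signatures rather than a verdict.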

                                                                  Entrypoint Preview

                                                                  Instruction
                          jmp dword ptr [00402000h]   ; indirect jump through the import address table to mscoree!_CorExeMain, the standard native entry stub of a managed (.NET) executable
                          add byte ptr [eax], al      ; repeated 97 times: the disassembler's reading of the zero padding that follows the 6-byte stub, not code that executes

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd4fe0          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd6000          0x61e         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd8000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0xd3034       0xd3200   False     0.641000823342   data       6.67589744501    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xd6000          0x61e         0x800     False     0.3505859375     data       3.65860521764    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xd8000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                          Language  Country
RT_VERSION   0xd60a0  0x394  data
RT_MANIFEST  0xd6434  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2011 E5?5I5:6IG=BH49I2J<;6C
Assembly Version  1.0.0.0
InternalName      Fresh.exe
FileVersion       7.11.14.18
CompanyName       E5?5I5:6IG=BH49I2J<;6C
Comments          AF95E:7>3632AD@G@9
ProductName       5EGCD4ACFEGCGA7;?A2
ProductVersion    7.11.14.18
FileDescription   5EGCD4ACFEGCGA7;?A2
OriginalFilename  Fresh.exe

Network Behavior

Network Port Distribution

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Feb 23, 2021 10:00:36.081238985 CET  51904        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:36.132683039 CET  53           51904      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:37.414635897 CET  61328        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:37.463375092 CET  53           61328      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:38.521338940 CET  54130        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:38.570198059 CET  53           54130      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:39.661516905 CET  56961        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:39.713184118 CET  53           56961      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:40.456821918 CET  59353        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:40.522085905 CET  53           59353      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:40.810229063 CET  52238        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:40.859318972 CET  53           52238      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:40.910491943 CET  49873        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:40.982876062 CET  53           49873      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:40.994813919 CET  53196        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:41.043833971 CET  53           53196      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:42.041337967 CET  56777        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:42.090008020 CET  53           56777      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:43.231712103 CET  58643        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:43.280288935 CET  53           58643      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:44.295764923 CET  60985        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:44.344293118 CET  53           60985      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:45.279473066 CET  50200        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:45.328105927 CET  53           50200      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:46.464732885 CET  51281        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:46.516562939 CET  53           51281      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:47.770612955 CET  49199        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:47.833458900 CET  53           49199      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:49.370409966 CET  50620        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:49.419028997 CET  53           50620      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:50.545496941 CET  64938        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:50.601221085 CET  53           64938      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:51.684288025 CET  60152        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:51.736004114 CET  53           60152      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:52.829741955 CET  57544        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:52.888571978 CET  53           57544      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:55.283130884 CET  55984        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:55.334814072 CET  53           55984      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:58.214745998 CET  64185        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:58.263741016 CET  53           64185      8.8.8.8      192.168.2.3
Feb 23, 2021 10:00:59.293762922 CET  65110        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:00:59.353573084 CET  53           65110      8.8.8.8      192.168.2.3
Feb 23, 2021 10:01:02.064384937 CET  58361        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:01:02.112971067 CET  53           58361      8.8.8.8      192.168.2.3
Feb 23, 2021 10:01:06.269579887 CET  63492        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:01:06.328562975 CET  53           63492      8.8.8.8      192.168.2.3
Feb 23, 2021 10:01:27.109426975 CET  60831        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:01:27.167785883 CET  53           60831      8.8.8.8      192.168.2.3
Feb 23, 2021 10:01:36.290935993 CET  60100        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:01:36.339538097 CET  53           60100      8.8.8.8      192.168.2.3
Feb 23, 2021 10:01:36.870996952 CET  53195        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:01:36.919378042 CET  53           53195      8.8.8.8      192.168.2.3
Feb 23, 2021 10:01:36.936537981 CET  50141        53         192.168.2.3  8.8.8.8
Feb 23, 2021 10:01:36.985106945 CET  53           50141      8.8.8.8      192.168.2.3

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 10:00:38
Start date: 23/02/2021
Path: C:\Users\user\Desktop\REQUEST FOR OFFER.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\REQUEST FOR OFFER.exe'
Imagebase: 0xba0000
File size: 867840 bytes
MD5 hash: 0FC3FEECC0164C588F7AFAB6E51D566B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.328670808.0000000004948000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 10:00:43
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:00:44
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:00:44
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Imagebase: 0xca0000
File size: 59392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:01:33
Start date: 23/02/2021
Path: C:\Users\user\AppData\Roaming\badman.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\badman.exe'
Imagebase: 0xee0000
File size: 867840 bytes
MD5 hash: 0FC3FEECC0164C588F7AFAB6E51D566B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.423799814.0000000004AF5000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.424117469.0000000004C68000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.423910607.0000000004B58000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 35%, ReversingLabs
Reputation: low

General

Start time: 10:02:10
Start date: 23/02/2021
Path: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Imagebase: 0x5b0000
File size: 41064 bytes
MD5 hash: EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.472316965.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

Disassembly

Code Analysis
