
Analysis Report Product List.exe

Overview

General Information

Sample Name: Product List.exe
Analysis ID: 356641
MD5: df1a8e7ffa630db4a9fa38abaec4c0d2
SHA1: 19077607d6f6951499783faec6f1722cb9b2c077
SHA256: 8174806d6bbe5f5c713a2a860c36b22d3efe8c7effeb0284bb23de5a9fe68d26
Tags: AgentTesla, exe
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Product List.exe (PID: 3488 cmdline: 'C:\Users\user\Desktop\Product List.exe' MD5: DF1A8E7FFA630DB4A9FA38ABAEC4C0D2)
    • schtasks.exe (PID: 4092 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Product List.exe (PID: 1928 cmdline: C:\Users\user\Desktop\Product List.exe MD5: DF1A8E7FFA630DB4A9FA38ABAEC4C0D2)
    • Product List.exe (PID: 3152 cmdline: C:\Users\user\Desktop\Product List.exe MD5: DF1A8E7FFA630DB4A9FA38ABAEC4C0D2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
4.2.Product List.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Product List.exe.41e7fb0.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Product List.exe.2f56b18.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.Product List.exe.41e7fb0.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Product List.exe.2fa483c.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Product List.exe', ParentImage: C:\Users\user\Desktop\Product List.exe, ParentProcessId: 3488, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp', ProcessId: 4092

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\oObXLwwKgq.exe | ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: Product List.exe | Virustotal: Detection: 42%
Source: Product List.exe | ReversingLabs: Detection: 34%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\oObXLwwKgq.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Product List.exe | Joe Sandbox ML: detected
Source: 4.2.Product List.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Product List.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Product List.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.3:49732 -> 144.217.69.193:587
Source: global traffic | TCP traffic: 192.168.2.3:49732 -> 144.217.69.193:587
Source: unknown | DNS traffic detected: queries for: cdn.onenote.net
Source: Product List.exe, 00000004.00000002.472992635.0000000003079000.00000004.00000001.sdmp, Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp, Product List.exe, 00000004.00000002.472808847.0000000003048000.00000004.00000001.sdmp | String found in binary or memory: http://0AqX2o5J52Y7fM61Oxy.com
Source: Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: http://at.engineering
Source: Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Product List.exe, 00000004.00000002.477419217.0000000006A40000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Product List.exe, 00000000.00000003.206077469.0000000005FEE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Product List.exe, 00000000.00000003.206416561.0000000005FC9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlr-t
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comTTF/
Source: Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comU
Source: Product List.exe, 00000000.00000002.227845967.0000000005FB4000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsp
Source: Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomF
Source: Product List.exe, 00000000.00000002.227845967.0000000005FB4000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgritoq
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Product List.exe, 00000000.00000003.203454444.0000000005FB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Product List.exe, 00000000.00000003.203545951.0000000005FB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Product List.exe, 00000000.00000003.203454444.0000000005FB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnC
Source: Product List.exe, 00000000.00000003.203211032.0000000005FBE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnTFf
Source: Product List.exe, 00000000.00000003.203454444.0000000005FB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cno
Source: Product List.exe, 00000000.00000003.207772790.0000000005FC3000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/4
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Product List.exe, 00000000.00000003.207772790.0000000005FC3000.00000004.00000001.sdmp, Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//p
Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/I
Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/L
Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0et
Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0mC
Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a
Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/z
Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/lte
Source: Product List.exe, 00000000.00000003.204830525.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/oi
Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/oo
Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/q
Source: Product List.exe, 00000000.00000003.200659215.0000000005FB3000.00000004.00000001.sdmp, Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Product List.exe, 00000000.00000003.200659215.0000000005FB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comec
Source: Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com&
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Product List.exe, 00000000.00000003.202945354.0000000005FCB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comwa
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp | String found in binary or memory: http://ztjCrd.com
Source: Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Product List.exe, 00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmp, Product List.exe, 00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 4.2.Product List.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b229E1CFDu002d2DFDu002d4D5Bu002dAEE6u002d795BE0355C35u007d/AF02D89Au002dA309u002d4AF8u002d9971u002dE6A4754A7662.csLarge array initialization: .cctor: array initializer size 11949
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_00AF4AD50_2_00AF4AD5
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_02E8A6A80_2_02E8A6A8
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_02E8EF3C0_2_02E8EF3C
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_02E8F4180_2_02E8F418
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_02E8D5A00_2_02E8D5A0
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_02E8D59B0_2_02E8D59B
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_02E8B9940_2_02E8B994
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_09742C900_2_09742C90
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_097400400_2_09740040
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 3_2_002A4AD53_2_002A4AD5
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_008E4AD54_2_008E4AD5
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DD2D504_2_00DD2D50
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DDEA184_2_00DDEA18
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DD26184_2_00DD2618
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DDCFF04_2_00DDCFF0
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DD1FE04_2_00DD1FE0
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DDA7204_2_00DDA720
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DDF7F84_2_00DDF7F8
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DFACB04_2_00DFACB0
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DF00404_2_00DF0040
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DF2E504_2_00DF2E50
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DF46704_2_00DF4670
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DFD3854_2_00DFD385
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DF68404_2_00DF6840
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DF91184_2_00DF9118
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_011D47A04_2_011D47A0
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_011DD8204_2_011DD820
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_011D3CCC4_2_011D3CCC
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_011D46B04_2_011D46B0
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_011D54904_2_011D5490
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_011D3CC04_2_011D3CC0
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_06C75C584_2_06C75C58
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_06C7F8704_2_06C7F870
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_06C7A7104_2_06C7A710
                      Source: Product List.exeBinary or memory string: OriginalFilename vs Product List.exe
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAsyncState.dllF vs Product List.exe
                      Source: Product List.exe, 00000000.00000000.197720100.0000000000AF2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIEnumMoniker.exe6 vs Product List.exe
                      Source: Product List.exe, 00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBpIFRNHUGjPNAoJQtYyW.exe4 vs Product List.exe
                      Source: Product List.exe, 00000000.00000002.230847837.0000000009480000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Product List.exe
                      Source: Product List.exe, 00000000.00000002.229847265.0000000008F80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Product List.exe
                      Source: Product List.exe, 00000000.00000002.229761142.0000000008DD0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Product List.exe
                      Source: Product List.exe, 00000000.00000002.231099210.0000000009580000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Product List.exe
                      Source: Product List.exe, 00000000.00000002.231099210.0000000009580000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Product List.exe
                      Source: Product List.exeBinary or memory string: OriginalFilename vs Product List.exe
                      Source: Product List.exe, 00000003.00000000.219271011.00000000002A2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIEnumMoniker.exe6 vs Product List.exe
                      Source: Product List.exeBinary or memory string: OriginalFilename vs Product List.exe
                      Source: Product List.exe, 00000004.00000000.220140658.00000000008E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIEnumMoniker.exe6 vs Product List.exe
                      Source: Product List.exe, 00000004.00000002.469726803.00000000010C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Product List.exe
                      Source: Product List.exe, 00000004.00000002.469821932.0000000001150000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs Product List.exe
                      Source: Product List.exe, 00000004.00000002.467021746.0000000000D38000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Product List.exe
                      Source: Product List.exe, 00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameBpIFRNHUGjPNAoJQtYyW.exe4 vs Product List.exe
                      Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Product List.exe
                      Source: Product List.exeBinary or memory string: OriginalFilenameIEnumMoniker.exe6 vs Product List.exe
                      Source: Product List.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Product List.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: oObXLwwKgq.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 4.2.Product List.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.2.Product List.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/5@3/1
                      Source: C:\Users\user\Desktop\Product List.exeFile created: C:\Users\user\AppData\Roaming\oObXLwwKgq.exeJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeMutant created: \Sessions\1\BaseNamedObjects\ubWnYfprkyhFCG
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3920:120:WilError_01
                      Source: C:\Users\user\Desktop\Product List.exeFile created: C:\Users\user\AppData\Local\Temp\tmp3F53.tmpJump to behavior
                      Source: Product List.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Product List.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Product List.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\Product List.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\Product List.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: Product List.exe | Virustotal: Detection: 42%
                      Source: Product List.exe | ReversingLabs: Detection: 34%
                      Source: C:\Users\user\Desktop\Product List.exe | File read: C:\Users\user\Desktop\Product List.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\Product List.exe 'C:\Users\user\Desktop\Product List.exe'
                      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
                      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\Users\user\Desktop\Product List.exe C:\Users\user\Desktop\Product List.exe
                      Source: C:\Users\user\Desktop\Product List.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
                      Source: C:\Users\user\Desktop\Product List.exe | Process created: C:\Users\user\Desktop\Product List.exe C:\Users\user\Desktop\Product List.exe
                      Source: C:\Users\user\Desktop\Product List.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: C:\Users\user\Desktop\Product List.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\Product List.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Product List.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Product List.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: C:\Users\user\Desktop\Product List.exe | Code function: 0_2_09743C6D push dword ptr [edx+ebp*2-75h]; iretd 0_2_09743C77
                      Source: C:\Users\user\Desktop\Product List.exe | Code function: 4_2_00DD7A37 push edi; retn 0000h 4_2_00DD7A39
                      Source: C:\Users\user\Desktop\Product List.exe | Code function: 4_2_00DFB8B0 push F800D8CCh; retf 4_2_00DFB90D
                      Source: C:\Users\user\Desktop\Product List.exe | Code function: 4_2_06C7D5B5 push es; ret 4_2_06C7D5BC
                      Source: initial sample | Static PE information: section name: .text entropy: 7.44517297113
                      Source: C:\Users\user\Desktop\Product List.exe | File created: C:\Users\user\AppData\Roaming\oObXLwwKgq.exe

                      Boot Survival:

                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
                      Source: C:\Users\user\Desktop\Product List.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\Product List.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM_3
                      Source: Yara match | File source: 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Product List.exe PID: 3488, type: MEMORY
                      Source: Yara match | File source: 0.2.Product List.exe.2f56b18.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Product List.exe.2fa483c.2.raw.unpack, type: UNPACKEDPE
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Product List.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Product List.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Product List.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Source: C:\Users\user\Desktop\Product List.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
                      Source: C:\Users\user\Desktop\Product List.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Users\user\Desktop\Product List.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                      Source: C:\Users\user\Desktop\Product List.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\Product List.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
                      Source: C:\Users\user\Desktop\Product List.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                      Source: C:\Users\user\Desktop\Product List.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Product List.exe | Window / User API: threadDelayed 6832
                      Source: C:\Users\user\Desktop\Product List.exe | Window / User API: threadDelayed 3018
                      Source: C:\Users\user\Desktop\Product List.exe TID: 1740 | Thread sleep time: -99271s >= -30000s
                      Source: C:\Users\user\Desktop\Product List.exe TID: 5840 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Product List.exe TID: 3292 | Thread sleep time: -21213755684765971s >= -30000s
                      Source: C:\Users\user\Desktop\Product List.exe TID: 4796 | Thread sleep count: 6832 > 30
                      Source: C:\Users\user\Desktop\Product List.exe TID: 4796 | Thread sleep count: 3018 > 30
                      Source: C:\Users\user\Desktop\Product List.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Product List.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                      Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                      Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware T<
                      Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware T
                      Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\Product List.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Product List.exe | Code function: 4_2_00DF0040 LdrInitializeThunk, 4_2_00DF0040
                      Source: C:\Users\user\Desktop\Product List.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Product List.exe | Memory allocated: page read and write | page guard