Analysis Report VAT INVOICE.exe

Overview

General Information

Sample Name: VAT INVOICE.exe
Analysis ID: 383977
MD5: ed9f7f4141cd85650393d16b2bad6de4
SHA1: fcdddbcfb7089035853a0b109304612658f9d789
SHA256: adde82ed8c5814b91f07af5fe44f30aced3455cc52d6490b19aa822bde1b2e6b
Tags: AgentTesla
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • VAT INVOICE.exe (PID: 6448 cmdline: 'C:\Users\user\Desktop\VAT INVOICE.exe' MD5: ED9F7F4141CD85650393D16B2BAD6DE4)
    • VAT INVOICE.exe (PID: 6632 cmdline: C:\Users\user\Desktop\VAT INVOICE.exe MD5: ED9F7F4141CD85650393D16B2BAD6DE4)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "oc2021@lokalboyz.comlkEb6ovnsmtp.lokalboyz.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000002.351717362.0000000009A31000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.590285183.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.594381302.0000000002E61000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.594381302.0000000002E61000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
1.2.VAT INVOICE.exe.9ad35e0.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.VAT INVOICE.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.VAT INVOICE.exe.9ad35e0.8.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: VAT INVOICE.exe | Avira: detected
Found malware configuration
Source: 4.2.VAT INVOICE.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "oc2021@lokalboyz.comlkEb6ovnsmtp.lokalboyz.com"}
Multi AV Scanner detection for submitted file
Source: VAT INVOICE.exe | ReversingLabs: Detection: 35%
Machine Learning detection for sample
Source: VAT INVOICE.exe | Joe Sandbox ML: detected
Source: 4.2.VAT INVOICE.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: VAT INVOICE.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\VAT INVOICE.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: VAT INVOICE.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: VAT INVOICE.exe, 00000001.00000002.351044330.0000000007BD0000.00000002.00000001.sdmp, VAT INVOICE.exe, 00000004.00000002.598240392.0000000006160000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_00D29870 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_00D297A8 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: global traffic | TCP traffic: 192.168.2.6:49741 -> 208.91.199.225:587
Source: global traffic | TCP traffic: 192.168.2.6:49745 -> 208.91.199.224:587
Source: Joe Sandbox View | IP Address: 208.91.199.225
Source: Joe Sandbox View | IP Address: 208.91.199.224
Source: unknown | DNS traffic detected: queries for: smtp.lokalboyz.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\VAT INVOICE.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\VAT INVOICE.exe

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: VAT INVOICE.exe
Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_04BA0F1E NtQueryInformationProcess
Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_04BA108E NtQuerySystemInformation
Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_04BA0EFC NtQueryInformationProcess
Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_04BA1053 NtQuerySystemInformation
Source: VAT INVOICE.exe | Binary or memory string: OriginalFilename vs VAT INVOICE.exe
Source: VAT INVOICE.exe, 00000001.00000002.346787019.0000000002A31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs VAT INVOICE.exe
Source: VAT INVOICE.exe, 00000001.00000002.345705269.0000000000262000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBinaryObject.exe4 vs VAT INVOICE.exe
Source: VAT INVOICE.exe, 00000001.00000002.347011827.0000000002ABC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBhBklfZbgTwtYptXoglSw.exe4 vs VAT INVOICE.exe
Source: VAT INVOICE.exe, 00000001.00000002.347578088.0000000003A31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs VAT INVOICE.exe
Source: VAT INVOICE.exe, 00000001.00000002.351044330.0000000007BD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs VAT INVOICE.exe
Source: VAT INVOICE.exe, 00000004.00000002.590398073.0000000000762000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBinaryObject.exe4 vs VAT INVOICE.exe
Source: VAT INVOICE.exe, 00000004.00000002.597171039.00000000051D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs VAT INVOICE.exe
Source: VAT INVOICE.exe, 00000004.00000002.590285183.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameBhBklfZbgTwtYptXoglSw.exe4 vs VAT INVOICE.exe
Source: VAT INVOICE.exe, 00000004.00000002.597795285.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs VAT INVOICE.exe
Source: VAT INVOICE.exe, 00000004.00000002.598240392.0000000006160000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs VAT INVOICE.exe
Source: VAT INVOICE.exe | Binary or memory string: OriginalFilenameBinaryObject.exe4 vs VAT INVOICE.exe
Source: VAT INVOICE.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: VAT INVOICE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/2
Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_04BA0C7A AdjustTokenPrivileges
Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_04BA0C43 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\VAT INVOICE.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\VAT INVOICE.exe.log
Source: C:\Users\user\Desktop\VAT INVOICE.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\VAT INVOICE.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\VAT INVOICE.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\VAT INVOICE.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\VAT INVOICE.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\VAT INVOICE.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\VAT INVOICE.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Users\user\Desktop\VAT INVOICE.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\VAT INVOICE.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\VAT INVOICE.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\VAT INVOICE.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmpBinary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmpBinary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: VAT INVOICE.exe | ReversingLabs: Detection: 35%
                  Source: unknown | Process created: C:\Users\user\Desktop\VAT INVOICE.exe 'C:\Users\user\Desktop\VAT INVOICE.exe'
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Process created: C:\Users\user\Desktop\VAT INVOICE.exe C:\Users\user\Desktop\VAT INVOICE.exe
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: VAT INVOICE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                  Source: VAT INVOICE.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: mscorrc.pdb source: VAT INVOICE.exe, 00000001.00000002.351044330.0000000007BD0000.00000002.00000001.sdmp, VAT INVOICE.exe, 00000004.00000002.598240392.0000000006160000.00000002.00000001.sdmp
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_0026DC46 push 00000000h; iretd 1_2_0026DC90
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_0026D657 push es; retn 0001h 1_2_0026D6B5
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_00C30CEC push cs; ret 1_2_00C30D02
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_00C30C71 push cs; ret 1_2_00C30C72
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_00C30C75 push cs; ret 1_2_00C30C76
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_00D21879 push dword ptr [ebp+4Fh]; retf 1_2_00D21887
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 1_2_0267CD3E push dword ptr [esi]; iretd 1_2_0267CD47
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 4_2_0076D657 push es; retn 0001h 4_2_0076D6B5
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 4_2_0076DC46 push 00000000h; iretd 4_2_0076DC90
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 4_2_058940F0 push cs; retf 4_2_05894107
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 4_2_05894008 push cs; retf 4_2_0589401F
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 4_2_0589407C push cs; retf 4_2_05894093
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Code function: 4_2_07069DA0 push ds; iretd 4_2_07069E3E
                  Source: initial sample | Static PE information: section name: .text entropy: 7.61345211239
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Yara detected AntiVM3
                  Source: Yara match | File source: 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: VAT INVOICE.exe PID: 6448, type: MEMORY
                  Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,systemQueried,threadDelayed,threadDelayed
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Window / User API: threadDelayed 444
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe TID: 6452 | Thread sleep time: -101544s >= -30000s
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe TID: 6468 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe TID: 6828 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe TID: 6828 | Thread sleep time: -13320000s >= -30000s
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe TID: 6828 | Thread sleep time: -120000s >= -30000s
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe TID: 6828 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Last function: Thread delayed
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Thread delayed: delay time: 101544
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Thread delayed: delay time: 30000
                  Source: VAT INVOICE.exe, 00000004.00000002.597171039.00000000051D0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmp | Binary or memory string: vmware
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: VAT INVOICE.exe, 00000004.00000002.597171039.00000000051D0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                  Source: VAT INVOICE.exe, 00000004.00000002.597171039.00000000051D0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                  Source: VAT INVOICE.exe, 00000001.00000002.346844036.0000000002A69000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: VAT INVOICE.exe, 00000004.00000002.598670487.0000000006DE0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
                  Source: VAT INVOICE.exe, 00000004.00000002.597171039.00000000051D0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                  Source: C:\Users\user\Desktop\VAT INVOICE.exe | Process information queried: ProcessInformation