
Analysis Report #1002021.exe

Overview

General Information

Sample Name: #1002021.exe
Analysis ID: 383981
MD5: 6208b6541936333f498204d1ec7234db
SHA1: 62a31f0f710ce7af593ff6ce28d22b8fe1ca8097
SHA256: c1f2ef3f7a994adba520b81e95a6c792a263d574247d66b7d1e3edce99a4910d
Tags: AgentTesla

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • #1002021.exe (PID: 4612 cmdline: 'C:\Users\user\Desktop\#1002021.exe' MD5: 6208B6541936333F498204D1EC7234DB)
    • #1002021.exe (PID: 2672 cmdline: {path} MD5: 6208B6541936333F498204D1EC7234DB)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "ekwe@yillyenterprise.com^1.kk2[?w-Yzmail.yillyenterprise.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.497062143.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.507026512.0000000002B41000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.260493550.0000000004229000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: #1002021.exe PID: 4612 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: #1002021.exe PID: 4612 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.#1002021.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.#1002021.exe.43d9ba0.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.#1002021.exe.43d9ba0.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
  Source: 2.2.#1002021.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "ekwe@yillyenterprise.com^1.kk2[?w-Yzmail.yillyenterprise.com"}
Multi AV Scanner detection for submitted file
  Source: #1002021.exe | ReversingLabs: Detection: 35%
  Source: 2.2.#1002021.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
  Source: #1002021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
  Source: #1002021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.7:49705 -> 103.6.198.237:587
  Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.7:49706 -> 103.6.198.237:587
  Source: global traffic | TCP traffic: 192.168.2.7:49705 -> 103.6.198.237:587
  Source: Joe Sandbox View | ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY
  Source: global traffic | TCP traffic: 192.168.2.7:49705 -> 103.6.198.237:587
  Source: unknown | DNS traffic detected: queries for: mail.yillyenterprise.com

System Summary:

.NET source code contains very large array initializations
  Source: 2.2.#1002021.exe.400000.0.unpack, <PrivateImplementationDetails>{64D54FA0-DCE6-4D17-90E5-01D5DCD649E7}/E665D213-E6B6-4438-9BD5-2DBC4037211B.cs | Large array initialization: .cctor: array initializer size 11944
  Source: #1002021.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  Source: #1002021.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  Source: #1002021.exe | Binary or memory string: OriginalFilename vs #1002021.exe
  Source: #1002021.exe, 00000000.00000002.271508945.0000000007D70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs #1002021.exe
  Source: #1002021.exe, 00000000.00000002.266357883.0000000004729000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs #1002021.exe
  Source: #1002021.exe, 00000000.00000002.260493550.0000000004229000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameexoUqrJZudHREjogRnRvJGlrAcwRCcAwmeAsDDz.exe4 vs #1002021.exe
  Source: #1002021.exe, 00000000.00000002.260198653.0000000003221000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMetroFramework.dll> vs #1002021.exe
  Source: #1002021.exe | Binary or memory string: OriginalFilename vs #1002021.exe
  Source: #1002021.exe, 00000002.00000002.502728356.0000000000E18000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs #1002021.exe
  Source: #1002021.exe, 00000002.00000002.497062143.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameexoUqrJZudHREjogRnRvJGlrAcwRCcAwmeAsDDz.exe4 vs #1002021.exe
  Source: #1002021.exe, 00000002.00000002.505988471.00000000011A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs #1002021.exe
  Source: #1002021.exe, 00000002.00000002.505956956.0000000001190000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs #1002021.exe
  Source: #1002021.exe, 00000002.00000002.505887561.0000000001120000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs #1002021.exe
  Source: #1002021.exe, 00000002.00000002.499451393.00000000009E8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs #1002021.exe
  Source: #1002021.exe | Binary or memory string: OriginalFilename vs #1002021.exe
  Source: #1002021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
  Source: #1002021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
  Source: 2.2.#1002021.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
  Source: 2.2.#1002021.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
  Source: #1002021.exe, 00000000.00000003.243832328.000000000612B000.00000004.00000001.sdmp | Binary or memory string: is a registered trademark of Bigelow & Holmes Inc.slnt
  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/1
  Source: C:\Users\user\Desktop\#1002021.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#1002021.exe.log
  Source: #1002021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
  Source: C:\Users\user\Desktop\#1002021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
  Source: C:\Users\user\Desktop\#1002021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
  Source: C:\Users\user\Desktop\#1002021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
  Source: C:\Users\user\Desktop\#1002021.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
  Source: C:\Users\user\Desktop\#1002021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  Source: C:\Users\user\Desktop\#1002021.exe | File read: C:\Windows\System32\drivers\etc\hosts
  Source: C:\Users\user\Desktop\#1002021.exe | File read: C:\Windows\System32\drivers\etc\hosts
  Source: C:\Users\user\Desktop\#1002021.exe | File read: C:\Windows\System32\drivers\etc\hosts
  Source: #1002021.exe | ReversingLabs: Detection: 35%
  Source: unknown | Process created: C:\Users\user\Desktop\#1002021.exe 'C:\Users\user\Desktop\#1002021.exe'
  Source: C:\Users\user\Desktop\#1002021.exe | Process created: C:\Users\user\Desktop\#1002021.exe {path}
  Source: C:\Users\user\Desktop\#1002021.exe | Process created: C:\Users\user\Desktop\#1002021.exe {path}
  Source: C:\Users\user\Desktop\#1002021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
  Source: C:\Users\user\Desktop\#1002021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
  Source: C:\Users\user\Desktop\#1002021.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Source: #1002021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
  Source: #1002021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                  Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: #1002021.exe, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.2.#1002021.exe.d70000.0.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 2.2.#1002021.exe.790000.1.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01855B8B push edx; retf 0_2_01855B8E
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_0185A576 push dword ptr [edx+ebp*2-75h]; iretd 0_2_0185A57F
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_01858570 push 0000005Dh; ret 0_2_018585A1
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 0_2_056ACF7B push esp; retf 0_2_056ACF81
Source: C:\Users\user\Desktop\#1002021.exe | Code function: 2_2_05F934EC push eax; retf 2_2_05F934ED
Source: initial sample | Static PE information: section name: .text entropy: 7.89650748238
Source: C:\Users\user\Desktop\#1002021.exe | Process information set: NOOPENFILEERRORBOX (83 times)
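The Data Obfuscation section records a .text entropy of 7.8965 together with push/ret and push/retf sequences in the mapped image, which is the usual static profile of a packed first stage. The following Python is an added triage example, not part of this report or of the Joe Sandbox tooling: it reads the PE section table with struct alone (no pefile dependency), computes per-section Shannon entropy, and flags a code section above 7.0 bits per byte as likely packed, plus any section that is both writable and executable. The 7.0 threshold is a common heuristic and an assumption here; the sample image it assesses by default is constructed in the block and is not the analysed binary.

```python
"""Per-section entropy and permission-flag triage for a PE image (added example)."""
import math
import struct
from collections import Counter

# Section characteristics bits from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_ENTROPY = 7.0  # assumed threshold; plain x86/MSIL code usually sits well below it


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, characteristics, raw_bytes) for each IMAGE_SECTION_HEADER."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    first_hdr = coff + 20 + opt_size                      # section table follows the optional header
    for i in range(n_sections):
        off = first_hdr + i * 40                          # each header is 40 bytes
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        yield name.rstrip(b"\0").decode("ascii", "replace"), chars, image[raw_ptr:raw_ptr + raw_size]


def assess(image: bytes):
    """Return one dict per section with its entropy, flags and the reasons it was flagged."""
    findings = []
    for name, chars, data in pe_sections(image):
        ent = round(shannon_entropy(data), 4)
        reasons = []
        if chars & IMAGE_SCN_CNT_CODE and ent > PACKED_ENTROPY:
            reasons.append("high-entropy code section (packed or encrypted)")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable and executable (self-modifying or unpacking stub)")
        findings.append({"name": name, "entropy": ent, "characteristics": chars, "reasons": reasons})
    return findings


def build_sample_pe(sections):
    """Construct a minimal synthetic PE32 image for offline runs (not a real binary)."""
    opt_size = 224                                        # size of a PE32 optional header, zero-filled here
    first_hdr = 64 + 4 + 20 + opt_size
    ptr = first_hdr + 40 * len(sections)                  # raw data starts right after the section table
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    headers, blobs = b"", b""
    for name, chars, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                               len(data), ptr, 0, 0, 0, 0, chars)
        blobs += data
        ptr += len(data)
    return dos + coff + b"\0" * opt_size + headers + blobs


# Constructed sections: a uniform-byte .text (as a packed stage looks), a zeroed .rsrc, and a W+X stub.
SAMPLE_SECTIONS = [
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, bytes(range(256)) * 4),
    (b".rsrc", IMAGE_SCN_MEM_READ, b"\0" * 512),
    (b".stub", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\x90" * 256),
]

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(SAMPLE_SECTIONS)
    for s in assess(image):
        print(f"{s['name']:<8} entropy={s['entropy']:.4f} chars=0x{s['characteristics']:08X} "
              f"{'; '.join(s['reasons']) or 'ok'}")
```

Run it against a real file with `python triage_pe.py sample.exe`. On this report's numbers only the entropy rule would fire: the .text section is marked EXECUTE, CODE and READ without WRITE, so the W+X rule stays quiet, which is consistent with a .NET stub that decrypts its payload into separately allocated memory rather than in place.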

                  Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: Process Memory Space: #1002021.exe PID: 4612, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\#1002021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\#1002021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\#1002021.exe | Thread delayed: delay time: 922337203685477 (2 times)
Source: C:\Users\user\Desktop\#1002021.exe | Window / User API: threadDelayed 3344
Source: C:\Users\user\Desktop\#1002021.exe | Window / User API: threadDelayed 6433
Source: C:\Users\user\Desktop\#1002021.exe TID: 4456 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\#1002021.exe TID: 2116 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\#1002021.exe TID: 5108 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\#1002021.exe TID: 5052 | Thread sleep count: 3344 > 30
Source: C:\Users\user\Desktop\#1002021.exe TID: 5052 | Thread sleep count: 6433 > 30
Source: C:\Users\user\Desktop\#1002021.exe TID: 5108 | Thread sleep count: 36 > 30
Source: C:\Users\user\Desktop\#1002021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\#1002021.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\#1002021.exe | Thread delayed: delay time: 31500
Source: C:\Users\user\Desktop\#1002021.exe | Thread delayed: delay time: 922337203685477 (2 times)
Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: #1002021.exe, 00000002.00000002.505109246.0000000000ED1000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\#1002021.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\#1002021.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\#1002021.exe | Memory allocated: page read and write | page guard
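The evasion evidence in this section (hardware-class WMI queries, Sandboxie/Wine/VMware/Hyper-V marker strings, thread delays far beyond the 30 s comparison the sandbox uses) and the injection evidence under the HIPS heading that follows (the sample spawns a copy of itself and writes a buffer starting with 4D5A, the MZ magic, at base 400000) are exactly the lines an analyst wants machine-checked across many such reports. The following Python is an added triage example, not part of this report or of Joe Sandbox. It assumes the report's two columns are joined with " | " (an assumption about the export layout), the sample lines it parses are constructed here and modelled on the ones above, and the 30000 ms stalling threshold mirrors the sandbox's own ">= -30000s" comparison.

```python
"""Triage sandbox behaviour lines for evasion and self-injection indicators (added example)."""
import re
from dataclasses import dataclass, field

# WMI classes the report shows being enumerated to fingerprint virtual hardware.
VM_FINGERPRINT_CLASSES = {"Win32_BaseBoard", "Win32_Bios", "Win32_Processor",
                          "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration"}
# Marker strings for analysis tooling and hypervisors seen in the process memory dumps.
SANDBOX_MARKERS = ("SBIEDLL.DLL", "WINE_GET_UNIX_FILE_NAME", "VMWARE", "VMware Tools",
                   "VMware SVGA II", "Hyper-V")
# Sleeps longer than this are treated as stalling (same bound the sandbox compares against).
STALL_THRESHOLD_MS = 30_000
# Note: 922337203685477 ms is (2**63 - 1) // 10_000, i.e. TimeSpan.MaxValue in milliseconds.

LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<event>[^:]+):\s*(?P<value>.*)$")
WMI_CLASS_RE = re.compile(r"Win32_\w+")
MEMWRITE_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)")


@dataclass
class Findings:
    vm_wmi_classes: set = field(default_factory=set)
    sandbox_markers: set = field(default_factory=set)
    stalling_sleeps_ms: list = field(default_factory=list)
    pe_writes: list = field(default_factory=list)      # (target image, base address)
    self_spawn: bool = False                           # process created with its own image path

    @property
    def self_injection(self) -> bool:
        """A PE header written into a freshly spawned copy of itself is the hollowing pattern."""
        return self.self_spawn and bool(self.pe_writes)


def parse_line(line: str):
    """Split 'Source: <origin> | <event>: <value>' into its three parts, or None."""
    m = LINE_RE.match(line.strip())
    return (m.group("src"), m.group("event").strip(), m.group("value").strip()) if m else None


def triage(lines) -> Findings:
    f = Findings()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, event, value = parsed
        if event == "WMI Queries":
            f.vm_wmi_classes.update(c for c in WMI_CLASS_RE.findall(value) if c in VM_FINGERPRINT_CLASSES)
        elif event == "Binary or memory string":
            f.sandbox_markers.update(m for m in SANDBOX_MARKERS if m.lower() in value.lower())
        elif event in ("Thread delayed", "Thread sleep time"):
            n = re.search(r"\d+", value)               # first integer is the delay; sign is presentational
            if n and int(n.group()) > STALL_THRESHOLD_MS:
                f.stalling_sleeps_ms.append(int(n.group()))
        elif event == "Memory written":
            w = MEMWRITE_RE.match(value)
            if w and w.group("magic").upper().startswith("4D5A"):   # 'MZ' written at the image base
                f.pe_writes.append((w.group("target"), int(w.group("base"), 16)))
        elif event == "Process created":
            if value.lower().startswith(src.lower()):  # child image equals the creating process image
                f.self_spawn = True
    return f


def summarize(f: Findings) -> list:
    verdicts = []
    if f.vm_wmi_classes:
        verdicts.append("VM fingerprinting via WMI: " + ", ".join(sorted(f.vm_wmi_classes)))
    if f.sandbox_markers:
        verdicts.append("sandbox/hypervisor marker strings: " + ", ".join(sorted(f.sandbox_markers)))
    if f.stalling_sleeps_ms:
        verdicts.append(f"stalling sleeps over {STALL_THRESHOLD_MS} ms: {len(f.stalling_sleeps_ms)}")
    if f.self_injection:
        verdicts.append("self-injection: spawned own image and wrote an MZ header into it")
    return verdicts


# Constructed sample lines in the assumed layout, modelled on this report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\#1002021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\#1002021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL",
    r"Source: #1002021.exe, 00000000.00000002.271583945.00000000081B1000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools",
    r"Source: C:\Users\user\Desktop\#1002021.exe TID: 2116 | Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\#1002021.exe | Thread delayed: delay time: 31500",
    r"Source: C:\Users\user\Desktop\#1002021.exe | Process created: C:\Users\user\Desktop\#1002021.exe {path}",
    r"Source: C:\Users\user\Desktop\#1002021.exe | Memory written: C:\Users\user\Desktop\#1002021.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\#1002021.exe | File read: C:\Windows\System32\drivers\etc\hosts",
]

if __name__ == "__main__":
    for verdict in summarize(triage(SAMPLE_LINES)):
        print(verdict)
```

The self-injection rule deliberately requires both halves of the pattern: a process spawning its own image is also what a legitimate updater or elevation helper does, and a 4D5A write alone could be a loader mapping a DLL, but the two together against the same image path is the hollowing sequence this report records.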

                  HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: #1002021.exe, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 0.0.#1002021.exe.d70000.0.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 0.2.#1002021.exe.d70000.0.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 2.0.#1002021.exe.790000.0.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 2.2.#1002021.exe.790000.1.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 2.2.#1002021.exe.400000.0.unpack, A/b2.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\#1002021.exe | Memory written: C:\Users\user\Desktop\#1002021.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\#1002021.exe | Process created: C:\Users\user\Desktop\#1002021.exe {path}
Source: #1002021.exe, 00000002.00000002.506230894.00000000015A0000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
Source: #1002021.exe, 00000002.00000002.506230894.00000000015A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: #1002021.exe, 00000002.00000002.506230894.00000000015A0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: #1002021.exe, 00000002.00000002.506230894.00000000015A0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Users\user\Desktop\#1002021.exe VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\#1002021.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation