
Analysis Report SBG-1100319PurchaseOrder.exe

Overview

General Information

Sample Name: SBG-1100319PurchaseOrder.exe
Analysis ID: 388089
MD5: 2dd62d78b9f7e9c5529502e085b55756
SHA1: 151d4cd68958df35ae706cc232627a05e923307f
SHA256: c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992
Tags: exe, RAT, RemcosRAT

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Sigma detected: Remcos
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • SBG-1100319PurchaseOrder.exe (PID: 6224 cmdline: 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe' MD5: 2DD62D78B9F7E9C5529502E085B55756)
    • SBG-1100319PurchaseOrder.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe' MD5: 2DD62D78B9F7E9C5529502E085B55756)
  • wscript.exe (PID: 7152 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • filename1.exe (PID: 5936 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe MD5: 2DD62D78B9F7E9C5529502E085B55756)
      • filename1.exe (PID: 5516 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe MD5: 2DD62D78B9F7E9C5529502E085B55756)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
Process Memory Space: filename1.exe PID: 5516 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security
Process Memory Space: filename1.exe PID: 5516 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6224 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security
(5 further entries not shown; the full list of matches is given under Data Obfuscation below)

Sigma Overview

System Summary:

Sigma detected: Remcos
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe, ProcessId: 6352, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2"}
Source: SBG-1100319PurchaseOrder.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.7:49722 -> 79.134.225.124:2048
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/b
Source: SBG-1100319PurchaseOrder.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%21505&authkey=ANKqoxx
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000003.345228305.0000000000971000.00000004.00000001.sdmp, SBG-1100319PurchaseOrder.exe, 00000002.00000002.502175655.000000000094A000.00000004.00000020.sdmp | String found in binary or memory: https://vug8la.am.files.1drv.com/
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp, SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmp | String found in binary or memory: https://vug8la.am.files.1drv.com/y4mT1QYIp_fyTE8Fy0lLLYF_0s99rPZfbzgWA1b5QlZt4eQwn4RVNktZv9qdlLB64Ai

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: SBG-1100319PurchaseOrder.exe, 00000000.00000002.254532475.000000000075A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: SBG-1100319PurchaseOrder.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code functions calling NtSetInformationThread: 2_2_0056616E, 2_2_0056645C, 2_2_00566474, 2_2_0056640C, 2_2_0056642A, 2_2_005664D8, 2_2_005664FA, 2_2_0056648A, 2_2_00566174, 2_2_005661CE, 2_2_005661FE, 2_2_005661E8, 2_2_0056618C, 2_2_005661B8, 2_2_0056624A, 2_2_00566264, 2_2_0056621C, 2_2_005662CA, 2_2_005662F0, 2_2_00566296, 2_2_00566280, 2_2_005662B4, 2_2_0056635A, 2_2_0056636E, 2_2_00566306, 2_2_0056633C, 2_2_00566324, 2_2_005663C8, 2_2_005663E0, 2_2_0056638E, 2_2_005663AE
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code functions calling NtProtectVirtualMemory: 2_2_00565D24, 2_2_00565CCB, 2_2_00565CE1
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code functions calling NtSetInformationThread: 13_2_0056616E, 13_2_00565787, 13_2_0056645C, 13_2_00566474, 13_2_0056506E, 13_2_0056640C, 13_2_0056642A, 13_2_005664D8, 13_2_005664FA, 13_2_0056648A, 13_2_00566174, 13_2_00566569, 13_2_005661CE, 13_2_005605CA, 13_2_005605F2, 13_2_005661FE, 13_2_005661E8, 13_2_00560586, 13_2_0056618C, 13_2_005661B8, 13_2_0056624A, 13_2_00560664, 13_2_00566264, 13_2_0056621C, 13_2_0056062B, 13_2_005606D4, 13_2_005662CA, 13_2_005662F0, 13_2_00566296, 13_2_00560698, 13_2_00566280, 13_2_005662B4, 13_2_0056635A, 13_2_00564F76, 13_2_0056636E, 13_2_00566306, 13_2_0056633C, 13_2_00566324, 13_2_005663C8, 13_2_005663E0, 13_2_0056638E, 13_2_005663AE
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function calling EnumWindows and NtSetInformationThread: 13_2_00560500
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code functions calling NtProtectVirtualMemory: 13_2_00565D24, 13_2_00560754, 13_2_00565CCB, 13_2_00565CE1, 13_2_00560D56, 13_2_00560D13, 13_2_00560D28, 13_2_00560DA8
Detected potential crypto function
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code functions: 0_2_0223648A, 2_2_0056648A, 2_2_00564700
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code functions: 12_2_021C648A, 13_2_0056648A, 13_2_005665DA, 13_2_005629C7, 13_2_00564366, 13_2_00565363, 13_2_00564700, 13_2_005643B0
PE file contains strange resources
Source: SBG-1100319PurchaseOrder.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SBG-1100319PurchaseOrder.exe, 00000000.00000002.254583063.0000000002200000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamehippoglossus.exe vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.507657061.000000001DEE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000000.253118213.0000000000432000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamehippoglossus.exe vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.507717247.000000001E030000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe | Binary or memory string: OriginalFilenamehippoglossus.exe vs SBG-1100319PurchaseOrder.exe
Uses 32bit PE files
Source: SBG-1100319PurchaseOrder.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@8/3@62/1
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Mutant created: \Sessions\1\BaseNamedObjects\idll-WT08JM
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | File created: C:\Users\user\AppData\Local\Temp\subfolder1
Source: SBG-1100319PurchaseOrder.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 times)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 times)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | File read: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
Source: unknown | Process created: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Process created: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: filename1.exe PID: 5516, type: MEMORY
Source: Yara match | File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6224, type: MEMORY
Source: Yara match | File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6352, type: MEMORY
Source: Yara match | File source: Process Memory Space: filename1.exe PID: 5936, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: filename1.exe PID: 5516, type: MEMORY
Source: Yara match | File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6224, type: MEMORY
Source: Yara match | File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6352, type: MEMORY
Source: Yara match | File source: Process Memory Space: filename1.exe PID: 5936, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 0_2_02235A0A push eax; ret 0_2_02235A0B
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_00563B8E pushad ; ret 2_2_00563BA2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 12_2_021C5A0A push eax; ret 12_2_021C5A0B
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005629C7 pushad ; ret 13_2_00563BA2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_00563B8E pushad ; ret 13_2_00563BA2
Drops PE files
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | File created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs (2 times)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key (4 further entries, no value data shown)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Process information set: NOOPENFILEERRORBOX (8 times)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Process information set: NOOPENFILEERRORBOX (6 times)

            Malware Analysis System Evasion:

            Contains functionality to detect hardware virtualization (CPUID execution measurement)
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 2_2_00562387
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 13_2_005623A6
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | RDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+000000A0h] 0x00000010 mov edx, AC928EF4h 0x00000015 call 00007F1880CC5769h 0x0000001a jmp 00007F1880CC4242h 0x0000001c test cl, 00000039h 0x0000001f push esi 0x00000020 jmp 00007F1880CC4242h 0x00000022 cmp dx, ax 0x00000025 push edx 0x00000026 jmp 00007F1880CC4242h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | RDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions:
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+000000A0h] 0x00000010 mov edx, AC928EF4h 0x00000015 call 00007F1880CC5769h 0x0000001a jmp 00007F1880CC4242h 0x0000001c test cl, 00000039h 0x0000001f push esi 0x00000020 jmp 00007F1880CC4242h 0x00000022 cmp dx, ax 0x00000025 push edx 0x00000026 jmp 00007F1880CC4242h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions:
            Tries to detect Any.run
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | File opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | File opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | File opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | File opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: SBG-1100319PurchaseOrder.exe, filename1.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | RDTSC instruction interceptor: First address: 000000000223033D second address: 00000000022346F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F1880CC92A9h 0x00000010 jmp 00007F1880CC4246h 0x00000012 test dh, bh 0x00000014 jmp 00007F1880CC4246h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F1880CC34DAh 0x00000032 jmp 00007F1880CC4242h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F1880CC4242h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F1880CC4242h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | RDTSC instruction interceptor: First address: 00000000022346F2 second address: 0000000002234756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CB64F2h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CB65E9h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CB64F6h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | RDTSC instruction interceptor: First address: 00000000022348F1 second address: 0000000002234988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CC4242h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CC4242h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CC4242h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CC4246h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CC4246h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | RDTSC instruction interceptor: First address: 000000000056033D second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F1880CBB559h 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test dh, bh 0x00000014 jmp 00007F1880CB64F6h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F1880CB578Ah 0x00000032 jmp 00007F1880CB64F2h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F1880CB64F2h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F1880CB64F2h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | RDTSC instruction interceptor: First address: 00000000005646F2 second address: 0000000000564756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CC4242h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CC4246h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CC4339h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CC4246h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | RDTSC instruction interceptor: First address: 00000000005648F1 second address: 0000000000564988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CB64F2h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CB64F2h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CB64F2h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CB64F6h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CB64F6h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | RDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+000000A0h] 0x00000010 mov edx, AC928EF4h 0x00000015 call 00007F1880CC5769h 0x0000001a jmp 00007F1880CC4242h 0x0000001c test cl, 00000039h 0x0000001f push esi 0x00000020 jmp 00007F1880CC4242h 0x00000022 cmp dx, ax 0x00000025 push edx 0x00000026 jmp 00007F1880CC4242h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | RDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions:
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 00000000021C033D second address: 00000000021C46F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F18804EC169h 0x00000010 jmp 00007F18804E7106h 0x00000012 test dh, bh 0x00000014 jmp 00007F18804E7106h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F18804E639Ah 0x00000032 jmp 00007F18804E7102h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F18804E7102h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F18804E7102h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 00000000021C46F2 second address: 00000000021C4756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CB64F2h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CB65E9h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CB64F6h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 00000000021C48F1 second address: 00000000021C4988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CC4242h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CC4242h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CC4242h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CC4246h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CC4246h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 000000000056033D second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F1880CBB559h 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test dh, bh 0x00000014 jmp 00007F1880CB64F6h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F1880CB578Ah 0x00000032 jmp 00007F1880CB64F2h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F1880CB64F2h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F1880CB64F2h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 00000000005646F2 second address: 0000000000564756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CC4242h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CC4246h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CC4339h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CC4246h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 00000000005648F1 second address: 0000000000564988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CB64F2h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CB64F2h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CB64F2h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CB64F6h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CB64F6h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+000000A0h] 0x00000010 mov edx, AC928EF4h 0x00000015 call 00007F1880CC5769h 0x0000001a jmp 00007F1880CC4242h 0x0000001c test cl, 00000039h 0x0000001f push esi 0x00000020 jmp 00007F1880CC4242h 0x00000022 cmp dx, ax 0x00000025 push edx 0x00000026 jmp 00007F1880CC4242h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | RDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions:
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe | Code function: 0_2_02235232 rdtsc
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe TID: 6804 | Thread sleep count: 81 > 30
            Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe TID: 6804 | Thread sleep time: -40500s >= -30000s
            Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWXV
            Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWdwebpl
            Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
            Source: SBG-1100319PurchaseOrder.exe, filename1.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

            Anti Debugging: