
Analysis Report: New Order Request_0232147.exe

Overview

General Information

Sample Name: New Order Request_0232147.exe
Analysis ID: 404158
MD5: 5133cbc9db4989d6fbb350e0829911c8
SHA1: 72052feec6f9f94fe0831a77bdf8c3493d268e37
SHA256: fbdc2f9c6e970ae88ff30847c4d63472a0f0aa9b8e008e5b5c37f62ac526a963
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "calidad1@iruberritechnologies.comVpx7s4QHfJx7mail.iruberritechnologies.comrichardjortega@yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.263302597.0000000004548000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.495432203.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: New Order Request_0232147.exe PID: 6368 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: New Order Request_0232147.exe PID: 6368 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.New Order Request_0232147.exe.45ee328.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.New Order Request_0232147.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.New Order Request_0232147.exe.45ee328.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.New Order Request_0232147.exe.45ee328.3.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "calidad1@iruberritechnologies.comVpx7s4QHfJx7mail.iruberritechnologies.comrichardjortega@yandex.com"}
Multi AV Scanner detection for submitted file
Source: New Order Request_0232147.exe | Virustotal: Detection: 14%
Source: New Order Request_0232147.exe | ReversingLabs: Detection: 17%
Source: 5.2.New Order Request_0232147.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: New Order Request_0232147.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New Order Request_0232147.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.5:49730 -> 149.202.85.210:587
Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
Source: global traffic | TCP traffic: 192.168.2.5:49730 -> 149.202.85.210:587
Source: unknown | DNS traffic detected: queries for: mail.iruberritechnologies.com
Source: New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | String found in binary or memory: http://LPzxab.com
Source: New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: New Order Request_0232147.exe, 00000005.00000002.503177096.0000000002EFA000.00000004.00000001.sdmp | String found in binary or memory: http://iruberritechnologies.com
Source: New Order Request_0232147.exe, 00000005.00000002.503177096.0000000002EFA000.00000004.00000001.sdmp | String found in binary or memory: http://mail.iruberritechnologies.com
Source: New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0?
Source: New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: New Order Request_0232147.exe, 00000000.00000003.237770203.000000000628E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: New Order Request_0232147.exe, 00000000.00000003.237770203.000000000628E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: New Order Request_0232147.exe, 00000000.00000003.237770203.000000000628E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTCZ
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: New Order Request_0232147.exe, 00000000.00000003.243298062.0000000006285000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: New Order Request_0232147.exe, 00000000.00000002.259475460.00000000019A7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comh
Source: New Order Request_0232147.exe, 00000000.00000002.259475460.00000000019A7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comion
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: New Order Request_0232147.exe, 00000000.00000003.234986480.0000000006288000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn(
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: New Order Request_0232147.exe, 00000000.00000003.234986480.0000000006288000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnFYT/
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: New Order Request_0232147.exe, 00000000.00000003.242633271.0000000006285000.00000004.00000001.sdmp, New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: New Order Request_0232147.exe, 00000000.00000003.241640533.000000000628B000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: New Order Request_0232147.exe, 00000000.00000003.233482785.000000000629B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comTF
Source: New Order Request_0232147.exe, 00000000.00000003.233482785.000000000629B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comiv
Source: New Order Request_0232147.exe, 00000000.00000003.233482785.000000000629B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comt
Source: New Order Request_0232147.exe, 00000000.00000003.237365971.0000000006286000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: New Order Request_0232147.exe, 00000000.00000003.235097752.0000000006288000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com7
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | String found in binary or memory: https://9TuO2oVE4tm8Yg0qRsK.org
Source: New Order Request_0232147.exe, 00000000.00000002.263302597.0000000004548000.00000004.00000001.sdmp, New Order Request_0232147.exe, 00000005.00000002.495432203.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

                  barindex
                  .NET source code contains very large array initializationsShow sources
                  Source: 5.2.New Order Request_0232147.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bEAE24690u002d1E26u002d4B8Cu002dAA5Bu002d108B71A5B425u007d/u00333AA9EBEu002d6032u002d421Du002dA6B8u002d318DAED5CBB5.csLarge array initialization: .cctor: array initializer size 11983
                  Initial sample is a PE file and has a suspicious nameShow sources
                  Source: initial sampleStatic PE information: Filename: New Order Request_0232147.exe
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_0578C43C0_2_0578C43C
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_0578E4D00_2_0578E4D0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_0578E4C30_2_0578E4C3
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE26E00_2_07AE26E0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEAE400_2_07AEAE40
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE5D300_2_07AE5D30
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE35400_2_07AE3540
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE1C880_2_07AE1C88
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE7CC80_2_07AE7CC8
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE81900_2_07AE8190
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE68E80_2_07AE68E8
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEB0F00_2_07AEB0F0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE10180_2_07AE1018
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE00400_2_07AE0040
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE0FB70_2_07AE0FB7
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE86A00_2_07AE86A0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE56800_2_07AE5680
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE86900_2_07AE8690
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE26D00_2_07AE26D0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEAE320_2_07AEAE32
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEC6000_2_07AEC600
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE56700_2_07AE5670
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE6D800_2_07AE6D80
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEC5F00_2_07AEC5F0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE5D210_2_07AE5D21
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE25000_2_07AE2500
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE6D700_2_07AE6D70
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE04AA0_2_07AE04AA
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE04B80_2_07AE04B8
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE7CB80_2_07AE7CB8
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE34D60_2_07AE34D6
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE74100_2_07AE7410
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE1C780_2_07AE1C78
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE44490_2_07AE4449
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE44580_2_07AE4458
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE73F60_2_07AE73F6
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEAB680_2_07AEAB68
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEAB780_2_07AEAB78
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE5B400_2_07AE5B40
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE52E80_2_07AE52E8
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE52F80_2_07AE52F8
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE58A00_2_07AE58A0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE68BD0_2_07AE68BD
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE58900_2_07AE5890
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEB0E00_2_07AEB0E0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE00060_2_07AE0006
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE68790_2_07AE6879
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00F92D505_2_00F92D50
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00F9F2105_2_00F9F210
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00F91FEF5_2_00F91FEF
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00F927685_2_00F92768
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FF0AC45_2_00FF0AC4
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FF32855_2_00FF3285
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FF5B605_2_00FF5B60
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FFC5D05_2_00FFC5D0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FF91985_2_00FF9198
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FFBEE05_2_00FFBEE0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FF5EA85_2_00FF5EA8
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FFC6705_2_00FFC670
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_010500405_2_01050040
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_010543F05_2_010543F0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_010532485_2_01053248
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_01054A755_2_01054A75
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_01058F405_2_01058F40
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_0105B7905_2_0105B790
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_0105E5675_2_0105E567
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_010597885_2_01059788
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_010596885_2_01059688
                  Source: New Order Request_0232147.exe, 00000000.00000002.262301254.00000000042A9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000000.00000002.258139630.0000000001002000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameqGOldQU8bPo4VOD.exeR vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000000.00000002.263302597.0000000004548000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamempUIbZUCJJtYBvJwTrRUyqOpjFnkxPklNCt.exe4 vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000000.00000002.259621608.00000000032A1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSmartFormat.dll8 vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000004.00000000.254603815.00000000002E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameqGOldQU8bPo4VOD.exeR vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000005.00000000.256547687.0000000000962000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameqGOldQU8bPo4VOD.exeR vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000005.00000002.497098410.0000000000CF8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000005.00000002.505433369.0000000006030000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000005.00000002.495432203.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamempUIbZUCJJtYBvJwTrRUyqOpjFnkxPklNCt.exe4 vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exeBinary or memory string: OriginalFilenameqGOldQU8bPo4VOD.exeR vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: 5.2.New Order Request_0232147.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 5.2.New Order Request_0232147.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/1@6/1
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order Request_0232147.exe.logJump to behavior
                  Source: New Order Request_0232147.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: New Order Request_0232147.exeBinary or memory string: SELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
                  Source: New Order Request_0232147.exeBinary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;
                  Source: New Order Request_0232147.exe, 00000000.00000000.230290906.0000000000F02000.00000002.00020000.sdmp, New Order Request_0232147.exe, 00000004.00000002.256253349.00000000001E2000.00000002.00020000.sdmp, New Order Request_0232147.exe, 00000005.00000002.495906591.0000000000862000.00000002.00020000.sdmpBinary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;oSELECT COUNT(*) FROM PatientDoctor WHERE DoctorId = {0}sSELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
                  Source: New Order Request_0232147.exeVirustotal: Detection: 14%
                  Source: New Order Request_0232147.exeReversingLabs: Detection: 17%
                  Source: New Order Request_0232147.exeString found in binary or memory: Administrators/addNewToolStripMenuItem
                  Source: unknownProcess created: C:\Users\user\Desktop\New Order Request_0232147.exe 'C:\Users\user\Desktop\New Order Request_0232147.exe'
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeProcess created: C:\Users\user\Desktop\New Order Request_0232147.exe {path}
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeProcess created: C:\Users\user\Desktop\New Order Request_0232147.exe {path}
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeProcess created: C:\Users\user\Desktop\New Order Request_0232147.exe {path}Jump to behavior
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeProcess created: C:\Users\user\Desktop\New Order Request_0232147.exe {path}Jump to behavior
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: New Order Request_0232147.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: New Order Request_0232147.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: New Order Request_0232147.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: New Order Request_0232147.exeStatic PE information: 0xF0C0A264 [Sun Dec 29 11:52:04 2097 UTC]
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE2F05 push ds; ret 0_2_07AE2F08
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE65EB push ecx; retf 0_2_07AE65EC
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEC4CA push ebp; ret 0_2_07AEC4CD
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE8182 push esp; retf 0_2_07AE8189
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00F954F0 pushfd ; ret 5_2_00F9561E
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00F9E6B0 pushfd ; ret 5_2_00F9E6D1
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00F97A37 push edi; retn 0000h5_2_00F97A39
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00F9FB98 pushfd ; ret 5_2_00F9FDE6
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FF912D push fs; iretd 5_2_00FF912F
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FF0650 push 99BC00D7h; ret 5_2_00FF06E6
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_013CDEEF push C802C3C1h; ret 5_2_013CDF6A
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.17013687848
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Yara detected AntiVM3
                  Source: Yara matchFile source: Process Memory Space: New Order Request_0232147.exe PID: 6368, type: MEMORY
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeWindow / User API: threadDelayed 3749
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeWindow / User API: threadDelayed 6072
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exe TID: 6372Thread sleep time: -31500s >= -30000s
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exe TID: 6392Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exe TID: 5480Thread sleep time: -19369081277395017s >= -30000s
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exe TID: 5476Thread sleep count: 3749 > 30
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exe TID: 5476Thread sleep count: 6072 > 30
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeThread delayed: delay time: 31500
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeThread delayed: delay time: 922337203685477
                  Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                  Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmpBinary or memory string: vmware
                  Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmpBinary or memory string: VMWARE
                  Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                  Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_01050040 LdrInitializeThunk,5_2_01050040
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  Injects a PE file into a foreign process
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeMemory written: C:\Users\user\Desktop\New Order Request_0232147.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeProcess created: C:\Users\user\Desktop\New Order Request_0232147.exe {path}
                  Source: New Order Request_0232147.exe, 00000005.00000002.500108767.0000000001630000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                  Source: New Order Request_0232147.exe, 00000005.00000002.500108767.0000000001630000.00000002.00000001.sdmpBinary or memory string: Progman
                  Source: New Order Request_0232147.exe, 00000005.00000002.500108767.0000000001630000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
                  Source: New Order Request_0232147.exe, 00000005.00000002.500108767.0000000001630000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
                  Source: New Order Request_0232147.exe, 00000005.00000002.500108767.0000000001630000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Users\user\Desktop\New Order Request_0232147.exe VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation