Analysis Report Sample Order.exe

Overview

General Information

Sample Name: Sample Order.exe
Analysis ID: 404235
MD5: 72d643819882baf6c48246024d4755d1
SHA1: edc461e732f56caa64c1ce4b02094fdd3d9af99f
SHA256: c590c197137574e792a991b5c56791b8f7cccd4985d46b9f459fc6c39fdeb4ab
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM3
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 20.2.wAyLNJ.exe.3d01858.3.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "alvank6@earthlink.netsoLution16@smtpauth.earthlink.netspe1759@gmail.com"}
Antivirus or Machine Learning detection for unpacked file
Source: 24.2.wAyLNJ.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 8.2.Sample Order.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Sample Order.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 54.225.165.85:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: Sample Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\Sample Order.exe DNS query: name: api.ipify.org
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 54.225.165.85 54.225.165.85
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp String found in binary or memory: http://DVEXLL.com
Source: wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Sample Order.exe, 00000008.00000002.517017821.0000000006A01000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: Sample Order.exe, 00000000.00000002.274728200.0000000002961000.00000004.00000001.sdmp, Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Sample Order.exe, 00000000.00000002.274019648.0000000000ED7000.00000004.00000040.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Sample Order.exe, 00000000.00000002.274019648.0000000000ED7000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comf37x
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org/
Source: wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Sample Order.exe, 00000000.00000002.277083861.0000000003BFF000.00000004.00000001.sdmp, Sample Order.exe, 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: Sample Order.exe, 00000000.00000002.277083861.0000000003BFF000.00000004.00000001.sdmp, Sample Order.exe, 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 54.225.165.85:443 -> 192.168.2.7:49745 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Sample Order.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Sample Order.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_00E4E4C3 0_2_00E4E4C3
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_00E4E4D0 0_2_00E4E4D0
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_00E4C43C 0_2_00E4C43C
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_0709C37F 0_2_0709C37F
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07098390 0_2_07098390
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_070927B1 0_2_070927B1
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_0709C600 0_2_0709C600
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095E99 0_2_07095E99
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_070936C8 0_2_070936C8
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07097EC8 0_2_07097EC8
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07090508 0_2_07090508
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07091D50 0_2_07091D50
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07090040 0_2_07090040
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_0709AC78 0_2_0709AC78
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_0709B070 0_2_0709B070
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_070910E8 0_2_070910E8
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07091773 0_2_07091773
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07096F90 0_2_07096F90
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095F94 0_2_07095F94
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095FE8 0_2_07095FE8
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095A28 0_2_07095A28
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095A38 0_2_07095A38
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07097662 0_2_07097662
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07093695 0_2_07093695
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095EA9 0_2_07095EA9
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07097EC7 0_2_07097EC7
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07099AE8 0_2_07099AE8
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07099AE0 0_2_07099AE0
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07099AF0 0_2_07099AF0
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07090511 0_2_07090511
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095180 0_2_07095180
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095187 0_2_07095187
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_0709759F 0_2_0709759F
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095190 0_2_07095190
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_0709B5B8 0_2_0709B5B8
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_0709B5B0 0_2_0709B5B0
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_0709B5C1 0_2_0709B5C1
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_070975C0 0_2_070975C0
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_070945D0 0_2_070945D0
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_070935D5 0_2_070935D5
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_0709C5FF 0_2_0709C5FF
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_0709580A 0_2_0709580A
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095818 0_2_07095818
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095810 0_2_07095810
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_0709B834 0_2_0709B834
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07096068 0_2_07096068
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_0709AC6F 0_2_0709AC6F
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_0709B060 0_2_0709B060
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095482 0_2_07095482
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07091093 0_2_07091093
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_070988AA 0_2_070988AA
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095CAF 0_2_07095CAF
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095CA2 0_2_07095CA2
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_070988B8 0_2_070988B8
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_07095CB0 0_2_07095CB0
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_070988B7 0_2_070988B7
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_0709C0B7 0_2_0709C0B7
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_014E47A0 8_2_014E47A0
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_014E8158 8_2_014E8158
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_014E46B0 8_2_014E46B0
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_062F8AD0 8_2_062F8AD0
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_062F9830 8_2_062F9830
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_062F7A7A 8_2_062F7A7A
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_064706B0 8_2_064706B0
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_06471B28 8_2_06471B28
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_06471B88 8_2_06471B88
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_064AB22E 8_2_064AB22E
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_064A8080 8_2_064A8080
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_064A55F4 8_2_064A55F4
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_064AF190 8_2_064AF190
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_064AD350 8_2_064AD350
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_064AE450 8_2_064AE450
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_0298E4D0 20_2_0298E4D0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_0298E4CC 20_2_0298E4CC
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_0298C43C 20_2_0298C43C
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05036048 20_2_05036048
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05036038 20_2_05036038
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_0558E8E8 20_2_0558E8E8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05581D50 20_2_05581D50
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05581D60 20_2_05581D60
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05580518 20_2_05580518
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05580508 20_2_05580508
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_0558B538 20_2_0558B538
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_0558B528 20_2_0558B528
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_055835D2 20_2_055835D2
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_055875C0 20_2_055875C0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05587582 20_2_05587582
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_0558AC78 20_2_0558AC78
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_0558AC6A 20_2_0558AC6A
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_0558AC20 20_2_0558AC20
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05585490 20_2_05585490
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05585480 20_2_05585480
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05585CB0 20_2_05585CB0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05585CA2 20_2_05585CA2
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05581771 20_2_05581771
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_0558AFD8 20_2_0558AFD8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_055827C0 20_2_055827C0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_0558AFE8 20_2_0558AFE8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05585FE8 20_2_05585FE8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05586F90 20_2_05586F90
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05585F94 20_2_05585F94
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05586F82 20_2_05586F82
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_055827B1 20_2_055827B1
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_0558B7AC 20_2_0558B7AC
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_05587662 20_2_05587662
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 20_2_055836C8 20_2_055836C8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 24_2_02FB47A0 24_2_02FB47A0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 24_2_02FB46B0 24_2_02FB46B0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 24_2_02FB4790 24_2_02FB4790
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 24_2_02FB4772 24_2_02FB4772
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 24_2_065494F0 24_2_065494F0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 24_2_06547530 24_2_06547530
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 24_2_06546918 24_2_06546918
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 24_2_06546C60 24_2_06546C60
Sample file name is different from the original file name gathered from version info
Source: Sample Order.exe, 00000000.00000000.231277776.000000000061E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameR0QTaaU57lgwlvp.exeR vs Sample Order.exe
Source: Sample Order.exe, 00000000.00000002.284865813.0000000008ED0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Sample Order.exe
Source: Sample Order.exe, 00000000.00000002.283205404.00000000070A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Sample Order.exe
Source: Sample Order.exe, 00000000.00000002.274728200.0000000002961000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSmartFormat.dll8 vs Sample Order.exe
Source: Sample Order.exe, 00000000.00000002.274728200.0000000002961000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameGDFAFYjkLqUAsXwTgDhjpkvsbHh.exe4 vs Sample Order.exe
Source: Sample Order.exe, 00000008.00000002.502600664.0000000000D5E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameR0QTaaU57lgwlvp.exeR vs Sample Order.exe
Source: Sample Order.exe, 00000008.00000002.505739174.000000000150A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Sample Order.exe
Source: Sample Order.exe, 00000008.00000002.516337341.00000000064B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Sample Order.exe
Source: Sample Order.exe, 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameGDFAFYjkLqUAsXwTgDhjpkvsbHh.exe4 vs Sample Order.exe
Source: Sample Order.exe Binary or memory string: OriginalFilenameR0QTaaU57lgwlvp.exeR vs Sample Order.exe
Uses 32bit PE files
Source: Sample Order.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@12/7@3/2
Source: C:\Users\user\Desktop\Sample Order.exe File created: C:\Users\user\AppData\Roaming\OnUeAYnP.exe
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Mutant created: \Sessions\1\BaseNamedObjects\BWrxfmLqeFeFHYIvUoRBklGn
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_01
Source: C:\Users\user\Desktop\Sample Order.exe File created: C:\Users\user\AppData\Local\Temp\tmp8100.tmp
Source: Sample Order.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sample Order.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Sample Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Sample Order.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Sample Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Sample Order.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: wAyLNJ.exe Binary or memory string: SELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
Source: wAyLNJ.exe Binary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;
Source: Sample Order.exe, 00000000.00000000.231156330.0000000000522000.00000002.00020000.sdmp, Sample Order.exe, 00000008.00000000.271907202.0000000000C62000.00000002.00020000.sdmp, wAyLNJ.exe, 00000014.00000000.349686963.00000000005F2000.00000002.00020000.sdmp, wAyLNJ.exe, 00000018.00000000.373430772.0000000000C92000.00000002.00020000.sdmp Binary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;oSELECT COUNT(*) FROM PatientDoctor WHERE DoctorId = {0}sSELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
Source: Sample Order.exe String found in binary or memory: Administrators/addNewToolStripMenuItem
Source: C:\Users\user\Desktop\Sample Order.exe File read: C:\Users\user\Desktop\Sample Order.exe
Source: unknown Process created: C:\Users\user\Desktop\Sample Order.exe 'C:\Users\user\Desktop\Sample Order.exe'
Source: C:\Users\user\Desktop\Sample Order.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp8100.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Sample Order.exe Process created: C:\Users\user\Desktop\Sample Order.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe 'C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe'
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F4E.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Process created: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe {path}
Source: C:\Users\user\Desktop\Sample Order.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp8100.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Process created: C:\Users\user\Desktop\Sample Order.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F4E.tmp' Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Process created: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Sample Order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Sample Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Sample Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Sample Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Binary contains a suspicious time stamp
Source: Sample Order.exe Static PE information: 0xDA92057D [Fri Mar 15 03:52:29 2086 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_06ED170D push FFFFFF8Bh; iretd 0_2_06ED170F
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 0_2_070988A8 pushfd ; iretd 0_2_070988A9
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_062F7A7A push es; retf 8_2_062F7E98
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_062FD0A1 push es; retf 8_2_062FD0A4
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_064ACA46 push es; ret 8_2_064ACA68
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_064A6E80 pushfd ; retf 8_2_064A6E81
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_064A93C6 push es; ret 8_2_064A93C8
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_064AC9BE push es; ret 8_2_064AC9D8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 24_2_02FBDB6D push 8BD08B05h; iretd 24_2_02FBDB74
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 24_2_06548530 push es; ret 24_2_06548540
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 24_2_0654CA61 push es; ret 24_2_0654CA70
Source: initial sample Static PE information: section name: .text entropy: 7.14748707063

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Sample Order.exe File created: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe
Source: C:\Users\user\Desktop\Sample Order.exe File created: C:\Users\user\AppData\Roaming\OnUeAYnP.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Sample Order.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp8100.tmp'
Source: C:\Users\user\Desktop\Sample Order.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run wAyLNJ

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Sample Order.exe File opened: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Sample Order.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Sample Order.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Sample Order.exe PID: 5488, type: MEMORY
Source: Yara match File source: Process Memory Space: wAyLNJ.exe PID: 6420, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Sample Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Sample Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Sample Order.exe, 00000000.00000002.274728200.0000000002961000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Sample Order.exe, 00000000.00000002.274728200.0000000002961000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Sample Order.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Sample Order.exe Window / User API: threadDelayed 5626
Source: C:\Users\user\Desktop\Sample Order.exe Window / User API: threadDelayed 4124
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Window / User API: threadDelayed 3032
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Window / User API: threadDelayed 6789
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Sample Order.exe TID: 5484 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\Sample Order.exe TID: 5484 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Sample Order.exe TID: 5468 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Sample Order.exe TID: 4616 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe TID: 6424 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe TID: 6424 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe TID: 6492 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe TID: 4852 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe TID: 768 Thread sleep count: 3032 > 30
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe TID: 768 Thread sleep count: 6789 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Sample Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Sample Order.exe Thread delayed: delay time: 31500
Source: C:\Users\user\Desktop\Sample Order.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\Sample Order.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Thread delayed: delay time: 31500
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Thread delayed: delay time: 922337203685477
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Sample Order.exe, 00000008.00000002.516890640.00000000069B0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Sample Order.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Sample Order.exe Code function: 8_2_06470F08 LdrInitializeThunk, 8_2_06470F08
Enables debug privileges
Source: C:\Users\user\Desktop\Sample Order.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Sample Order.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Sample Order.exe Memory written: C:\Users\user\Desktop\Sample Order.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Memory written: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Sample Order.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp8100.tmp'
Source: C:\Users\user\Desktop\Sample Order.exe Process created: C:\Users\user\Desktop\Sample Order.exe {path}
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F4E.tmp'
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Process created: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe {path}
Source: Sample Order.exe, 00000008.00000002.506796854.0000000001BE0000.00000002.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.506815579.0000000001B20000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: Sample Order.exe, 00000008.00000002.506796854.0000000001BE0000.00000002.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.506815579.0000000001B20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Sample Order.exe, 00000008.00000002.506796854.0000000001BE0000.00000002.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.506815579.0000000001B20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Sample Order.exe, 00000008.00000002.506796854.0000000001BE0000.00000002.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.506815579.0000000001B20000.00000002.00000001.sdmp Binary or memory string: Progmanlock
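Two of the records above carry the behaviour a detection engineer would want to alert on: the persistence step (schtasks.exe /Create with the task definition imported from a .tmp file in the user's Temp folder, under an "Updates\" task folder) and the hollowing step (the sample starts a second copy of its own image, then writes a buffer beginning with 4D5A, the "MZ" PE signature, at that child's image base 0x400000). The script below is an added example (not part of the report or of the sample) that runs both checks over constructed process-creation and memory-write records; the event schema, the process IDs and the "Updates\" folder heuristic are this example's own assumptions, and the schtasks command line is copied from the record above.

```python
import re
from typing import Optional

# Tokenizer that accepts both the single-quoted rendering used in the report
# above and ordinary double-quoted Windows command lines.
_TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
_TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def tokenize(cmdline: str) -> list[str]:
    return [t.strip("'\"") for t in _TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return schtasks.exe switches as a dict ({'create': True, 'tn': ..., 'xml': ...}),
    or None if the command line does not invoke schtasks.exe."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    args: dict = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1]  # switch with a value
                i += 2
                continue
            args[key] = True  # bare switch such as /Create
        i += 1
    return args


def suspicious_task_creation(cmdline: str) -> Optional[dict]:
    """Flag the persistence pattern seen above: /Create with the task definition
    imported from a .tmp file under the user's Temp folder, registered under an
    'Updates\\' task folder. The folder-name heuristic is this example's assumption."""
    args = parse_schtasks(cmdline)
    if not args or "create" not in args:
        return None
    reasons = []
    xml, tn = args.get("xml"), args.get("tn")
    if isinstance(xml, str) and _TEMP_DIR_RE.search(xml) and xml.lower().endswith(".tmp"):
        reasons.append("task XML imported from a .tmp file in %LOCALAPPDATA%\\Temp")
    if isinstance(tn, str) and tn.lower().startswith("updates\\"):
        reasons.append("task registered under the 'Updates\\' task folder")
    return {"task_name": tn, "xml": xml, "reasons": reasons} if reasons else None


def find_self_hollowing(events: list[dict]) -> list[dict]:
    """Correlate 'process_create' and 'memory_write' records (a constructed event
    schema assumed by this example) to find the hollowing pattern above: a process
    starts a suspended copy of its own image, then writes a PE header ('MZ') at
    that child's image base."""
    suspended: dict[int, dict] = {}
    findings = []
    for ev in events:
        if (ev["type"] == "process_create" and ev.get("suspended")
                and ev["image"].lower() == ev["parent_image"].lower()):
            suspended[ev["pid"]] = ev
        elif ev["type"] == "memory_write" and ev["target_pid"] in suspended:
            child = suspended[ev["target_pid"]]
            if ev["data"][:2] == b"MZ" and ev["base"] == child["image_base"]:
                findings.append({"source_pid": ev["source_pid"], "target_pid": ev["target_pid"],
                                 "image": child["image"], "write_base": ev["base"]})
    return findings


# Constructed records modelled on the report above (PIDs and schema are invented).
SAMPLE_IMAGE = r"C:\Users\user\Desktop\Sample Order.exe"
SCHTASKS_CMDLINE = (r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' "
                    r"/XML 'C:\Users\user\AppData\Local\Temp\tmp8100.tmp'")
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4012, "parent_pid": 3320, "parent_image": SAMPLE_IMAGE,
     "image": r"C:\Windows\SysWOW64\schtasks.exe", "cmdline": SCHTASKS_CMDLINE, "suspended": False},
    {"type": "process_create", "pid": 4100, "parent_pid": 3320, "parent_image": SAMPLE_IMAGE,
     "image": SAMPLE_IMAGE, "cmdline": f'"{SAMPLE_IMAGE}"', "suspended": True, "image_base": 0x400000},
    {"type": "memory_write", "source_pid": 3320, "target_pid": 4100, "base": 0x400000,
     "data": b"MZ\x90\x00\x03\x00"},
    {"type": "memory_write", "source_pid": 3320, "target_pid": 4100, "base": 0x401000,
     "data": b"\x55\x8b\xec"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if ev["type"] == "process_create":
            hit = suspicious_task_creation(ev["cmdline"])
            if hit:
                print("persistence:", hit)
    for f in find_self_hollowing(SAMPLE_EVENTS):
        print("hollowing:", f)
```

The hollowing check deliberately keys on the child's own image base rather than a hard-coded 0x400000, so it still fires for a 64-bit or relocated image, and ignores later writes that do not start with the PE signature (the section writes that follow the header). A schtasks /Create that points at a non-Temp XML or uses a different task folder is not flagged, which keeps ordinary software installers out of the alert.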

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Note: apart from the sample's own image, the files queried below are the .NET UI assemblies and the installed font files. Font-file queries of this kind are consistent with GDI+ (System.Drawing) enumerating the font directory during WinForms initialisation and are a side effect of the .NET UI stack rather than a reconnaissance routine; treat them as low-signal.
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Users\user\Desktop\Sample Order.exe VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: VolumeInformation on the following 222 font files under C:\Windows\Fonts\, in the order queried:
  arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf,
  calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf,
  Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf,
  consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf,
  cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF,
  FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF, Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf,
  georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf, LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf,
  malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf,
  micross.ttf, taile.ttf, taileb.ttf, msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc,
  mvboli.ttf, mmrtext.ttf, mmrtextb.ttf, Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf,
  segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, seguiemj.ttf, seguihis.ttf, seguisym.ttf, simsun.ttc, simsunb.ttf, Sitka.ttc,
  SitkaI.ttc, SitkaB.ttc, SitkaZ.ttc, sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf, trebuc.ttf, trebucit.ttf, trebucbd.ttf,
  trebucbi.ttf, verdana.ttf, verdanai.ttf, verdanab.ttf, verdanaz.ttf, webdings.ttf, wingding.ttf, YuGothR.ttc, YuGothM.ttc, YuGothL.ttc,
  YuGothB.ttc, holomdl2.ttf, CENTURY.TTF, LEELAWAD.TTF, LEELAWDB.TTF, MSUIGHUR.TTF, MSUIGHUB.TTF, WINGDNG2.TTF, WINGDNG3.TTF, TEMPSITC.TTF,
  PRISTINA.TTF, PAPYRUS.TTF, MISTRAL.TTF, LHANDW.TTF, ITCKRIST.TTF, JUICE___.TTF, FRSCRIPT.TTF, FREESCPT.TTF, BRADHITC.TTF, OUTLOOK.TTF,
  BKANT.TTF, ANTQUAI.TTF, ANTQUAB.TTF, ANTQUABI.TTF, GARA.TTF, GARAIT.TTF, GARABD.TTF, MTCORSVA.TTF, GOTHIC.TTF, GOTHICI.TTF,
  GOTHICB.TTF, GOTHICBI.TTF, ALGER.TTF, BASKVILL.TTF, BAUHS93.TTF, BELL.TTF, BELLI.TTF, BELLB.TTF, BRLNSR.TTF, BRLNSDB.TTF,
  BRLNSB.TTF, BERNHC.TTF, BOD_PSTC.TTF, BRITANIC.TTF, BROADW.TTF, BRUSHSCI.TTF, CALIFR.TTF, CALIFI.TTF, CALIFB.TTF, CENTAUR.TTF,
  CHILLER.TTF, COLONNA.TTF, COOPBL.TTF, FTLTLT.TTF, HARLOWSI.TTF, HARNGTON.TTF, HTOWERT.TTF, HTOWERTI.TTF, JOKERMAN.TTF, KUNSTLER.TTF,
  LBRITE.TTF, LBRITED.TTF, LBRITEI.TTF, LBRITEDI.TTF, LCALLIG.TTF, LFAX.TTF, LFAXD.TTF, LFAXI.TTF, LFAXDI.TTF, MAGNETOB.TTF,
  MATURASC.TTF, MOD20.TTF, NIAGENG.TTF, NIAGSOL.TTF, OLDENGL.TTF, ONYX.TTF, PARCHM.TTF, PLAYBILL.TTF, POORICH.TTF, RAVIE.TTF,
  INFROMAN.TTF, SHOWG.TTF, SNAP____.TTF, STENCIL.TTF, VINERITC.TTF, VIVALDII.TTF, VLADIMIR.TTF, LATINWD.TTF, TCM_____.TTF, TCMI____.TTF,
  TCB_____.TTF, TCBI____.TTF
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Users\user\Desktop\Sample Order.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Sample Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Queries volume information: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Queries volume information: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe Code function: 24_2_06544FFC GetUserNameW, 24_2_06544FFC
Source: C:\Users\user\Desktop\Sample Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.277083861.0000000003BFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Sample Order.exe PID: 5488, type: MEMORY
Source: Yara match File source: Process Memory Space: wAyLNJ.exe PID: 6668, type: MEMORY
Source: Yara match File source: Process Memory Space: wAyLNJ.exe PID: 6420, type: MEMORY
Source: Yara match File source: Process Memory Space: Sample Order.exe PID: 4452, type: MEMORY
Source: Yara match File source: 20.2.wAyLNJ.exe.3d01858.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.wAyLNJ.exe.3d01858.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample Order.exe.3ca1858.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wAyLNJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample Order.exe.3ca1858.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Sample Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample Order.exe.3cd7a78.3.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Sample Order.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Sample Order.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Sample Order.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Sample Order.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Sample Order.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wAyLNJ.exe PID: 6668, type: MEMORY
Source: Yara match File source: Process Memory Space: Sample Order.exe PID: 4452, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.277083861.0000000003BFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Sample Order.exe PID: 5488, type: MEMORY
Source: Yara match File source: Process Memory Space: wAyLNJ.exe PID: 6668, type: MEMORY
Source: Yara match File source: Process Memory Space: wAyLNJ.exe PID: 6420, type: MEMORY
Source: Yara match File source: Process Memory Space: Sample Order.exe PID: 4452, type: MEMORY
Source: Yara match File source: 20.2.wAyLNJ.exe.3d01858.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.wAyLNJ.exe.3d01858.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample Order.exe.3ca1858.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.wAyLNJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample Order.exe.3ca1858.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Sample Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample Order.exe.3cd7a78.3.raw.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 404235
Sample: Sample Order.exe
Startdate: 04/05/2021
Architecture: WINDOWS
Score: 100

Node 2 (start):
  • DNS/IP: smtpauth.earthlink.net
  • Signatures: Found malware configuration; Yara detected AgentTesla; Yara detected AntiVM3; 6 other signatures
  • Started: Sample Order.exe (6) [node 8]; wAyLNJ.exe (5) [node 12]

Node 8: Sample Order.exe (6)
  • Dropped: C:\Users\user\AppData\Local\...\tmp8100.tmp, XML; C:\Users\user\AppData\Roaming\OnUeAYnP.exe, PE32
  • Signatures: Injects a PE file into a foreign processes
  • Started: Sample Order.exe (17 5) [node 14]; schtasks.exe (1) [node 19]

Node 12: wAyLNJ.exe (5)
  • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  • Started: schtasks.exe (1) [node 21]; wAyLNJ.exe (2) [node 23]

Node 14: Sample Order.exe (17 5)
  • DNS/IP: elb097307-934924932.us-east-1.elb.amazonaws.com 54.225.165.85, 443, 49745 AMAZON-AESUS United States; 192.168.2.1 unknown unknown; 2 other IPs or domains
  • Dropped: C:\Users\user\AppData\Roaming\...\wAyLNJ.exe, PE32; C:\Users\user\...\wAyLNJ.exe:Zone.Identifier, ASCII
  • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Hides that the sample has been downloaded from the Internet (zone.identifier)

Node 19: schtasks.exe (1)
  • Started: conhost.exe [node 25]

Node 21: schtasks.exe (1)
  • Started: conhost.exe [node 27]

Contacted Public IPs

IP             Domain                                           Country        ASN    ASN Name      Malicious
54.225.165.85  elb097307-934924932.us-east-1.elb.amazonaws.com  United States  14618  AMAZON-AESUS  false

Private

IP
192.168.2.1

Contacted Domains

Name                                             IP              Active
elb097307-934924932.us-east-1.elb.amazonaws.com  54.225.165.85   true
smtpauth.earthlink.net                           207.69.189.209  true
api.ipify.org                                    unknown         unknown