
Analysis Report Sample Order.exe

Overview

General Information

Sample Name: Sample Order.exe
Analysis ID: 404235
MD5: 72d643819882baf6c48246024d4755d1
SHA1: edc461e732f56caa64c1ce4b02094fdd3d9af99f
SHA256: c590c197137574e792a991b5c56791b8f7cccd4985d46b9f459fc6c39fdeb4ab
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM3
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Sample Order.exe (PID: 5488 cmdline: 'C:\Users\user\Desktop\Sample Order.exe' MD5: 72D643819882BAF6C48246024D4755D1)
    • schtasks.exe (PID: 5828 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp8100.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Sample Order.exe (PID: 4452 cmdline: {path} MD5: 72D643819882BAF6C48246024D4755D1)
  • wAyLNJ.exe (PID: 6420 cmdline: 'C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe' MD5: 72D643819882BAF6C48246024D4755D1)
    • schtasks.exe (PID: 6616 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F4E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wAyLNJ.exe (PID: 6668 cmdline: {path} MD5: 72D643819882BAF6C48246024D4755D1)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "alvank6@earthlink.netsoLution16@smtpauth.earthlink.netspe1759@gmail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(11 further entries not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author
20.2.wAyLNJ.exe.3d01858.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
20.2.wAyLNJ.exe.3d01858.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Sample Order.exe.3ca1858.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
24.2.wAyLNJ.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Sample Order.exe.3ca1858.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(2 further entries not shown in this extract)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 20.2.wAyLNJ.exe.3d01858.3.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "alvank6@earthlink.netsoLution16@smtpauth.earthlink.netspe1759@gmail.com"}
Source: 24.2.wAyLNJ.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.2.Sample Order.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Sample Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 54.225.165.85:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: Sample Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\Sample Order.exe | DNS query: name: api.ipify.org (6 identical entries)
Source: Joe Sandbox View | IP Address: 54.225.165.85 54.225.165.85 (2 identical entries)
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: http://DVEXLL.com
Source: wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Sample Order.exe, 00000008.00000002.517017821.0000000006A01000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: Sample Order.exe, 00000000.00000002.274728200.0000000002961000.00000004.00000001.sdmp, Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Sample Order.exe, 00000000.00000002.274019648.0000000000ED7000.00000004.00000040.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Sample Order.exe, 00000000.00000002.274019648.0000000000ED7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comf37x
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/
Source: wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Sample Order.exe, 00000000.00000002.277083861.0000000003BFF000.00000004.00000001.sdmp, Sample Order.exe, 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Sample Order.exe, 00000000.00000002.277083861.0000000003BFF000.00000004.00000001.sdmp, Sample Order.exe, 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | HTTPS traffic detected: 54.225.165.85:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: C:\Users\user\Desktop\Sample Order.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Window created: window name: CLIPBRDWNDCLASS

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: Sample Order.exe
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_00E4E4C30_2_00E4E4C3
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_00E4E4D00_2_00E4E4D0
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_00E4C43C0_2_00E4C43C
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_0709C37F0_2_0709C37F
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070983900_2_07098390
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070927B10_2_070927B1
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_0709C6000_2_0709C600
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07095E990_2_07095E99
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070936C80_2_070936C8
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07097EC80_2_07097EC8
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070905080_2_07090508
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07091D500_2_07091D50
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070900400_2_07090040
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_0709AC780_2_0709AC78
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_0709B0700_2_0709B070
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070910E80_2_070910E8
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070917730_2_07091773
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07096F900_2_07096F90
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07095F940_2_07095F94
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07095FE80_2_07095FE8
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07095A280_2_07095A28
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07095A380_2_07095A38
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070976620_2_07097662
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070936950_2_07093695
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07095EA90_2_07095EA9
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07097EC70_2_07097EC7
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07099AE80_2_07099AE8
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07099AE00_2_07099AE0
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07099AF00_2_07099AF0
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070905110_2_07090511
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070951800_2_07095180
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070951870_2_07095187
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_0709759F0_2_0709759F
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070951900_2_07095190
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_0709B5B80_2_0709B5B8
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_0709B5B00_2_0709B5B0
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_0709B5C10_2_0709B5C1
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070975C00_2_070975C0
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070945D00_2_070945D0
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070935D50_2_070935D5
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_0709C5FF0_2_0709C5FF
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_0709580A0_2_0709580A
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070958180_2_07095818
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070958100_2_07095810
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_0709B8340_2_0709B834
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070960680_2_07096068
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_0709AC6F0_2_0709AC6F
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_0709B0600_2_0709B060
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070954820_2_07095482
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070910930_2_07091093
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070988AA0_2_070988AA
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07095CAF0_2_07095CAF
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07095CA20_2_07095CA2
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070988B80_2_070988B8
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_07095CB00_2_07095CB0
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070988B70_2_070988B7
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_0709C0B70_2_0709C0B7
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_014E47A08_2_014E47A0
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_014E81588_2_014E8158
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_014E46B08_2_014E46B0
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_062F8AD08_2_062F8AD0
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_062F98308_2_062F9830
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_062F7A7A8_2_062F7A7A
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_064706B08_2_064706B0
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_06471B288_2_06471B28
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_06471B888_2_06471B88
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_064AB22E8_2_064AB22E
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_064A80808_2_064A8080
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_064A55F48_2_064A55F4
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_064AF1908_2_064AF190
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_064AD3508_2_064AD350
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_064AE4508_2_064AE450
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0298E4D020_2_0298E4D0
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0298E4CC20_2_0298E4CC
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0298C43C20_2_0298C43C
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0503604820_2_05036048
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0503603820_2_05036038
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0558E8E820_2_0558E8E8
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_05581D5020_2_05581D50
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_05581D6020_2_05581D60
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0558051820_2_05580518
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0558050820_2_05580508
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0558B53820_2_0558B538
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0558B52820_2_0558B528
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_055835D220_2_055835D2
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_055875C020_2_055875C0
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0558758220_2_05587582
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0558AC7820_2_0558AC78
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0558AC6A20_2_0558AC6A
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0558AC2020_2_0558AC20
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0558549020_2_05585490
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0558548020_2_05585480
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_05585CB020_2_05585CB0
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_05585CA220_2_05585CA2
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0558177120_2_05581771
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 20_2_0558AFD820_2_0558AFD8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_055827C0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_0558AFE8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05585FE8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05586F90
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05585F94
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05586F82
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_055827B1
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_0558B7AC
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05587662
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_055836C8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_02FB47A0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_02FB46B0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_02FB4790
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_02FB4772
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_065494F0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_06547530
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_06546918
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_06546C60
Source: Sample Order.exe, 00000000.00000000.231277776.000000000061E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameR0QTaaU57lgwlvp.exeR vs Sample Order.exe
Source: Sample Order.exe, 00000000.00000002.284865813.0000000008ED0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Sample Order.exe
Source: Sample Order.exe, 00000000.00000002.283205404.00000000070A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Sample Order.exe
Source: Sample Order.exe, 00000000.00000002.274728200.0000000002961000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSmartFormat.dll8 vs Sample Order.exe
Source: Sample Order.exe, 00000000.00000002.274728200.0000000002961000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameGDFAFYjkLqUAsXwTgDhjpkvsbHh.exe4 vs Sample Order.exe
Source: Sample Order.exe, 00000008.00000002.502600664.0000000000D5E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameR0QTaaU57lgwlvp.exeR vs Sample Order.exe
Source: Sample Order.exe, 00000008.00000002.505739174.000000000150A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Sample Order.exe
Source: Sample Order.exe, 00000008.00000002.516337341.00000000064B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Sample Order.exe
Source: Sample Order.exe, 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameGDFAFYjkLqUAsXwTgDhjpkvsbHh.exe4 vs Sample Order.exe
Source: Sample Order.exe | Binary or memory string: OriginalFilenameR0QTaaU57lgwlvp.exeR vs Sample Order.exe
Source: Sample Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/7@3/2
Source: C:\Users\user\Desktop\Sample Order.exe | File created: C:\Users\user\AppData\Roaming\OnUeAYnP.exe
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Mutant created: \Sessions\1\BaseNamedObjects\BWrxfmLqeFeFHYIvUoRBklGn
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_01
Source: C:\Users\user\Desktop\Sample Order.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8100.tmp
Source: Sample Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sample Order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Sample Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Sample Order.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Sample Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Sample Order.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: wAyLNJ.exe | Binary or memory string: SELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
Source: wAyLNJ.exe | Binary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;
Source: Sample Order.exe, 00000000.00000000.231156330.0000000000522000.00000002.00020000.sdmp, Sample Order.exe, 00000008.00000000.271907202.0000000000C62000.00000002.00020000.sdmp, wAyLNJ.exe, 00000014.00000000.349686963.00000000005F2000.00000002.00020000.sdmp, wAyLNJ.exe, 00000018.00000000.373430772.0000000000C92000.00000002.00020000.sdmp | Binary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;oSELECT COUNT(*) FROM PatientDoctor WHERE DoctorId = {0}sSELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
Source: Sample Order.exe | String found in binary or memory: Administrators/addNewToolStripMenuItem
Source: C:\Users\user\Desktop\Sample Order.exe | File read: C:\Users\user\Desktop\Sample Order.exe
Source: unknown | Process created: C:\Users\user\Desktop\Sample Order.exe 'C:\Users\user\Desktop\Sample Order.exe'
Source: C:\Users\user\Desktop\Sample Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp8100.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Sample Order.exe | Process created: C:\Users\user\Desktop\Sample Order.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe 'C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe'
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F4E.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Process created: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe {path}
Source: C:\Users\user\Desktop\Sample Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Sample Order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Sample Order.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Sample Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Sample Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Sample Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Sample Order.exe | Static PE information: 0xDA92057D [Fri Mar 15 03:52:29 2086 UTC]
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_06ED170D push FFFFFF8Bh; iretd 0_2_06ED170F
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_070988A8 pushfd ; iretd 0_2_070988A9
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_062F7A7A push es; retf 8_2_062F7E98
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_062FD0A1 push es; retf 8_2_062FD0A4
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_064ACA46 push es; ret 8_2_064ACA68
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_064A6E80 pushfd ; retf 8_2_064A6E81
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_064A93C6 push es; ret 8_2_064A93C8
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_064AC9BE push es; ret 8_2_064AC9D8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_02FBDB6D push 8BD08B05h; iretd 24_2_02FBDB74
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_06548530 push es; ret 24_2_06548540
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_0654CA61 push es; ret 24_2_0654CA70
Source: initial sample | Static PE information: section name: .text entropy: 7.14748707063
Source: C:\Users\user\Desktop\Sample Order.exe | File created: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe (dropped file)
Source: C:\Users\user\Desktop\Sample Order.exe | File created: C:\Users\user\AppData\Roaming\OnUeAYnP.exe (dropped file)

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Sample Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp8100.tmp'
Source: C:\Users\user\Desktop\Sample Order.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run wAyLNJ

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Sample Order.exe | File opened: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Sample Order.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Sample Order.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sample Order.exe