
Analysis Report Sample Order.exe

Overview

General Information

Sample Name: Sample Order.exe
Analysis ID: 404235
MD5: 72d643819882baf6c48246024d4755d1
SHA1: edc461e732f56caa64c1ce4b02094fdd3d9af99f
SHA256: c590c197137574e792a991b5c56791b8f7cccd4985d46b9f459fc6c39fdeb4ab
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM3
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Sample Order.exe (PID: 5488 cmdline: 'C:\Users\user\Desktop\Sample Order.exe' MD5: 72D643819882BAF6C48246024D4755D1)
    • schtasks.exe (PID: 5828 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp8100.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Sample Order.exe (PID: 4452 cmdline: {path} MD5: 72D643819882BAF6C48246024D4755D1)
  • wAyLNJ.exe (PID: 6420 cmdline: 'C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe' MD5: 72D643819882BAF6C48246024D4755D1)
    • schtasks.exe (PID: 6616 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F4E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wAyLNJ.exe (PID: 6668 cmdline: {path} MD5: 72D643819882BAF6C48246024D4755D1)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "alvank6@earthlink.netsoLution16@smtpauth.earthlink.netspe1759@gmail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
20.2.wAyLNJ.exe.3d01858.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
20.2.wAyLNJ.exe.3d01858.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Sample Order.exe.3ca1858.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
24.2.wAyLNJ.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Sample Order.exe.3ca1858.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 20.2.wAyLNJ.exe.3d01858.3.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "alvank6@earthlink.netsoLution16@smtpauth.earthlink.netspe1759@gmail.com"}
Source: 24.2.wAyLNJ.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.2.Sample Order.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Sample Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 54.225.165.85:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: Sample Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\Sample Order.exe | DNS query: name: api.ipify.org
Source: Joe Sandbox View | IP Address: 54.225.165.85 54.225.165.85
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: http://DVEXLL.com
Source: wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Sample Order.exe, 00000008.00000002.517017821.0000000006A01000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: Sample Order.exe, 00000000.00000002.274728200.0000000002961000.00000004.00000001.sdmp, Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Sample Order.exe, 00000000.00000002.274019648.0000000000ED7000.00000004.00000040.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Sample Order.exe, 00000000.00000002.274019648.0000000000ED7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comf37x
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/
Source: wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Sample Order.exe, 00000000.00000002.277083861.0000000003BFF000.00000004.00000001.sdmp, Sample Order.exe, 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Sample Order.exe, 00000000.00000002.277083861.0000000003BFF000.00000004.00000001.sdmp, Sample Order.exe, 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | HTTPS traffic detected: 54.225.165.85:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: C:\Users\user\Desktop\Sample Order.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Sample Order.exe
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_00E4E4C3
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_00E4E4D0
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_00E4C43C
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_0709C37F
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07098390
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_070927B1
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_0709C600
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095E99
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_070936C8
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07097EC8
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07090508
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07091D50
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07090040
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_0709AC78
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_0709B070
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_070910E8
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07091773
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07096F90
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095F94
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095FE8
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095A28
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095A38
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07097662
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07093695
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095EA9
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07097EC7
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07099AE8
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07099AE0
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07099AF0
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07090511
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095180
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095187
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_0709759F
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095190
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_0709B5B8
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_0709B5B0
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_0709B5C1
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_070975C0
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_070945D0
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_070935D5
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_0709C5FF
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_0709580A
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095818
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095810
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_0709B834
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07096068
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_0709AC6F
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_0709B060
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095482
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07091093
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_070988AA
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095CAF
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095CA2
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_070988B8
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_07095CB0
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_070988B7
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 0_2_0709C0B7
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_014E47A0
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_014E8158
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_014E46B0
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_062F8AD0
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_062F9830
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_062F7A7A
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_064706B0
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_06471B28
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_06471B88
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_064AB22E
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_064A8080
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_064A55F4
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_064AF190
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_064AD350
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_064AE450
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_0298E4D0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_0298E4CC
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_0298C43C
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05036048
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05036038
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_0558E8E8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05581D50
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05581D60
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05580518
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05580508
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_0558B538
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_0558B528
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_055835D2
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_055875C0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05587582
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_0558AC78
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_0558AC6A
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_0558AC20
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05585490
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05585480
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05585CB0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05585CA2
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05581771
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_0558AFD8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_055827C0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_0558AFE8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05585FE8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05586F90
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05585F94
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05586F82
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_055827B1
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_0558B7AC
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_05587662
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 20_2_055836C8
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_02FB47A0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_02FB46B0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_02FB4790
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_02FB4772
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_065494F0
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_06547530
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_06546918
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_06546C60
Source: Sample Order.exe, 00000000.00000000.231277776.000000000061E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameR0QTaaU57lgwlvp.exeR vs Sample Order.exe
Source: Sample Order.exe, 00000000.00000002.284865813.0000000008ED0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Sample Order.exe
Source: Sample Order.exe, 00000000.00000002.283205404.00000000070A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Sample Order.exe
Source: Sample Order.exe, 00000000.00000002.274728200.0000000002961000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSmartFormat.dll8 vs Sample Order.exe
Source: Sample Order.exe, 00000000.00000002.274728200.0000000002961000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameGDFAFYjkLqUAsXwTgDhjpkvsbHh.exe4 vs Sample Order.exe
Source: Sample Order.exe, 00000008.00000002.502600664.0000000000D5E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameR0QTaaU57lgwlvp.exeR vs Sample Order.exe
Source: Sample Order.exe, 00000008.00000002.505739174.000000000150A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Sample Order.exe
Source: Sample Order.exe, 00000008.00000002.516337341.00000000064B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Sample Order.exe
Source: Sample Order.exe, 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameGDFAFYjkLqUAsXwTgDhjpkvsbHh.exe4 vs Sample Order.exe
Source: Sample Order.exe | Binary or memory string: OriginalFilenameR0QTaaU57lgwlvp.exeR vs Sample Order.exe
Source: Sample Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/7@3/2
Source: C:\Users\user\Desktop\Sample Order.exe | File created: C:\Users\user\AppData\Roaming\OnUeAYnP.exe
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Mutant created: \Sessions\1\BaseNamedObjects\BWrxfmLqeFeFHYIvUoRBklGn
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_01
Source: C:\Users\user\Desktop\Sample Order.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8100.tmp
Source: Sample Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sample Order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Sample Order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Sample Order.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Sample Order.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\Sample Order.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\Sample Order.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Sample Order.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Sample Order.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: wAyLNJ.exeBinary or memory string: SELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
                      Source: wAyLNJ.exeBinary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;
                      Source: Sample Order.exe, 00000000.00000000.231156330.0000000000522000.00000002.00020000.sdmp, Sample Order.exe, 00000008.00000000.271907202.0000000000C62000.00000002.00020000.sdmp, wAyLNJ.exe, 00000014.00000000.349686963.00000000005F2000.00000002.00020000.sdmp, wAyLNJ.exe, 00000018.00000000.373430772.0000000000C92000.00000002.00020000.sdmpBinary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;oSELECT COUNT(*) FROM PatientDoctor WHERE DoctorId = {0}sSELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
                      Source: Sample Order.exeString found in binary or memory: Administrators/addNewToolStripMenuItem
                      Source: C:\Users\user\Desktop\Sample Order.exeFile read: C:\Users\user\Desktop\Sample Order.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Sample Order.exe 'C:\Users\user\Desktop\Sample Order.exe'
                      Source: C:\Users\user\Desktop\Sample Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp8100.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Sample Order.exeProcess created: C:\Users\user\Desktop\Sample Order.exe {path}
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe 'C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe'
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F4E.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeProcess created: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe {path}
                      Source: C:\Users\user\Desktop\Sample Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp8100.tmp'
                      Source: C:\Users\user\Desktop\Sample Order.exeProcess created: C:\Users\user\Desktop\Sample Order.exe {path}
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F4E.tmp'
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeProcess created: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe {path}
                      Source: C:\Users\user\Desktop\Sample Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\Sample Order.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\Sample Order.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Sample Order.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Sample Order.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Sample Order.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Sample Order.exeStatic PE information: 0xDA92057D [Fri Mar 15 03:52:29 2086 UTC]
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_06ED170D push FFFFFF8Bh; iretd
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 0_2_070988A8 pushfd ; iretd
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_062F7A7A push es; retf
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_062FD0A1 push es; retf
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_064ACA46 push es; ret
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_064A6E80 pushfd ; retf
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_064A93C6 push es; ret
                      Source: C:\Users\user\Desktop\Sample Order.exeCode function: 8_2_064AC9BE push es; ret
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 24_2_02FBDB6D push 8BD08B05h; iretd
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 24_2_06548530 push es; ret
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeCode function: 24_2_0654CA61 push es; ret
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.14748707063
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.14748707063
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.14748707063
                      Source: C:\Users\user\Desktop\Sample Order.exeFile created: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exeJump to dropped file
                      Source: C:\Users\user\Desktop\Sample Order.exeFile created: C:\Users\user\AppData\Roaming\OnUeAYnP.exeJump to dropped file

                      Boot Survival:

                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\Sample Order.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp8100.tmp'
                      Source: C:\Users\user\Desktop\Sample Order.exe -- Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run wAyLNJ (2 identical entries)

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\Sample Order.exe -- File opened: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\Sample Order.exe -- Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\Sample Order.exe -- Process information set: NOOPENFILEERRORBOX (96 identical entries)
                      Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe -- Process information set: NOOPENFILEERRORBOX (77 identical entries)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: Process Memory Space: Sample Order.exe PID: 5488, type: MEMORY
Source: Yara match | File source: Process Memory Space: wAyLNJ.exe PID: 6420, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Sample Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Sample Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Sample Order.exe, 00000000.00000002.274728200.0000000002961000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Sample Order.exe, 00000000.00000002.274728200.0000000002961000.00000004.00000001.sdmp, wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Sample Order.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Sample Order.exe | Window / User API: threadDelayed 5626
Source: C:\Users\user\Desktop\Sample Order.exe | Window / User API: threadDelayed 4124
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Window / User API: threadDelayed 3032
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Window / User API: threadDelayed 6789
Source: C:\Users\user\Desktop\Sample Order.exe TID: 5484 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\Sample Order.exe TID: 5484 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Sample Order.exe TID: 5468 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Sample Order.exe TID: 4616 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe TID: 6424 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe TID: 6424 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe TID: 6492 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe TID: 4852 | Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe TID: 768 | Thread sleep count: 3032 > 30
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe TID: 768 | Thread sleep count: 6789 > 30
Source: C:\Users\user\Desktop\Sample Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Sample Order.exe | Thread delayed: delay time: 31500
Source: C:\Users\user\Desktop\Sample Order.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\Sample Order.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Thread delayed: delay time: 31500
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Thread delayed: delay time: 922337203685477
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Sample Order.exe, 00000008.00000002.516890640.00000000069B0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Sample Order.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Code function: 8_2_06470F08 LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sample Order.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Sample Order.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Sample Order.exe | Memory written: C:\Users\user\Desktop\Sample Order.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Memory written: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Sample Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp8100.tmp'
Source: C:\Users\user\Desktop\Sample Order.exe | Process created: C:\Users\user\Desktop\Sample Order.exe {path}
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F4E.tmp'
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Process created: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe {path}
Source: Sample Order.exe, 00000008.00000002.506796854.0000000001BE0000.00000002.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.506815579.0000000001B20000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
Source: Sample Order.exe, 00000008.00000002.506796854.0000000001BE0000.00000002.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.506815579.0000000001B20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Sample Order.exe, 00000008.00000002.506796854.0000000001BE0000.00000002.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.506815579.0000000001B20000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Sample Order.exe, 00000008.00000002.506796854.0000000001BE0000.00000002.00000001.sdmp, wAyLNJ.exe, 00000018.00000002.506815579.0000000001B20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Users\user\Desktop\Sample Order.exe VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Sample Order.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Users\user\Desktop\Sample Order.exe VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Sample Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Queries volume information: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Queries volume information: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe | Code function: 24_2_06544FFC GetUserNameW,
Source: C:\Users\user\Desktop\Sample Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.277083861.0000000003BFF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Sample Order.exe PID: 5488, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: wAyLNJ.exe PID: 6668, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: wAyLNJ.exe PID: 6420, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Sample Order.exe PID: 4452, type: MEMORY
                      Source: Yara matchFile source: 20.2.wAyLNJ.exe.3d01858.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.wAyLNJ.exe.3d01858.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Sample Order.exe.3ca1858.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 24.2.wAyLNJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Sample Order.exe.3ca1858.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 8.2.Sample Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Sample Order.exe.3cd7a78.3.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Sample Order.exe, key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Sample Order.exe, file opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Sample Order.exe, file opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Sample Order.exe, key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match, file source: 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: wAyLNJ.exe PID: 6668, type: MEMORY
Source: Yara match, file source: Process Memory Space: Sample Order.exe PID: 4452, type: MEMORY
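The four stores listed above (the WinSCP sessions key, the Firefox and Thunderbird profiles.ini indexes, and the Outlook MAPI profile key) are the artefacts an endpoint detection should key on. No single open is conclusive, because the owning application reads its own store all day; the stealer pattern this report shows is one process that is none of those applications opening several of them in a row. The Python below is an added example for this page, not part of the Joe Sandbox report. The store paths are the ones the report lists; the event records are constructed to stand in for EDR or Sysmon file-open and registry-open telemetry (they reuse the report's paths and PID 4452), and the owner allowlist is an assumption to tune per environment.

```python
"""Flag processes that open the credential stores named in the report.

Added example for this page, not part of the Joe Sandbox report.  The
store paths are the ones the report lists (WinSCP sessions key, Firefox
and Thunderbird profiles.ini, Outlook MAPI profile key); the event
records below are constructed to stand in for EDR/Sysmon file-open and
registry-open telemetry.
"""
import re
from collections import defaultdict

# Patterns for the credential stores the sample touched (from the report).
CREDENTIAL_STORES = {
    "winscp_sessions": re.compile(
        r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions", re.I),
    "firefox_profiles": re.compile(
        r"\\AppData\\Roaming\\Mozilla\\Firefox\\profiles\.ini$", re.I),
    "thunderbird_profiles": re.compile(
        r"\\AppData\\Roaming\\Thunderbird\\profiles\.ini$", re.I),
    "outlook_profile": re.compile(
        r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion"
        r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\", re.I),
}

# Image names expected to open each store.  Assumed allowlist; tune it.
EXPECTED_OWNERS = {
    "winscp_sessions": {"winscp.exe"},
    "firefox_profiles": {"firefox.exe"},
    "thunderbird_profiles": {"thunderbird.exe"},
    "outlook_profile": {"outlook.exe"},
}


def classify(target):
    """Return the store name a file/registry path belongs to, or None."""
    for name, pattern in CREDENTIAL_STORES.items():
        if pattern.search(target):
            return name
    return None


def find_credential_harvesting(events, min_stores=2):
    """events: iterable of (pid, image_path, target_path) open events.

    Alerts on a process that opens stores of min_stores or more distinct
    applications, or opens any store it is not the expected owner of.
    """
    touched = defaultdict(set)
    images = {}
    for pid, image, target in events:
        store = classify(target)
        if store is None:
            continue
        touched[pid].add(store)
        images[pid] = image.rsplit("\\", 1)[-1].lower()

    alerts = []
    for pid, stores in touched.items():
        image = images[pid]
        foreign = sorted(s for s in stores if image not in EXPECTED_OWNERS[s])
        if len(stores) >= min_stores or foreign:
            alerts.append({"pid": pid, "image": image,
                           "stores": sorted(stores), "foreign": foreign})
    return alerts


# Constructed telemetry: the four opens the report attributes to
# Sample Order.exe (PID 4452), plus two benign opens for contrast.
SAMPLE_EVENTS = [
    (4452, r"C:\Users\user\Desktop\Sample Order.exe",
     r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (4452, r"C:\Users\user\Desktop\Sample Order.exe",
     r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (4452, r"C:\Users\user\Desktop\Sample Order.exe",
     r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (4452, r"C:\Users\user\Desktop\Sample Order.exe",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
     r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (1200, r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (3100, r"C:\Windows\explorer.exe", r"C:\Users\user\Documents\notes.txt"),
]

if __name__ == "__main__":
    for alert in find_credential_harvesting(SAMPLE_EVENTS):
        print(alert)
```

Running it on the constructed events produces one alert, for PID 4452, with all four stores marked foreign; the Firefox open of its own profiles.ini and the explorer.exe open of a document produce nothing. In production the same logic sits on a per-process window (Sysmon event IDs 11 and 12/13, or the equivalent EDR file and registry events), and the threshold is what keeps legitimate backup and sync agents quiet.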

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match, file source: 00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.277083861.0000000003BFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: Sample Order.exe PID: 5488, type: MEMORY
Source: Yara match, file source: Process Memory Space: wAyLNJ.exe PID: 6668, type: MEMORY
Source: Yara match, file source: Process Memory Space: wAyLNJ.exe PID: 6420, type: MEMORY
Source: Yara match, file source: Process Memory Space: Sample Order.exe PID: 4452, type: MEMORY
Source: Yara match, file source: 20.2.wAyLNJ.exe.3d01858.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.2.wAyLNJ.exe.3d01858.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Sample Order.exe.3ca1858.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 24.2.wAyLNJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Sample Order.exe.3ca1858.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 8.2.Sample Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Sample Order.exe.3cd7a78.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques with at least one matching signature, grouped by tactic. The number in parentheses is the signature count printed next to the technique in the report; all other cells of the matrix were empty.

Initial Access: none matched
Execution: Windows Management Instrumentation (211), Command and Scripting Interpreter (2), Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1), Registry Run Keys / Startup Folder (1)
Privilege Escalation: Process Injection (112), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (1)
Defense Evasion: Disable or Modify Tools (1), Obfuscated Files or Information (2), Software Packing (2), Timestomp (1), Masquerading (1), Virtualization/Sandbox Evasion (141), Process Injection (112), Hidden Files and Directories (1)
Credential Access: OS Credential Dumping (1), Credentials in Registry (1)
Discovery: Account Discovery (1), File and Directory Discovery (1), System Information Discovery (114), Query Registry (1), Security Software Discovery (221), Process Discovery (2), Virtualization/Sandbox Evasion (141), Application Window Discovery (1), System Owner/User Discovery (1), Remote System Discovery (1), System Network Configuration Discovery (1)
Lateral Movement: none matched
Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Clipboard Data (1)
Exfiltration: none matched
Command and Control: Encrypted Channel (12), Non-Application Layer Protocol (1), Application Layer Protocol (2)
Network Effects, Remote Service Effects, Impact: none matched

                      Behavior Graph

Behavior Graph ID: 404235   Sample: Sample Order.exe   Start date: 04/05/2021   Architecture: WINDOWS   Score: 100

Top-level signatures: Found malware configuration; Yara detected AgentTesla; Yara detected AntiVM3; 6 other signatures
DNS/IP info attached to the sample node: smtpauth.earthlink.net

Process tree (started processes, with the files they dropped and the signatures attached to each node):

Sample Order.exe
    dropped: C:\Users\user\AppData\Local\...\tmp8100.tmp (XML)
    dropped: C:\Users\user\AppData\Roaming\OnUeAYnP.exe (PE32)
    signature: Injects a PE file into a foreign processes
    -> Sample Order.exe (second instance)
           DNS/IP: elb097307-934924932.us-east-1.elb.amazonaws.com (54.225.165.85, 443, 49745, AMAZON-AES, United States); 192.168.2.1 (unknown); 2 other IPs or domains
           dropped: C:\Users\user\AppData\Roaming\...\wAyLNJ.exe (PE32)
           dropped: C:\Users\user\...\wAyLNJ.exe:Zone.Identifier (ASCII)
           signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Hides that the sample has been downloaded from the Internet (zone.identifier)
    -> schtasks.exe
           -> conhost.exe

wAyLNJ.exe
    signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    -> schtasks.exe
           -> conhost.exe
    -> wAyLNJ.exe (second instance)
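The graph shows the persistence chain in one glance: the first Sample Order.exe writes a task definition (tmp8100.tmp, XML) and a PE under AppData\Roaming, then starts schtasks.exe; the dropped wAyLNJ.exe repeats the same schtasks.exe step. A responder checking other hosts for the same pattern can export the registered tasks (schtasks /Query /TN <name> /XML) and look for an Exec action whose binary lives in a directory a standard user can write to. The Python below is an added example for this page, not code from the Joe Sandbox report or the sample. The two task documents are constructed in the Task Scheduler XML schema to mirror that chain (the dropped file name OnUeAYnP.exe is the report's, the task body is not), and the writable-path list is an assumption to extend per environment.

```python
"""Check exported scheduled-task XML for actions that run from user-writable paths.

Added example for this page, not code from the Joe Sandbox report.  The
two task documents are constructed in the Task Scheduler XML schema to
mirror the chain in the behavior graph (dropper writes a task XML and a
PE under AppData\\Roaming, then calls schtasks.exe); the writable-path
list is an assumption to extend per environment.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to.  A task action that starts
# there is persistence that a low-privileged dropper could have planted.
USER_WRITABLE = re.compile(
    r"^(?:%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|%USERPROFILE%"
    r"|[A-Z]:\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads)\\)",
    re.I,
)


def task_actions(xml_doc):
    """Return [(command, arguments), ...] for every Exec action in a task.

    xml_doc may be str or bytes; "schtasks /Query /XML" output is UTF-16
    with an XML declaration, so pass the raw bytes in that case.
    """
    root = ET.fromstring(xml_doc)
    actions = []
    for exec_ in root.findall(".//t:Actions/t:Exec", NS):
        command = (exec_.findtext("t:Command", "", NS) or "").strip().strip('"')
        arguments = (exec_.findtext("t:Arguments", "", NS) or "").strip()
        actions.append((command, arguments))
    return actions


def suspicious_actions(xml_doc):
    """Commands of Exec actions whose binary lives in a user-writable path."""
    return [cmd for cmd, _ in task_actions(xml_doc) if USER_WRITABLE.match(cmd)]


# Constructed: the shape of a task a dropper would register with
# "schtasks /Create /XML <file>" for the PE the report saw dropped.
DROPPER_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>"C:\Users\user\AppData\Roaming\OnUeAYnP.exe"</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task for contrast: the binary sits under the system root.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, doc in (("dropper", DROPPER_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, suspicious_actions(doc))
```

The check flags only the command path, deliberately: a task whose Command is a trusted interpreter (cmd.exe, powershell.exe, wscript.exe) with the payload in Arguments passes it, so in practice the Arguments field gets the same path test, and an interactive LogonTrigger plus LeastPrivilege RunLevel on a task that points into AppData is the combination worth alerting on.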


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      No Antivirus matches

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
24.2.wAyLNJ.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
8.2.Sample Order.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://DVEXLL.com | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.comf37x | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com | 54.225.165.85 | true | false | - | high
smtpauth.earthlink.net | 207.69.189.209 | true | false | - | high
api.ipify.org | unknown | unknown | false | - | high

                            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp | false | - | high
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://127.0.0.1:HTTP/1.1 | Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp; wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | Sample Order.exe, 00000000.00000002.274019648.0000000000ED7000.00000004.00000040.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | - | high
http://DynDns.comDynDNS | wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | Sample Order.exe, 00000008.00000002.505914918.0000000001532000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp; wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://DVEXLL.com | wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | - | high
http://www.tiro.com | wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.orgGETMozilla/5.0 | wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org | Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp | false | - | high
http://fontfabrik.com | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | - | high
https://api.telegram.org/bot%telegramapi%/ | Sample Order.exe, 00000000.00000002.277083861.0000000003BFF000.00000004.00000001.sdmp; Sample Order.exe, 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp; wAyLNJ.exe, 00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.comf37x | Sample Order.exe, 00000000.00000002.274019648.0000000000ED7000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Sample Order.exe, 00000000.00000002.274728200.0000000002961000.00000004.00000001.sdmp; Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.377708747.00000000029C1000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | Sample Order.exe, 00000000.00000002.281912036.0000000006AB2000.00000004.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.384883678.0000000005A90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x | Sample Order.exe, 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp; wAyLNJ.exe, 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp | false | - | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Sample Order.exe, 00000000.00000002.277083861.0000000003BFF000.00000004.00000001.sdmp; Sample Order.exe, 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp; wAyLNJ.exe, 00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp; wAyLNJ.exe, 00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                                                          Contacted IPs

                                                          [Contacted-IPs map not reproduced in text; legend buckets: No. of IPs < 25%, 25% to 50%, 50% to 75%, > 75%]

                                                          Public

                                                          IP | Domain | Country | ASN | ASN Name | Malicious
                                                          54.225.165.85 | elb097307-934924932.us-east-1.elb.amazonaws.com | United States | 14618 | AMAZON-AESUS | false

                                                          Private

                                                          IP
                                                          192.168.2.1

                                                          General Information

                                                          Joe Sandbox Version:32.0.0 Black Diamond
                                                          Analysis ID:404235
                                                          Start date:04.05.2021
                                                          Start time:20:29:26
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 13m 45s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Sample file name:Sample Order.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed:35
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winEXE@12/7@3/2
                                                          EGA Information:Failed
                                                          HDC Information:Failed
                                                          HCA Information:
                                                          • Successful, ratio: 99%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .exe
                                                          Warnings:
                                                          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                          • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 104.42.151.234, 23.54.113.53, 52.147.198.201, 104.43.193.48, 52.255.188.83, 23.57.80.111, 20.82.210.154, 92.122.213.194, 92.122.213.247, 93.184.221.240, 52.155.217.156, 20.54.26.129
                                                          • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/404235/sample/Sample Order.exe

                                                          Simulations

                                                          Behavior and APIs

                                                          Time | Type | Description
                                                          20:30:30 | API Interceptor | 585x Sleep call for process: Sample Order.exe modified
                                                          20:31:02 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run wAyLNJ C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe
                                                          20:31:10 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run wAyLNJ C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe
                                                          20:31:18 | API Interceptor | 298x Sleep call for process: wAyLNJ.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                          54.225.165.85
                                                            FxHNFwShW0.exe | Get hash | malicious | Browse | api.ipify.org/?format=xml
                                                            Quot_466378-09.exe | Get hash | malicious | Browse | api.ipify.org/
                                                            dzDuodOG0V.exe | Get hash | malicious | Browse | api.ipify.org/?format=xml
                                                            msals.dll | Get hash | malicious | Browse | api.ipify.org/?format=xml

                                                          Domains

                                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com
                                                            2bb0000.exe | Get hash | malicious | Browse | 50.16.249.42
                                                            2f50000.exe | Get hash | malicious | Browse | 23.21.48.44
                                                            SecuriteInfo.com.Heur.31681.xls | Get hash | malicious | Browse | 54.243.154.178
                                                            3e98fa2d_by_Libranalysis.exe | Get hash | malicious | Browse | 54.235.83.248
                                                            0429_1556521897736.doc_berd.dll | Get hash | malicious | Browse | 54.225.169.203
                                                            e3d5e715_by_Libranalysis.exe | Get hash | malicious | Browse | 54.243.121.36
                                                            8f66.xls.exe | Get hash | malicious | Browse | 54.225.169.203
                                                            berd.b.dll | Get hash | malicious | Browse | 23.21.48.44
                                                            0427_5079687843613.doc | Get hash | malicious | Browse | 107.22.233.72
                                                            SThy2G7fGR.exe | Get hash | malicious | Browse | 50.19.216.111
                                                            if.ps1 | Get hash | malicious | Browse | 50.19.216.111
                                                            jers.dll | Get hash | malicious | Browse | 54.235.83.248
                                                            ac8e3612_by_Libranalysis.exe | Get hash | malicious | Browse | 50.19.252.36
                                                            Onetap.com_Cracked_Auth_Bp_UPDATED_23.04.21.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            furmt.f.dll | Get hash | malicious | Browse | 23.21.252.4
                                                            eGXZrIOs3P.exe | Get hash | malicious | Browse | 54.235.175.90
                                                            ff.exe | Get hash | malicious | Browse | 54.225.222.160
                                                            8s7bEDfYhT.exe | Get hash | malicious | Browse | 54.225.155.255
                                                            8c6b2adbcdd8b7f0a0419fd08e5cbd0f7bc52cc702da4.exe | Get hash | malicious | Browse | 107.22.233.72
                                                          smtpauth.earthlink.net
                                                            PO19427.exe | Get hash | malicious | Browse | 207.69.189.204
                                                            RECEIPT DHL.exe | Get hash | malicious | Browse | 207.69.189.205
                                                            PO16388.exe | Get hash | malicious | Browse | 207.69.189.206
                                                            PO17440.exe | Get hash | malicious | Browse | 207.69.189.209
                                                            PO1055.exe | Get hash | malicious | Browse | 207.69.189.207
                                                            PO10448.exe | Get hash | malicious | Browse | 207.69.189.208
                                                            PO01044.exe | Get hash | malicious | Browse | 207.69.189.205
                                                            PO123066.exe | Get hash | malicious | Browse | 207.69.189.205
                                                            PO1228pdf.exe | Get hash | malicious | Browse | 207.69.189.205
                                                            PO121856.exe | Get hash | malicious | Browse | 207.69.189.208
                                                            DHL COPY.exe | Get hash | malicious | Browse | 207.69.189.210
                                                            C5o57lBFrs.exe | Get hash | malicious | Browse | 207.69.189.205
                                                            0y9m2LcCmp.exe | Get hash | malicious | Browse | 207.69.189.206
                                                            uw7Xt03ZwG.exe | Get hash | malicious | Browse | 207.69.189.203
                                                            Sample Order.exe | Get hash | malicious | Browse | 207.69.189.202

                                                          ASN

                                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                          AMAZON-AESUS
                                                            Payment.xlsx | Get hash | malicious | Browse | 54.156.162.121
                                                            presentation.jar | Get hash | malicious | Browse | 34.202.206.65
                                                            presentation.jar | Get hash | malicious | Browse | 34.202.206.65
                                                            heUGqZXAJv.exe | Get hash | malicious | Browse | 50.17.5.224
                                                            2bb0000.exe | Get hash | malicious | Browse | 50.16.249.42
                                                            2f50000.exe | Get hash | malicious | Browse | 23.21.48.44
                                                            SecuriteInfo.com.Heur.31681.xls | Get hash | malicious | Browse | 54.243.154.178
                                                            MyUY1HeWNL.exe | Get hash | malicious | Browse | 54.204.119.115
                                                            Documents_111651917_375818984.xls | Get hash | malicious | Browse | 54.163.9.216
                                                            detection.exe | Get hash | malicious | Browse | 3.212.215.225
                                                            4GGwmv0AJm.exe | Get hash | malicious | Browse | 52.202.22.6
                                                            #U260e#Ufe0fAUDIO-2020-05-26-18-51-m4a_MP4messages_2202-434.htm | Get hash | malicious | Browse | 23.21.53.13
                                                            OB74.vbs | Get hash | malicious | Browse | 54.91.196.22
                                                            3e98fa2d_by_Libranalysis.exe | Get hash | malicious | Browse | 54.235.83.248
                                                            file.exe | Get hash | malicious | Browse | 3.223.115.185
                                                            Outstanding Payment Plan.xls | Get hash | malicious | Browse | 3.227.195.104
                                                            0429_1556521897736.doc_berd.dll | Get hash | malicious | Browse | 54.225.169.203
                                                            KnAY2OIPI3 | Get hash | malicious | Browse | 54.161.176.221
                                                            Bill Of Lading & Packing List.pdf.gz.exe | Get hash | malicious | Browse | 3.223.115.185
                                                            pVrqrGltiL.exe | Get hash | malicious | Browse | 3.233.171.147

                                                          JA3 Fingerprints

                                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                          3b5074b1b5d032e5620f69f9f700ff0e
                                                            d.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            d.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            d.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            d.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            2bb0000.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            2f50000.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            oiY37pLlj7.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            3ZtdRsbjxo.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            Oej1asjUTO.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            OK0n4zMIIm.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            BID6200306761.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            OverdueInvoice-PDF.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            SLIP.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            NeworderMay20212021-pdf.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            1hbYGZf6BQ.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            c89928a29ebf0c8c2acd7d9a457236e15d1a604d5c892.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            from-iso_RFQ___PU.EXE1__.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            80896e11_by_Libranalysis.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            Xerox Scan_07122020181109.exe | Get hash | malicious | Browse | 54.225.165.85
                                                            menXxRXr64.exe | Get hash | malicious | Browse | 54.225.165.85

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sample Order.exe.log
                                                          Process:C:\Users\user\Desktop\Sample Order.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.355304211458859
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wAyLNJ.exe.log
                                                          Process:C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.355304211458859
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                          C:\Users\user\AppData\Local\Temp\tmp3F4E.tmp
                                                          Process:C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1657
                                                          Entropy (8bit):5.168510869426027
                                                          Encrypted:false
                                                          SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBRtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3p
                                                          MD5:58480DD89319E839621E894EF3259821
                                                          SHA1:E21BAA8814F20FD74F53A3DC0C3AC05C1C0E3FA5
                                                          SHA-256:DC33DF52253490D45B2131EACCCA2EC4B426833DC0BCA2FC98F9034A7EDB33C3
                                                          SHA-512:3F55934FDA0EE64696727DE286841D70436A6369938855698DCE5D033D75410691219355D6CD9BD7619A82233F2395A480F1F5B331F0CF50AD5A58E428EE3754
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                                                          C:\Users\user\AppData\Local\Temp\tmp8100.tmp
                                                          Process:C:\Users\user\Desktop\Sample Order.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1657
                                                          Entropy (8bit):5.168510869426027
                                                          Encrypted:false
                                                          SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBRtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3p
                                                          MD5:58480DD89319E839621E894EF3259821
                                                          SHA1:E21BAA8814F20FD74F53A3DC0C3AC05C1C0E3FA5
                                                          SHA-256:DC33DF52253490D45B2131EACCCA2EC4B426833DC0BCA2FC98F9034A7EDB33C3
                                                          SHA-512:3F55934FDA0EE64696727DE286841D70436A6369938855698DCE5D033D75410691219355D6CD9BD7619A82233F2395A480F1F5B331F0CF50AD5A58E428EE3754
                                                          Malicious:true
                                                          Reputation:low
                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                                                          C:\Users\user\AppData\Roaming\OnUeAYnP.exe
                                                          Process:C:\Users\user\Desktop\Sample Order.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1027584
                                                          Entropy (8bit):7.140958849064524
                                                          Encrypted:false
                                                          SSDEEP:12288:aPbB4fWXY3Ot6InK1sLuNp+dM0kKg0D75wAPG+zETi/Pih2CV5R2DMajN2vZOmFb:afN2vsQ1oLAL+rdgUSzcr9Pr3fYM99U
                                                          MD5:72D643819882BAF6C48246024D4755D1
                                                          SHA1:EDC461E732F56CAA64C1CE4B02094FDD3D9AF99F
                                                          SHA-256:C590C197137574E792A991B5C56791B8F7CCCD4985D46B9F459FC6C39FDEB4AB
                                                          SHA-512:D54692E43D07CD232DF9B206C23DB1A8FB05FC1D7BA8C60C30CF68F46ABBC13CF18617867C5FDEDE8D89B5110F41D4E0F72A3C2ED4F2792301F0FAFECC2942AE
                                                          Malicious:false
                                                          Reputation:low
                                                          C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe
                                                          Process:C:\Users\user\Desktop\Sample Order.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1027584
                                                          Entropy (8bit):7.140958849064524
                                                          Encrypted:false
                                                          SSDEEP:12288:aPbB4fWXY3Ot6InK1sLuNp+dM0kKg0D75wAPG+zETi/Pih2CV5R2DMajN2vZOmFb:afN2vsQ1oLAL+rdgUSzcr9Pr3fYM99U
                                                          MD5:72D643819882BAF6C48246024D4755D1
                                                          SHA1:EDC461E732F56CAA64C1CE4B02094FDD3D9AF99F
                                                          SHA-256:C590C197137574E792A991B5C56791B8F7CCCD4985D46B9F459FC6C39FDEB4AB
                                                          SHA-512:D54692E43D07CD232DF9B206C23DB1A8FB05FC1D7BA8C60C30CF68F46ABBC13CF18617867C5FDEDE8D89B5110F41D4E0F72A3C2ED4F2792301F0FAFECC2942AE
                                                          Malicious:true
                                                          Reputation:low
                                                          C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe:Zone.Identifier
                                                          Process:C:\Users\user\Desktop\Sample Order.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:true
                                                          Preview: [ZoneTransfer]....ZoneId=0

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.140958849064524
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Windows Screen Saver (13104/52) 0.07%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          File name:Sample Order.exe
                                                          File size:1027584
                                                          MD5:72d643819882baf6c48246024d4755d1
                                                          SHA1:edc461e732f56caa64c1ce4b02094fdd3d9af99f
                                                          SHA256:c590c197137574e792a991b5c56791b8f7cccd4985d46b9f459fc6c39fdeb4ab
                                                          SHA512:d54692e43d07cd232df9b206c23db1a8fb05fc1d7ba8c60c30cf68f46abbc13cf18617867c5fdede8d89b5110f41d4e0f72a3c2ed4f2792301f0fafecc2942ae
                                                          SSDEEP:12288:aPbB4fWXY3Ot6InK1sLuNp+dM0kKg0D75wAPG+zETi/Pih2CV5R2DMajN2vZOmFb:afN2vsQ1oLAL+rdgUSzcr9Pr3fYM99U
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.................0.............J.... ........@.. ....................... ............@................................

                                                          File Icon

                                                          Icon Hash:00828e8e8686b000

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x4fc14a
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                          Time Stamp:0xDA92057D [Fri Mar 15 03:52:29 2086 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:v4.0.30319
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Entrypoint Preview

                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al   (repeated for the remaining preview bytes, which are all zero)

                                                          Data Directories

                                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0xfc0f8          0x4f          .text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xfe000          0x604         .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x100000         0xc           .reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0xfc0dc          0x1c          .text
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                          Sections

                                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                          .text   0x2000           0xfa150       0xfa200   False     0.619275323276   data       7.14748707063   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                          .rsrc   0xfe000          0x604         0x800     False     0.33056640625    data       3.442123386     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc  0x100000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          Name         RVA      Size   Type                                                                          Language  Country
                                                          RT_VERSION   0xfe090  0x374  data
                                                          RT_MANIFEST  0xfe414  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                          Imports

                                                          DLL          Import
                                                          mscoree.dll  _CorExeMain

                                                          Version Infos

                                                          Description       Data
                                                          Translation       0x0000 0x04b0
                                                          LegalCopyright    Copyright 2019
                                                          Assembly Version  1.0.0.0
                                                          InternalName      R0QTaaU57lgwlvp.exe
                                                          FileVersion       1.0.0.0
                                                          CompanyName
                                                          LegalTrademarks
                                                          Comments
                                                          ProductName       HospitalManagementSystem
                                                          ProductVersion    1.0.0.0
                                                          FileDescription   HospitalManagementSystem
                                                          OriginalFilename  R0QTaaU57lgwlvp.exe

                                                          Network Behavior

                                                          Network Port Distribution

                                                          TCP Packets

                                                          Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                          May 4, 2021 20:32:14.657835007 CEST  49745        443        192.168.2.7    54.225.165.85
                                                          May 4, 2021 20:32:14.794311047 CEST  443          49745      54.225.165.85  192.168.2.7
                                                          May 4, 2021 20:32:14.794464111 CEST  49745        443        192.168.2.7    54.225.165.85
                                                          May 4, 2021 20:32:14.944673061 CEST  49745        443        192.168.2.7    54.225.165.85
                                                          May 4, 2021 20:32:15.080727100 CEST  443          49745      54.225.165.85  192.168.2.7
                                                          May 4, 2021 20:32:15.081146955 CEST  443          49745      54.225.165.85  192.168.2.7
                                                          May 4, 2021 20:32:15.081177950 CEST  443          49745      54.225.165.85  192.168.2.7
                                                          May 4, 2021 20:32:15.081199884 CEST  443          49745      54.225.165.85  192.168.2.7
                                                          May 4, 2021 20:32:15.081214905 CEST  443          49745      54.225.165.85  192.168.2.7
                                                          May 4, 2021 20:32:15.081254005 CEST  49745        443        192.168.2.7    54.225.165.85
                                                          May 4, 2021 20:32:15.081312895 CEST  49745        443        192.168.2.7    54.225.165.85
                                                          May 4, 2021 20:32:15.082535028 CEST  443          49745      54.225.165.85  192.168.2.7
                                                          May 4, 2021 20:32:15.082566023 CEST  443          49745      54.225.165.85  192.168.2.7
                                                          May 4, 2021 20:32:15.082684040 CEST  49745        443        192.168.2.7    54.225.165.85
                                                          May 4, 2021 20:32:15.106251955 CEST  49745        443        192.168.2.7    54.225.165.85
                                                          May 4, 2021 20:32:15.242754936 CEST  443          49745      54.225.165.85  192.168.2.7
                                                          May 4, 2021 20:32:15.389569044 CEST  49745        443        192.168.2.7    54.225.165.85
                                                          May 4, 2021 20:32:15.728473902 CEST  49745        443        192.168.2.7    54.225.165.85
                                                          May 4, 2021 20:32:15.878981113 CEST  443          49745      54.225.165.85  192.168.2.7
                                                          May 4, 2021 20:32:15.926398039 CEST  49745        443        192.168.2.7    54.225.165.85
                                                          May 4, 2021 20:32:33.874614954 CEST  49745        443        192.168.2.7    54.225.165.85
                                                          May 4, 2021 20:32:34.010678053 CEST  443          49745      54.225.165.85  192.168.2.7
                                                          May 4, 2021 20:32:34.010718107 CEST  443          49745      54.225.165.85  192.168.2.7
                                                          May 4, 2021 20:32:34.010852098 CEST  49745        443        192.168.2.7    54.225.165.85
                                                          May 4, 2021 20:32:34.010889053 CEST  49745        443        192.168.2.7    54.225.165.85

                                                          UDP Packets

                                                          Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                                          May 4, 2021 20:30:08.858066082 CEST  58562        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:08.860856056 CEST  53           61242      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:08.908843040 CEST  53           58562      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:10.097419977 CEST  56590        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:10.148925066 CEST  53           56590      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:10.873898029 CEST  60501        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:10.933217049 CEST  53           60501      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:11.218646049 CEST  53775        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:11.269264936 CEST  53           53775      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:12.459719896 CEST  51837        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:12.511441946 CEST  53           51837      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:14.032279015 CEST  55411        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:14.089430094 CEST  53           55411      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:15.235475063 CEST  63668        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:15.297601938 CEST  53           63668      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:16.129601955 CEST  54640        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:16.180043936 CEST  53           54640      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:16.953202009 CEST  58739        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:17.002230883 CEST  53           58739      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:18.285514116 CEST  60338        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:18.336981058 CEST  53           60338      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:20.190808058 CEST  58717        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:20.242209911 CEST  53           58717      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:21.235343933 CEST  59762        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:21.285810947 CEST  53           59762      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:22.165676117 CEST  54329        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:22.214337111 CEST  53           54329      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:23.331059933 CEST  58052        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:23.379683971 CEST  53           58052      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:24.278430939 CEST  54008        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:24.340960026 CEST  53           54008      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:25.797188997 CEST  59451        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:25.845814943 CEST  53           59451      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:26.936392069 CEST  52914        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:26.989067078 CEST  53           52914      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:27.815330029 CEST  64569        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:27.866847992 CEST  53           64569      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:28.927364111 CEST  52816        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:28.976022005 CEST  53           52816      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:30.022737980 CEST  50781        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:30.071572065 CEST  53           50781      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:31.006349087 CEST  54230        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:31.055059910 CEST  53           54230      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:33.959883928 CEST  54911        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:34.023421049 CEST  53           54911      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:30:47.864540100 CEST  49958        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:30:47.915407896 CEST  53           49958      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:31:00.323000908 CEST  50860        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:31:00.391858101 CEST  53           50860      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:31:04.054985046 CEST  50452        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:31:04.109242916 CEST  53           50452      8.8.8.8      192.168.2.7
                                                          May 4, 2021 20:31:33.836658001 CEST  59730        53         192.168.2.7  8.8.8.8
                                                          May 4, 2021 20:31:33.885449886 CEST53597308.8.8.8192.168.2.7
                                                          May 4, 2021 20:31:40.126043081 CEST5931053192.168.2.78.8.8.8
                                                          May 4, 2021 20:31:40.178687096 CEST53593108.8.8.8192.168.2.7
                                                          May 4, 2021 20:32:00.569900990 CEST5191953192.168.2.78.8.8.8
                                                          May 4, 2021 20:32:00.631804943 CEST53519198.8.8.8192.168.2.7
                                                          May 4, 2021 20:32:01.364115953 CEST6429653192.168.2.78.8.8.8
                                                          May 4, 2021 20:32:01.421082973 CEST53642968.8.8.8192.168.2.7
                                                          May 4, 2021 20:32:02.005837917 CEST5668053192.168.2.78.8.8.8
                                                          May 4, 2021 20:32:02.055875063 CEST5882053192.168.2.78.8.8.8
                                                          May 4, 2021 20:32:02.066869974 CEST53566808.8.8.8192.168.2.7
                                                          May 4, 2021 20:32:02.114784002 CEST53588208.8.8.8192.168.2.7
                                                          May 4, 2021 20:32:02.530379057 CEST6098353192.168.2.78.8.8.8
                                                          May 4, 2021 20:32:02.590306044 CEST53609838.8.8.8192.168.2.7
                                                          May 4, 2021 20:32:03.279875040 CEST4924753192.168.2.78.8.8.8
                                                          May 4, 2021 20:32:03.328921080 CEST53492478.8.8.8192.168.2.7
                                                          May 4, 2021 20:32:03.916090012 CEST5228653192.168.2.78.8.8.8
                                                          May 4, 2021 20:32:03.973351955 CEST53522868.8.8.8192.168.2.7
                                                          May 4, 2021 20:32:04.578849077 CEST5606453192.168.2.78.8.8.8
                                                          May 4, 2021 20:32:04.715496063 CEST53560648.8.8.8192.168.2.7
                                                          May 4, 2021 20:32:05.982620001 CEST6374453192.168.2.78.8.8.8
                                                          May 4, 2021 20:32:06.094033957 CEST53637448.8.8.8192.168.2.7
                                                          May 4, 2021 20:32:08.383146048 CEST6145753192.168.2.78.8.8.8
                                                          May 4, 2021 20:32:08.467329979 CEST53614578.8.8.8192.168.2.7
                                                          May 4, 2021 20:32:08.930804014 CEST5836753192.168.2.78.8.8.8
                                                          May 4, 2021 20:32:09.063206911 CEST53583678.8.8.8192.168.2.7
                                                          May 4, 2021 20:32:14.348215103 CEST6059953192.168.2.78.8.8.8
                                                          May 4, 2021 20:32:14.402070045 CEST53605998.8.8.8192.168.2.7
                                                          May 4, 2021 20:32:14.419312954 CEST5957153192.168.2.78.8.8.8
                                                          May 4, 2021 20:32:14.468091965 CEST53595718.8.8.8192.168.2.7
                                                          May 4, 2021 20:32:33.872912884 CEST5268953192.168.2.78.8.8.8
                                                          May 4, 2021 20:32:33.922251940 CEST53526898.8.8.8192.168.2.7

                                                          DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2021 20:32:14.348215103 CEST | 192.168.2.7 | 8.8.8.8 | 0x6aa9 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.419312954 CEST | 192.168.2.7 | 8.8.8.8 | 0x38d6 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
May 4, 2021 20:32:33.872912884 CEST | 192.168.2.7 | 8.8.8.8 | 0xe9af | Standard query (0) | smtpauth.earthlink.net | A (IP address) | IN (0x0001)

                                                          DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 20:32:14.402070045 CEST | 8.8.8.8 | 192.168.2.7 | 0x6aa9 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 20:32:14.402070045 CEST | 8.8.8.8 | 192.168.2.7 | 0x6aa9 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 20:32:14.402070045 CEST | 8.8.8.8 | 192.168.2.7 | 0x6aa9 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.165.85 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.402070045 CEST | 8.8.8.8 | 192.168.2.7 | 0x6aa9 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.83.248 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.402070045 CEST | 8.8.8.8 | 192.168.2.7 | 0x6aa9 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.144.221 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.402070045 CEST | 8.8.8.8 | 192.168.2.7 | 0x6aa9 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.19.216.111 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.402070045 CEST | 8.8.8.8 | 192.168.2.7 | 0x6aa9 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.19.242.215 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.402070045 CEST | 8.8.8.8 | 192.168.2.7 | 0x6aa9 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.21.252.4 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.402070045 CEST | 8.8.8.8 | 192.168.2.7 | 0x6aa9 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.19.252.36 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.402070045 CEST | 8.8.8.8 | 192.168.2.7 | 0x6aa9 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.19.96.218 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.468091965 CEST | 8.8.8.8 | 192.168.2.7 | 0x38d6 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 20:32:14.468091965 CEST | 8.8.8.8 | 192.168.2.7 | 0x38d6 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 20:32:14.468091965 CEST | 8.8.8.8 | 192.168.2.7 | 0x38d6 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.165.85 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.468091965 CEST | 8.8.8.8 | 192.168.2.7 | 0x38d6 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.83.248 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.468091965 CEST | 8.8.8.8 | 192.168.2.7 | 0x38d6 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.144.221 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.468091965 CEST | 8.8.8.8 | 192.168.2.7 | 0x38d6 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.19.216.111 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.468091965 CEST | 8.8.8.8 | 192.168.2.7 | 0x38d6 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.19.242.215 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.468091965 CEST | 8.8.8.8 | 192.168.2.7 | 0x38d6 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.21.252.4 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.468091965 CEST | 8.8.8.8 | 192.168.2.7 | 0x38d6 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.19.252.36 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:14.468091965 CEST | 8.8.8.8 | 192.168.2.7 | 0x38d6 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.19.96.218 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:33.922251940 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9af | No error (0) | smtpauth.earthlink.net | | 207.69.189.209 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:33.922251940 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9af | No error (0) | smtpauth.earthlink.net | | 207.69.189.210 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:33.922251940 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9af | No error (0) | smtpauth.earthlink.net | | 207.69.189.201 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:33.922251940 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9af | No error (0) | smtpauth.earthlink.net | | 207.69.189.202 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:33.922251940 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9af | No error (0) | smtpauth.earthlink.net | | 207.69.189.203 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:33.922251940 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9af | No error (0) | smtpauth.earthlink.net | | 207.69.189.204 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:33.922251940 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9af | No error (0) | smtpauth.earthlink.net | | 207.69.189.205 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:33.922251940 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9af | No error (0) | smtpauth.earthlink.net | | 207.69.189.206 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:33.922251940 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9af | No error (0) | smtpauth.earthlink.net | | 207.69.189.207 | A (IP address) | IN (0x0001)
May 4, 2021 20:32:33.922251940 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9af | No error (0) | smtpauth.earthlink.net | | 207.69.189.208 | A (IP address) | IN (0x0001)

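The DNS activity above is the usual AgentTesla prelude to SMTP exfiltration: the sample resolves api.ipify.org twice at 20:32:14 to learn the victim's public IP for its report, then about 19 seconds later resolves smtpauth.earthlink.net, the mail-submission host it will authenticate to. The Python script below is an added example, not part of the Joe Sandbox report, that turns this sequence into a detection over DNS query records. Its input is constructed from the DNS Queries table (the same three rows, tab-separated); the IP-check watchlist, the mail-host name pattern and the five-minute window are assumptions to tune for your environment.

```python
"""Flag an external-IP check followed shortly by a mail-submission host lookup.
Added example; the input rows are constructed from the report's DNS Queries table."""
import re
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, resolver, transaction ID, name, type.
SAMPLE_DNS_LOG = """\
May 4, 2021 20:32:14.348215103 CEST\t192.168.2.7\t8.8.8.8\t0x6aa9\tapi.ipify.org\tA
May 4, 2021 20:32:14.419312954 CEST\t192.168.2.7\t8.8.8.8\t0x38d6\tapi.ipify.org\tA
May 4, 2021 20:32:33.872912884 CEST\t192.168.2.7\t8.8.8.8\t0xe9af\tsmtpauth.earthlink.net\tA
"""

# Assumed watchlists: public "what is my IP" services stealers query before reporting home,
# and hostname prefixes that mark SMTP submission endpoints rather than ordinary web hosts.
IP_CHECK_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com", "ipinfo.io"}
MAIL_HOST_RE = re.compile(r"^(smtp|smtpauth|mail|securesmtp|submission)\d*\.", re.IGNORECASE)


def parse_timestamp(text):
    """Parse Joe Sandbox's 'May 4, 2021 20:32:14.348215103 CEST' format.
    datetime carries at most microseconds, so the nanosecond tail is truncated;
    the zone label is dropped because every row of one report shares it."""
    stamp = text.rsplit(" ", 1)[0]
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_dns_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, resolver, txid, name, qtype = line.split("\t")
        rows.append({"ts": parse_timestamp(ts), "src": src, "resolver": resolver,
                     "txid": txid, "name": name.rstrip(".").lower(), "type": qtype})
    return rows


def find_exfil_prelude(rows, window_seconds=300):
    """Return one finding per source host where a lookup of an IP-check service is
    followed, within the window, by a lookup of a mail-submission host.
    Each finding is (source IP, ip-check name, mail host, seconds between them)."""
    window = timedelta(seconds=window_seconds)
    by_src = {}
    for row in rows:
        by_src.setdefault(row["src"], []).append(row)
    findings = []
    for src, seq in by_src.items():
        seq.sort(key=lambda r: r["ts"])
        last_ip_check = None
        for row in seq:
            if row["name"] in IP_CHECK_HOSTS:
                last_ip_check = row          # remember the most recent IP check
            elif last_ip_check and MAIL_HOST_RE.match(row["name"]):
                gap = row["ts"] - last_ip_check["ts"]
                if gap <= window:
                    findings.append((src, last_ip_check["name"], row["name"],
                                     round(gap.total_seconds(), 3)))
                    last_ip_check = None     # one finding per IP-check / mail-host pair
    return findings


if __name__ == "__main__":
    for finding in find_exfil_prelude(parse_dns_log(SAMPLE_DNS_LOG)):
        print("possible stealer exfiltration prelude:", finding)
```

Run against the constructed rows it reports one finding for 192.168.2.7 with a gap of roughly 19.45 seconds; shrinking the window below that gap suppresses it. The ordering matters: the same two hostnames in the opposite order (mail first, IP check later) is ordinary client behaviour and is deliberately not flagged.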
                                                          HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
May 4, 2021 20:32:15.082566023 CEST | 54.225.165.85 | 443 | 192.168.2.7 | 49745 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e

Certificate chain presented by the server in that session (leaf first):

Subject | Issuer | Not Before | Not After
CN=*.ipify.org | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Jan 19 01:00:00 CET 2021 | Sun Feb 20 00:59:59 CET 2022
CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | Fri Nov 02 01:00:00 CET 2018 | Wed Jan 01 00:59:59 CET 2031
CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Mar 12 01:00:00 CET 2019 | Mon Jan 01 00:59:59 CET 2029
CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB (self-signed root) | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029

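The JA3 fingerprint in the HTTPS row is a compact description of the sample's ClientHello: TLS version, offered cipher suites, extensions, supported groups and point formats, each list in the order the client sent it, and the digest is the MD5 of that string. Because this sample is a .NET binary, the TLS stack is Windows SChannel, so the same digest appears for many legitimate Windows programs; it identifies the client stack, not the malware family, and is an enrichment rather than a stand-alone indicator. The Python below is an added example, not part of the report, that decomposes the reported string, names the suites and extensions, and recomputes the digest for comparison with the value Joe Sandbox lists. The cipher, extension and group name tables are the relevant subset of the IANA registries, assumed correct for the identifiers present here.

```python
"""Decompose a JA3 client fingerprint and recompute its digest.
Added example; REPORTED_JA3 and REPORTED_DIGEST are copied from the report's HTTPS Packets row.
JA3 = MD5("SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats"),
each list joined with '-' in ClientHello order."""
import hashlib

REPORTED_JA3 = ("771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-"
                "49162-49161-49172-49171-157-156-61-60-53-47-10,"
                "0-10-11-13-35-23-65281,29-23-24,0")
REPORTED_DIGEST = "3b5074b1b5d032e5620f69f9f700ff0e"

TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}
EXTENSIONS = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
              13: "signature_algorithms", 23: "extended_master_secret",
              35: "session_ticket", 65281: "renegotiation_info"}
GROUPS = {29: "x25519", 23: "secp256r1", 24: "secp384r1"}
# IANA cipher-suite names for the identifiers in this ClientHello (subset of the registry).
CIPHERS = {
    49196: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 49195: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    49200: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 49199: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    159: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", 158: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    49188: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 49187: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    49192: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 49191: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    49162: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 49161: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    49172: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 49171: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    157: "TLS_RSA_WITH_AES_256_GCM_SHA384", 156: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    61: "TLS_RSA_WITH_AES_256_CBC_SHA256", 60: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    53: "TLS_RSA_WITH_AES_256_CBC_SHA", 47: "TLS_RSA_WITH_AES_128_CBC_SHA",
    10: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def ja3_digest(fingerprint):
    """The JA3 digest is plain MD5 over the ASCII fingerprint string."""
    return hashlib.md5(fingerprint.encode("ascii")).hexdigest()


def parse_ja3(fingerprint):
    """Split a JA3 string into its five fields and label the numeric identifiers."""
    fields = fingerprint.split(",")
    if len(fields) != 5:
        raise ValueError("JA3 string must have exactly five comma-separated fields")
    ints = lambda field: [int(x) for x in field.split("-")] if field else []
    version = int(fields[0])
    ciphers, exts, groups, fmts = (ints(f) for f in fields[1:])
    return {
        "version": TLS_VERSIONS.get(version, f"unknown({version})"),
        "ciphers": ciphers,
        "cipher_names": [CIPHERS.get(c, f"unknown({c})") for c in ciphers],
        "extensions": exts,
        "extension_names": [EXTENSIONS.get(e, f"unknown({e})") for e in exts],
        "groups": groups,
        "group_names": [GROUPS.get(g, f"unknown({g})") for g in groups],
        "point_formats": fmts,
        "digest": ja3_digest(fingerprint),
    }


def static_rsa_suites(ciphers):
    """Suites with no forward secrecy (static RSA key exchange), in offered order."""
    return [c for c in ciphers if CIPHERS.get(c, "").startswith("TLS_RSA_")]


if __name__ == "__main__":
    info = parse_ja3(REPORTED_JA3)
    print(info["version"], "|", len(info["ciphers"]), "suites |", info["group_names"])
    print("extensions:", info["extension_names"])
    print("static-RSA suites offered:", static_rsa_suites(info["ciphers"]))
    print("recomputed digest:", info["digest"], "matches report:", info["digest"] == REPORTED_DIGEST)
```

Reading the output against the report: the client offered TLS 1.2 with 21 suites, ECDHE/DHE GCM suites first and seven static-RSA suites (including 3DES) at the tail, the server_name extension (so the SNI api.ipify.org is visible on the wire), and x25519/secp256r1/secp384r1 groups. Hunting on this digest alone will match ordinary Windows software; pair it with the destination (api.ipify.org from a process that should not be checking its public IP) to get a useful signal.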
                                                          Code Manipulations

                                                          Statistics

                                                          Behavior


                                                          System Behavior

                                                          General

                                                          Start time:20:30:16
                                                          Start date:04/05/2021
                                                          Path:C:\Users\user\Desktop\Sample Order.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:'C:\Users\user\Desktop\Sample Order.exe'
                                                          Imagebase:0x520000
                                                          File size:1027584 bytes
                                                          MD5 hash:72D643819882BAF6C48246024D4755D1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.277083861.0000000003BFF000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          General

                                                          Start time:20:30:33
                                                          Start date:04/05/2021
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp8100.tmp'
                                                          Imagebase:0xd60000
                                                          File size:185856 bytes
                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:20:30:35
                                                          Start date:04/05/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff774ee0000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:20:30:35
                                                          Start date:04/05/2021
                                                          Path:C:\Users\user\Desktop\Sample Order.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:{path}
                                                          Imagebase:0xc60000
                                                          File size:1027584 bytes
                                                          MD5 hash:72D643819882BAF6C48246024D4755D1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.508711336.0000000003151000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.500306866.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          General

                                                          Start time:20:31:11
                                                          Start date:04/05/2021
                                                          Path:C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:'C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe'
                                                          Imagebase:0x5f0000
                                                          File size:1027584 bytes
                                                          MD5 hash:72D643819882BAF6C48246024D4755D1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.380533904.0000000003C5F000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          General

                                                          Start time:20:31:21
                                                          Start date:04/05/2021
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OnUeAYnP' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F4E.tmp'
                                                          Imagebase:0xa30000
                                                          File size:185856 bytes
                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:20:31:22
                                                          Start date:04/05/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff774ee0000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:20:31:23
                                                          Start date:04/05/2021
                                                          Path:C:\Users\user\AppData\Roaming\wAyLNJ\wAyLNJ.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:{path}
                                                          Imagebase:0xc90000
                                                          File size:1027584 bytes
                                                          MD5 hash:72D643819882BAF6C48246024D4755D1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.500770724.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.507502345.0000000003181000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          Disassembly

                                                          Code Analysis
