Loading ...

Play interactive tourEdit tour

Analysis Report ashleyx.exe

Overview

General Information

Sample Name:ashleyx.exe
Analysis ID:404252
MD5:34d4452c1b344685e3f5fd7d0e9640a1
SHA1:bb42e71329d2ad4baff54600020eb7053cc53026
SHA256:65e210b78d73141c61b7087dce60499ca6c225e1b028d3951589c93baa8f0668
Tags:AgentTeslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • ashleyx.exe (PID: 7048 cmdline: 'C:\Users\user\Desktop\ashleyx.exe' MD5: 34D4452C1B344685E3F5FD7D0E9640A1)
    • ashleyx.exe (PID: 2204 cmdline: {path} MD5: 34D4452C1B344685E3F5FD7D0E9640A1)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "logs@phuboatrading-vn.comof2ZCW1li4ipTfyEsmtp.phuboatrading-vn.commylogs@phuboatrading-vn.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.911793295.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.683944483.0000000004D15000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000000.00000002.680319941.00000000040C9000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 4 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.ashleyx.exe.4d757b8.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.ashleyx.exe.4d15598.4.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.ashleyx.exe.43c7e50.2.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  4.2.ashleyx.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    0.2.ashleyx.exe.4d757b8.3.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 4.2.ashleyx.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "logs@phuboatrading-vn.comof2ZCW1li4ipTfyEsmtp.phuboatrading-vn.commylogs@phuboatrading-vn.com"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: ashleyx.exeVirustotal: Detection: 30%Perma Link
                      Source: ashleyx.exeReversingLabs: Detection: 40%
                      Machine Learning detection for sampleShow sources
                      Source: ashleyx.exeJoe Sandbox ML: detected
                      Source: 4.2.ashleyx.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: ashleyx.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: ashleyx.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49763 -> 79.141.164.23:25
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49764 -> 79.141.164.23:25
                      Source: Joe Sandbox ViewASN Name: HZ-NL-ASGB HZ-NL-ASGB
                      Source: global trafficTCP traffic: 192.168.2.4:49763 -> 79.141.164.23:25
                      Source: unknownDNS traffic detected: queries for: smtp.phuboatrading-vn.com
                      Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmp, ashleyx.exe, 00000004.00000002.913746975.00000000035CC000.00000004.00000001.sdmpString found in binary or memory: http://fl3gHqcqlp4Nk7qizX.net
                      Source: ashleyx.exe, 00000004.00000003.884379101.0000000001494000.00000004.00000001.sdmpString found in binary or memory: http://fl3gHqcqlp4Nk7qizX.net853321935-2125563209-4053062332-1002_Classes
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: ashleyx.exe, 00000004.00000002.913712228.00000000035BF000.00000004.00000001.sdmpString found in binary or memory: http://smtp.phuboatrading-vn.com
                      Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmpString found in binary or memory: http://wcmZQs.com
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: ashleyx.exe, 00000000.00000003.652269015.00000000060BE000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                      Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                      Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com3
                      Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comC
                      Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comIta
                      Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comS
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: ashleyx.exe, 00000000.00000003.651354790.00000000060BF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comn
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp, ashleyx.exe, 00000000.00000003.655202893.00000000060C0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: ashleyx.exe, 00000000.00000003.653202861.00000000060BE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers&
                      Source: ashleyx.exe, 00000000.00000003.653135407.00000000060BE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: ashleyx.exe, 00000000.00000003.654413827.00000000060C0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp, ashleyx.exe, 00000000.00000003.653796968.00000000060BF000.00000004.00000001.sdmp, ashleyx.exe, 00000000.00000003.653743073.00000000060BF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                      Source: ashleyx.exe, 00000000.00000003.654739623.00000000060C0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers0._
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp, ashleyx.exe, 00000000.00000003.653796968.00000000060BF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: ashleyx.exe, 00000000.00000003.655202893.00000000060C0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersb
                      Source: ashleyx.exe, 00000000.00000003.653569256.00000000060BF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersf
                      Source: ashleyx.exe, 00000000.00000003.661342053.00000000060C0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersivf
                      Source: ashleyx.exe, 00000000.00000003.655147245.00000000060C0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersk
                      Source: ashleyx.exe, 00000000.00000003.653448509.00000000060BF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
                      Source: ashleyx.exe, 00000000.00000002.685099190.0000000006090000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrita
                      Source: ashleyx.exe, 00000000.00000002.685099190.0000000006090000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comocK
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: ashleyx.exe, 00000000.00000003.651004266.00000000060BE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: ashleyx.exe, 00000000.00000003.651004266.00000000060BE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnN
                      Source: ashleyx.exe, 00000000.00000003.651004266.00000000060BE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnd
                      Source: ashleyx.exe, 00000000.00000003.651004266.00000000060BE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnp
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: ashleyx.exe, 00000000.00000003.656978899.00000000060C0000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmu
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmp, ashleyx.exe, 00000000.00000003.651990337.000000000609B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: ashleyx.exe, 00000000.00000003.652217428.0000000006098000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-
                      Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
                      Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
                      Source: ashleyx.exe, 00000000.00000003.651990337.000000000609B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/8
                      Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/DK
                      Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/VK
                      Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                      Source: ashleyx.exe, 00000000.00000003.652217428.0000000006098000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0Al
                      Source: ashleyx.exe, 00000000.00000003.651990337.000000000609B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0YK
                      Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
                      Source: ashleyx.exe, 00000000.00000003.652217428.0000000006098000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: ashleyx.exe, 00000000.00000003.652217428.0000000006098000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/8
                      Source: ashleyx.exe, 00000000.00000003.651812477.0000000006095000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/nt
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: ashleyx.exe, 00000000.00000003.651493647.00000000060C0000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comic
                      Source: ashleyx.exe, 00000000.00000003.651493647.00000000060C0000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.coms
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: ashleyx.exe, 00000000.00000003.653067561.00000000060BE000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                      Source: ashleyx.exe, 00000000.00000003.655452602.00000000060C0000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de.gd
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: ashleyx.exe, 00000000.00000002.685132707.0000000006180000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                      Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: ashleyx.exe, 00000000.00000002.683944483.0000000004D15000.00000004.00000001.sdmp, ashleyx.exe, 00000004.00000002.911793295.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: ashleyx.exe, 00000004.00000002.913258103.0000000003251000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Installs a global keyboard hookShow sources
                      Source: C:\Users\user\Desktop\ashleyx.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\ashleyx.exeJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 4.2.ashleyx.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE585CFC4u002d35D4u002d406Au002d9AC8u002d03651886402Cu007d/u003704BD87Au002dC313u002d43EFu002d8C88u002d22424C2E14F6.csLarge array initialization: .cctor: array initializer size 11998
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_02F9C6B40_2_02F9C6B4
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_02F9F0580_2_02F9F058
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_02F9F04B0_2_02F9F04B
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B14EF80_2_07B14EF8
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B125A00_2_07B125A0
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B120A00_2_07B120A0
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B100400_2_07B10040
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B117FE0_2_07B117FE
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B117EB0_2_07B117EB
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B117010_2_07B11701
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B117480_2_07B11748
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B14EE80_2_07B14EE8
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B163D00_2_07B163D0
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B163CA0_2_07B163CA
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B12A900_2_07B12A90
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B12A820_2_07B12A82
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B120910_2_07B12091
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B148E00_2_07B148E0
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B148D00_2_07B148D0
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B110D80_2_07B110D8
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B110C60_2_07B110C6
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B100060_2_07B10006
                      Source: ashleyx.exeBinary or memory string: OriginalFilename vs ashleyx.exe
                      Source: ashleyx.exe, 00000000.00000002.674739447.0000000000D42000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRZVF0aMBAABaAKZ.exe4 vs ashleyx.exe
                      Source: ashleyx.exe, 00000000.00000002.683944483.0000000004D15000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameHKVWIQPkNrvsqpVPAUZtDZufQcU.exe4 vs ashleyx.exe
                      Source: ashleyx.exe, 00000000.00000002.675756207.00000000030C1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSmartFormat.dll8 vs ashleyx.exe
                      Source: ashleyx.exe, 00000000.00000002.686459066.0000000008EB0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs ashleyx.exe
                      Source: ashleyx.exe, 00000004.00000002.911793295.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameHKVWIQPkNrvsqpVPAUZtDZufQcU.exe4 vs ashleyx.exe
                      Source: ashleyx.exe, 00000004.00000002.912671645.0000000001720000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs ashleyx.exe
                      Source: ashleyx.exe, 00000004.00000002.911855636.0000000000EC2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRZVF0aMBAABaAKZ.exe4 vs ashleyx.exe
                      Source: ashleyx.exe, 00000004.00000002.912034930.0000000001358000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs ashleyx.exe
                      Source: ashleyx.exe, 00000004.00000002.917875823.0000000006AD0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs ashleyx.exe
                      Source: ashleyx.exeBinary or memory string: OriginalFilenameRZVF0aMBAABaAKZ.exe4 vs ashleyx.exe
                      Source: ashleyx.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: 4.2.ashleyx.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.2.ashleyx.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/2@2/1
                      Source: C:\Users\user\Desktop\ashleyx.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ashleyx.exe.logJump to behavior
                      Source: ashleyx.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\ashleyx.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\ashleyx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\ashleyx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\ashleyx.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: ashleyx.exe, 00000000.00000002.674739447.0000000000D42000.00000002.00020000.sdmp, ashleyx.exe, 00000004.00000002.911855636.0000000000EC2000.00000002.00020000.sdmpBinary or memory string: UPDATE centro_comercial.loja SET Contacto = @Contacto, Nome_comercial = @Nome_comercial, Renda = @Renda, Tipo = @Tipo, Area = @Area, Num_gerente = @Num_gerente, NIF_empresa = @NIF_empresa WHERE Num_loja = @Num_lojamDELETE centro_comercial.loja WHERE Num_loja=@Num_loja;
                      Source: ashleyx.exeVirustotal: Detection: 30%
                      Source: ashleyx.exeReversingLabs: Detection: 40%
                      Source: unknownProcess created: C:\Users\user\Desktop\ashleyx.exe 'C:\Users\user\Desktop\ashleyx.exe'
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess created: C:\Users\user\Desktop\ashleyx.exe {path}
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess created: C:\Users\user\Desktop\ashleyx.exe {path}Jump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: ashleyx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: ashleyx.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: ashleyx.exeStatic PE information: 0x9C58D04F [Thu Feb 13 13:29:51 2053 UTC]
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_02F98233 push 10056379h; ret 0_2_02F9823D
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_02F91C8B push ebx; iretd 0_2_02F91C7A
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B10695 push eax; iretd 0_2_07B10696
                      Source: C:\Users\user\Desktop\ashleyx.exeCode function: 0_2_07B1A19D push FFFFFF8Bh; iretd 0_2_07B1A19F
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.27698416733
                      Source: C:\Users\user\Desktop\ashleyx.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: Process Memory Space: ashleyx.exe PID: 7048, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\ashleyx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\ashleyx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\ashleyx.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeWindow / User API: threadDelayed 1760Jump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeWindow / User API: threadDelayed 8089Jump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exe TID: 7052Thread sleep time: -31500s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exe TID: 7068Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exe TID: 6848Thread sleep time: -20291418481080494s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exe TID: 6772Thread sleep count: 1760 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exe TID: 6772Thread sleep count: 8089 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\ashleyx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\ashleyx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\ashleyx.exeThread delayed: delay time: 31500Jump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                      Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: ashleyx.exe, 00000000.00000002.675932328.0000000003128000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: ashleyx.exe, 00000004.00000002.917649863.00000000067D0000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\ashleyx.exeMemory written: C:\Users\user\Desktop\ashleyx.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeProcess created: C:\Users\user\Desktop\ashleyx.exe {path}Jump to behavior
                      Source: ashleyx.exe, 00000004.00000002.912943938.0000000001C30000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: ashleyx.exe, 00000004.00000002.912943938.0000000001C30000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: ashleyx.exe, 00000004.00000002.912943938.0000000001C30000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: ashleyx.exe, 00000004.00000002.912943938.0000000001C30000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Users\user\Desktop\ashleyx.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ashleyx.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInform