Windows Analysis Report New Order4687334.exe

Overview

General Information

Sample Name: New Order4687334.exe
Analysis ID: 532631
MD5: abc0d5990e243c73bcb0ef52f113c9c8
SHA1: a62d9e6614ab925a6ec5ec1d8c8abeb44cf51ef0
SHA256: b8baaf727f8da89fe81122fd5c93c3d34b7f3f78ae90403309d7d335e0bb3792
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Sigma detected: Suspicius Add Task From User AppData Temp
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 15.0.New Order4687334.exe.400000.6.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1898999986", "Chat URL": "https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/sendDocument"}
Source: New Order4687334.exe.6184.15.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/sendMessage"}
Multi AV Scanner detection for submitted file
Source: New Order4687334.exe Virustotal: Detection: 41%
Source: New Order4687334.exe ReversingLabs: Detection: 37%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\lGBqbwYsd.exe ReversingLabs: Detection: 37%
Antivirus or Machine Learning detection for unpacked file
Source: 15.0.New Order4687334.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 15.0.New Order4687334.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 15.2.New Order4687334.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 15.0.New Order4687334.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 15.0.New Order4687334.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 15.0.New Order4687334.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: New Order4687334.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New Order4687334.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: New Order4687334.exe, 0000000F.00000002.534532246.000000000336C000.00000004.00000001.sdmp String found in binary or memory: http://api.telegram.org
Source: New Order4687334.exe, 0000000F.00000002.532829040.00000000012B0000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://psZqXY.com
Source: New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp, New Order4687334.exe, 0000000F.00000002.534496680.0000000003358000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, New Order4687334.exe, 0000000F.00000002.534532246.000000000336C000.00000004.00000001.sdmp, New Order4687334.exe, 0000000F.00000002.534476274.0000000003352000.00000004.00000001.sdmp String found in binary or memory: http://xd9iIaiS4bffM0SeD.com
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: New Order4687334.exe, 0000000F.00000002.534496680.0000000003358000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org
Source: New Order4687334.exe, 00000001.00000002.318200591.00000000040BF000.00000004.00000001.sdmp, New Order4687334.exe, 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp, New Order4687334.exe, 0000000F.00000000.310261414.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/
Source: New Order4687334.exe, 0000000F.00000002.534496680.0000000003358000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/sendDocument
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/sendDocumentdocument-----
Source: New Order4687334.exe, 0000000F.00000002.534496680.0000000003358000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org4ol
Source: New Order4687334.exe, 0000000F.00000002.534709897.00000000033A6000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.orgD8ol
Source: New Order4687334.exe, 00000001.00000002.318200591.00000000040BF000.00000004.00000001.sdmp, New Order4687334.exe, 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp, New Order4687334.exe, 0000000F.00000000.310261414.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: api.telegram.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\New Order4687334.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: New Order4687334.exe
.NET source code contains very large array initializations
Source: 15.0.New Order4687334.exe.400000.6.unpack, <PrivateImplementationDetails>{22A533B5-D43A-4F70-A411-1006D30E89A3}/3FB20675-5C8A-4C8D-B735-4258DA9C53F3.cs Large array initialization: .cctor: array initializer size 12026
Source: 15.2.New Order4687334.exe.400000.0.unpack, <PrivateImplementationDetails>{22A533B5-D43A-4F70-A411-1006D30E89A3}/3FB20675-5C8A-4C8D-B735-4258DA9C53F3.cs Large array initialization: .cctor: array initializer size 12026
Uses 32bit PE files
Source: New Order4687334.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 1_2_00A52C66 1_2_00A52C66
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 1_2_0126E76A 1_2_0126E76A
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 1_2_0126E778 1_2_0126E778
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 1_2_0126BDC4 1_2_0126BDC4
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 1_2_00A52050 1_2_00A52050
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_00B12C66 15_2_00B12C66
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_01326198 15_2_01326198
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_013268D0 15_2_013268D0
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_01325B60 15_2_01325B60
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_01324D3D 15_2_01324D3D
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_0132B527 15_2_0132B527
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_0132C110 15_2_0132C110
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_0132D516 15_2_0132D516
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_0132B109 15_2_0132B109
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_0132D58A 15_2_0132D58A
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_0132B589 15_2_0132B589
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_0132D5FA 15_2_0132D5FA
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_0132B836 15_2_0132B836
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_01324C0D 15_2_01324C0D
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_0132D486 15_2_0132D486
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_0132D4F2 15_2_0132D4F2
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_0132B4DF 15_2_0132B4DF
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_01323BC7 15_2_01323BC7
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_01324A68 15_2_01324A68
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_013F4800 15_2_013F4800
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_013F4710 15_2_013F4710
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_013FD8A1 15_2_013FD8A1
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_00B12050 15_2_00B12050
Sample file is different than original file name gathered from version info
Source: New Order4687334.exe, 00000001.00000002.318200591.00000000040BF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamebLovAOHPCmcvaneJbXyAVBQvawZcGDkAOrRYWFe.exe4 vs New Order4687334.exe
Source: New Order4687334.exe, 00000001.00000000.263101037.0000000000B00000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameHasCopySemanticsAttribu.exeB vs New Order4687334.exe
Source: New Order4687334.exe, 00000001.00000002.319156306.00000000055D0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs New Order4687334.exe
Source: New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs New Order4687334.exe
Source: New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamebLovAOHPCmcvaneJbXyAVBQvawZcGDkAOrRYWFe.exe4 vs New Order4687334.exe
Source: New Order4687334.exe, 00000001.00000002.319540495.00000000061C0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs New Order4687334.exe
Source: New Order4687334.exe, 00000001.00000003.267389204.000000000405A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs New Order4687334.exe
Source: New Order4687334.exe, 0000000F.00000000.312177342.0000000000BC0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameHasCopySemanticsAttribu.exeB vs New Order4687334.exe
Source: New Order4687334.exe, 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamebLovAOHPCmcvaneJbXyAVBQvawZcGDkAOrRYWFe.exe4 vs New Order4687334.exe
Source: New Order4687334.exe, 0000000F.00000002.532370684.00000000011F9000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs New Order4687334.exe
Source: New Order4687334.exe, 0000000F.00000002.531127500.0000000000F68000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New Order4687334.exe
Source: New Order4687334.exe Binary or memory string: OriginalFilenameHasCopySemanticsAttribu.exeB vs New Order4687334.exe
PE file contains strange resources
Source: New Order4687334.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lGBqbwYsd.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Order4687334.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lGBqbwYsd.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: New Order4687334.exe Virustotal: Detection: 41%
Source: New Order4687334.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\New Order4687334.exe File read: C:\Users\user\Desktop\New Order4687334.exe
Source: New Order4687334.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Order4687334.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\New Order4687334.exe "C:\Users\user\Desktop\New Order4687334.exe"
Source: C:\Users\user\Desktop\New Order4687334.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Order4687334.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" /XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Order4687334.exe Process created: C:\Users\user\Desktop\New Order4687334.exe C:\Users\user\Desktop\New Order4687334.exe
Source: C:\Users\user\Desktop\New Order4687334.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe"
Source: C:\Users\user\Desktop\New Order4687334.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" /XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp"
Source: C:\Users\user\Desktop\New Order4687334.exe Process created: C:\Users\user\Desktop\New Order4687334.exe C:\Users\user\Desktop\New Order4687334.exe
Source: C:\Users\user\Desktop\New Order4687334.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\New Order4687334.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order4687334.exe File created: C:\Users\user\AppData\Roaming\lGBqbwYsd.exe
Source: C:\Users\user\Desktop\New Order4687334.exe File created: C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/8@1/0
Source: C:\Users\user\Desktop\New Order4687334.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\New Order4687334.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New Order4687334.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
Source: C:\Users\user\Desktop\New Order4687334.exe Mutant created: \Sessions\1\BaseNamedObjects\kNBGhgzUpwTPbWqNEfFgvION
Source: 15.0.New Order4687334.exe.400000.6.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.2.New Order4687334.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\New Order4687334.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: New Order4687334.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New Order4687334.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: New Order4687334.exe, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: lGBqbwYsd.exe.1.dr, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.New Order4687334.exe.a50000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.New Order4687334.exe.a50000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.New Order4687334.exe.b10000.1.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.New Order4687334.exe.b10000.7.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.New Order4687334.exe.b10000.2.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.New Order4687334.exe.b10000.9.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.New Order4687334.exe.b10000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 1_2_00A542BF push ss; iretd 1_2_00A542F6
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 1_2_00A5424F push es; iretd 1_2_00A5425C
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 1_2_0126E768 pushfd ; ret 1_2_0126E769
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_00B142BF push ss; iretd 15_2_00B142F6
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_00B1424F push es; iretd 15_2_00B1425C
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_0132E53B push esp; retf 15_2_0132E546
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_0132D41A push ecx; retf 15_2_0132D421
Source: C:\Users\user\Desktop\New Order4687334.exe Code function: 15_2_0132D3FA push ecx; retf 15_2_0132D415
Source: initial sample Static PE information: section name: .text entropy: 7.85496996134

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\New Order4687334.exe File created: C:\Users\user\AppData\Roaming\lGBqbwYsd.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\New Order4687334.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" /XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp"

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\New Order4687334.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\New Order4687334.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order4687334.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 1.2.New Order4687334.exe.2fc1430.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.316046595.0000000003267000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order4687334.exe PID: 4548, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: New Order4687334.exe, 00000001.00000002.316046595.0000000003267000.00000004.00000001.sdmp, New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: New Order4687334.exe, 00000001.00000002.316046595.0000000003267000.00000004.00000001.sdmp, New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order4687334.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order4687334.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\New Order4687334.exe TID: 2188 Thread sleep time: -34764s >= -30000s
Source: C:\Users\user\Desktop\New Order4687334.exe TID: 668 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\New Order4687334.exe TID: 6188 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7036 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\Desktop\New Order4687334.exe TID: 1808 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\Desktop\New Order4687334.exe TID: 6716 Thread sleep count: 2762 > 30
Source: C:\Users\user\Desktop\New Order4687334.exe TID: 6716 Thread sleep count: 7081 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\New Order4687334.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\New Order4687334.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6720
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1929
Source: C:\Users\user\Desktop\New Order4687334.exe Window / User API: threadDelayed 2762
Source: C:\Users\user\Desktop\New Order4687334.exe Window / User API: threadDelayed 7081
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order4687334.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order4687334.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\New Order4687334.exe Thread delayed: delay time: 34764
Source: C:\Users\user\Desktop\New Order4687334.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\New Order4687334.exe Thread delayed: delay time: 922337203685477
Source: New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: New Order4687334.exe, 0000000F.00000002.532678130.0000000001262000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]M
Source: New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\New Order4687334.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\New Order4687334.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\New Order4687334.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\New Order4687334.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\New Order4687334.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe
Source: C:\Users\user\Desktop\New Order4687334.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" /XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp
Source: C:\Users\user\Desktop\New Order4687334.exe Process created: C:\Users\user\Desktop\New Order4687334.exe C:\Users\user\Desktop\New Order4687334.exe
Source: New Order4687334.exe, 0000000F.00000002.533912150.0000000001AE0000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: New Order4687334.exe, 0000000F.00000002.533912150.0000000001AE0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: New Order4687334.exe, 0000000F.00000002.533912150.0000000001AE0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: New Order4687334.exe, 0000000F.00000002.533912150.0000000001AE0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\New Order4687334.exe Queries volume information: C:\Users\user\Desktop\New Order4687334.exe VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe Queries volume information: C:\Users\user\Desktop\New Order4687334.exe VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Telegram RAT
Source: Yara match File source: 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order4687334.exe PID: 4548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: New Order4687334.exe PID: 6184, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match File source: 1.2.New Order4687334.exe.41e0718.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order4687334.exe.4216938.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order4687334.exe.4216938.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.New Order4687334.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.New Order4687334.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order4687334.exe.41e0718.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.New Order4687334.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.New Order4687334.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.New Order4687334.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.New Order4687334.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.311913229.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.310261414.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.311127679.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.312585278.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.318200591.00000000040BF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order4687334.exe PID: 4548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: New Order4687334.exe PID: 6184, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order4687334.exe PID: 6184, type: MEMORYSTR

Remote Access Functionality:

Yara detected Telegram RAT
Source: Yara match File source: 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order4687334.exe PID: 4548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: New Order4687334.exe PID: 6184, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match File source: 1.2.New Order4687334.exe.41e0718.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order4687334.exe.4216938.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order4687334.exe.4216938.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.New Order4687334.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.New Order4687334.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order4687334.exe.41e0718.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.New Order4687334.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.New Order4687334.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.New Order4687334.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.New Order4687334.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.311913229.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.310261414.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.311127679.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.312585278.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.318200591.00000000040BF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order4687334.exe PID: 4548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: New Order4687334.exe PID: 6184, type: MEMORYSTR
No contacted IP infos