
Windows Analysis Report New Order4687334.exe

Overview

General Information

Sample Name:New Order4687334.exe
Analysis ID:532631
MD5:abc0d5990e243c73bcb0ef52f113c9c8
SHA1:a62d9e6614ab925a6ec5ec1d8c8abeb44cf51ef0
SHA256:b8baaf727f8da89fe81122fd5c93c3d34b7f3f78ae90403309d7d335e0bb3792
Tags:exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Sigma detected: Suspicius Add Task From User AppData Temp
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • New Order4687334.exe (PID: 4548 cmdline: "C:\Users\user\Desktop\New Order4687334.exe" MD5: ABC0D5990E243C73BCB0EF52F113C9C8)
    • powershell.exe (PID: 6580 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 7064 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" /XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • New Order4687334.exe (PID: 6184 cmdline: C:\Users\user\Desktop\New Order4687334.exe MD5: ABC0D5990E243C73BCB0EF52F113C9C8)
  • cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1898999986", "Chat URL": "https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/sendDocument"}

Yara Overview

Memory Dumps

Source: 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000F.00000000.311913229.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000F.00000000.311913229.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000001.00000002.316046595.0000000003267000.00000004.00000001.sdmp, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security

Unpacked PEs

Source: 1.2.New Order4687334.exe.41e0718.3.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 1.2.New Order4687334.exe.41e0718.3.unpack, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 1.2.New Order4687334.exe.4216938.2.raw.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 1.2.New Order4687334.exe.4216938.2.raw.unpack, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 1.2.New Order4687334.exe.4216938.2.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started, Author: frack113, Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" /XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" /XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\New Order4687334.exe" , ParentImage: C:\Users\user\Desktop\New Order4687334.exe, ParentProcessId: 4548, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" /XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp, ProcessId: 7064
Sigma detected: Powershell Defender Exclusion
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\New Order4687334.exe" , ParentImage: C:\Users\user\Desktop\New Order4687334.exe, ParentProcessId: 4548, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe, ProcessId: 6580
Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\New Order4687334.exe" , ParentImage: C:\Users\user\Desktop\New Order4687334.exe, ParentProcessId: 4548, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe, ProcessId: 6580
Sigma detected: T1086 PowerShell Execution
Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: PipeName: \PSHost.132829607429420790.6580.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 15.0.New Order4687334.exe.400000.6.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1898999986", "Chat URL": "https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/sendDocument"}
Source: New Order4687334.exe.6184.15.memstrmin, Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/sendMessage"}
Multi AV Scanner detection for submitted file
Source: New Order4687334.exe, Virustotal: Detection: 41%
Source: New Order4687334.exe, ReversingLabs: Detection: 37%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\lGBqbwYsd.exe, ReversingLabs: Detection: 37%
Source: 15.0.New Order4687334.exe.400000.6.unpack, Avira: Label: TR/Spy.Gen8
Source: 15.0.New Order4687334.exe.400000.10.unpack, Avira: Label: TR/Spy.Gen8
Source: 15.2.New Order4687334.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 15.0.New Order4687334.exe.400000.8.unpack, Avira: Label: TR/Spy.Gen8
Source: 15.0.New Order4687334.exe.400000.12.unpack, Avira: Label: TR/Spy.Gen8
Source: 15.0.New Order4687334.exe.400000.4.unpack, Avira: Label: TR/Spy.Gen8
Source: New Order4687334.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New Order4687334.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown, DNS query: name: api.telegram.org
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, String found in binary or memory: http://DynDns.comDynDNS
Source: New Order4687334.exe, 0000000F.00000002.534532246.000000000336C000.00000004.00000001.sdmp, String found in binary or memory: http://api.telegram.org
Source: New Order4687334.exe, 0000000F.00000002.532829040.00000000012B0000.00000004.00000020.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, String found in binary or memory: http://psZqXY.com
Source: New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp, New Order4687334.exe, 0000000F.00000002.534496680.0000000003358000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, New Order4687334.exe, 0000000F.00000002.534532246.000000000336C000.00000004.00000001.sdmp, New Order4687334.exe, 0000000F.00000002.534476274.0000000003352000.00000004.00000001.sdmp, String found in binary or memory: http://xd9iIaiS4bffM0SeD.com
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, String found in binary or memory: https://api.ipify.org%
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: New Order4687334.exe, 0000000F.00000002.534496680.0000000003358000.00000004.00000001.sdmp, String found in binary or memory: https://api.telegram.org
Source: New Order4687334.exe, 00000001.00000002.318200591.00000000040BF000.00000004.00000001.sdmp, New Order4687334.exe, 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp, New Order4687334.exe, 0000000F.00000000.310261414.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/
Source: New Order4687334.exe, 0000000F.00000002.534496680.0000000003358000.00000004.00000001.sdmp, String found in binary or memory: https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/sendDocument
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, String found in binary or memory: https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/sendDocumentdocument-----
Source: New Order4687334.exe, 0000000F.00000002.534496680.0000000003358000.00000004.00000001.sdmp, String found in binary or memory: https://api.telegram.org4ol
Source: New Order4687334.exe, 0000000F.00000002.534709897.00000000033A6000.00000004.00000001.sdmp, String found in binary or memory: https://api.telegram.orgD8ol
Source: New Order4687334.exe, 00000001.00000002.318200591.00000000040BF000.00000004.00000001.sdmp, New Order4687334.exe, 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp, New Order4687334.exe, 0000000F.00000000.310261414.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown, DNS traffic detected: queries for: api.telegram.org
Source: C:\Users\user\Desktop\New Order4687334.exe, Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: New Order4687334.exe
.NET source code contains very large array initializations
Source: 15.0.New Order4687334.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b22A533B5u002dD43Au002d4F70u002dA411u002d1006D30E89A3u007d/u0033FB20675u002d5C8Au002d4C8Du002dB735u002d4258DA9C53F3.cs, Large array initialization: .cctor: array initializer size 12026
Source: 15.2.New Order4687334.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b22A533B5u002dD43Au002d4F70u002dA411u002d1006D30E89A3u007d/u0033FB20675u002d5C8Au002d4C8Du002dB735u002d4258DA9C53F3.cs, Large array initialization: .cctor: array initializer size 12026
Source: New Order4687334.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 1_2_00A52C66
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 1_2_0126E76A
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 1_2_0126E778
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 1_2_0126BDC4
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 1_2_00A52050
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_00B12C66
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_01326198
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_013268D0
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_01325B60
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_01324D3D
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_0132B527
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_0132C110
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_0132D516
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_0132B109
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_0132D58A
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_0132B589
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_0132D5FA
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_0132B836
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_01324C0D
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_0132D486
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_0132D4F2
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_0132B4DF
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_01323BC7
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_01324A68
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_013F4800
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_013F4710
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_013FD8A1
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_00B12050
Source: New Order4687334.exe, 00000001.00000002.318200591.00000000040BF000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamebLovAOHPCmcvaneJbXyAVBQvawZcGDkAOrRYWFe.exe4 vs New Order4687334.exe
Source: New Order4687334.exe, 00000001.00000000.263101037.0000000000B00000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameHasCopySemanticsAttribu.exeB vs New Order4687334.exe
Source: New Order4687334.exe, 00000001.00000002.319156306.00000000055D0000.00000004.00020000.sdmp, Binary or memory string: OriginalFilenameInnerException.dll" vs New Order4687334.exe
Source: New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameInnerException.dll" vs New Order4687334.exe
Source: New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamebLovAOHPCmcvaneJbXyAVBQvawZcGDkAOrRYWFe.exe4 vs New Order4687334.exe
Source: New Order4687334.exe, 00000001.00000002.319540495.00000000061C0000.00000004.00020000.sdmp, Binary or memory string: OriginalFilenameUI.dllF vs New Order4687334.exe
Source: New Order4687334.exe, 00000001.00000003.267389204.000000000405A000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameUI.dllF vs New Order4687334.exe
Source: New Order4687334.exe, 0000000F.00000000.312177342.0000000000BC0000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameHasCopySemanticsAttribu.exeB vs New Order4687334.exe
Source: New Order4687334.exe, 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamebLovAOHPCmcvaneJbXyAVBQvawZcGDkAOrRYWFe.exe4 vs New Order4687334.exe
Source: New Order4687334.exe, 0000000F.00000002.532370684.00000000011F9000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs New Order4687334.exe
Source: New Order4687334.exe, 0000000F.00000002.531127500.0000000000F68000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New Order4687334.exe
Source: New Order4687334.exe, Binary or memory string: OriginalFilenameHasCopySemanticsAttribu.exeB vs New Order4687334.exe
Source: New Order4687334.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lGBqbwYsd.exe.1.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Order4687334.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lGBqbwYsd.exe.1.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: New Order4687334.exe, Virustotal: Detection: 41%
Source: New Order4687334.exe, ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\New Order4687334.exe, File read: C:\Users\user\Desktop\New Order4687334.exe
Source: New Order4687334.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Order4687334.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Users\user\Desktop\New Order4687334.exe "C:\Users\user\Desktop\New Order4687334.exe"
Source: C:\Users\user\Desktop\New Order4687334.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Order4687334.exe, Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" /XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Order4687334.exe, Process created: C:\Users\user\Desktop\New Order4687334.exe C:\Users\user\Desktop\New Order4687334.exe
Source: C:\Users\user\Desktop\New Order4687334.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe
Source: C:\Users\user\Desktop\New Order4687334.exe, Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" /XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp
Source: C:\Users\user\Desktop\New Order4687334.exe, Process created: C:\Users\user\Desktop\New Order4687334.exe C:\Users\user\Desktop\New Order4687334.exe
Source: C:\Users\user\Desktop\New Order4687334.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\New Order4687334.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order4687334.exe, File created: C:\Users\user\AppData\Roaming\lGBqbwYsd.exe
Source: C:\Users\user\Desktop\New Order4687334.exe, File created: C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp
Source: classification engine, Classification label: mal100.troj.evad.winEXE@9/8@1/0
Source: C:\Users\user\Desktop\New Order4687334.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\New Order4687334.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New Order4687334.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_01
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
Source: C:\Users\user\Desktop\New Order4687334.exe, Mutant created: \Sessions\1\BaseNamedObjects\kNBGhgzUpwTPbWqNEfFgvION
Source: 15.0.New Order4687334.exe.400000.6.unpack, A/b2.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.2.New Order4687334.exe.400000.0.unpack, A/b2.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\New Order4687334.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: New Order4687334.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New Order4687334.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: New Order4687334.exe, Views/MainForm.cs, .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: lGBqbwYsd.exe.1.dr, Views/MainForm.cs, .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.New Order4687334.exe.a50000.0.unpack, Views/MainForm.cs, .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.New Order4687334.exe.a50000.0.unpack, Views/MainForm.cs, .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.New Order4687334.exe.b10000.1.unpack, Views/MainForm.cs, .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.New Order4687334.exe.b10000.7.unpack, Views/MainForm.cs, .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.New Order4687334.exe.b10000.2.unpack, Views/MainForm.cs, .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.New Order4687334.exe.b10000.9.unpack, Views/MainForm.cs, .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.New Order4687334.exe.b10000.0.unpack, Views/MainForm.cs, .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 1_2_00A542BF push ss; iretd
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 1_2_00A5424F push es; iretd
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 1_2_0126E768 pushfd ; ret
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_00B142BF push ss; iretd
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_00B1424F push es; iretd
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_0132E53B push esp; retf
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_0132D41A push ecx; retf
Source: C:\Users\user\Desktop\New Order4687334.exe, Code function: 15_2_0132D3FA push ecx; retf
Source: initial sample, Static PE information: section name: .text entropy: 7.85496996134
Source: C:\Users\user\Desktop\New Order4687334.exe, File created: C:\Users\user\AppData\Roaming\lGBqbwYsd.exe

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\New Order4687334.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" /XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp
                      Source: C:\Users\user\Desktop\New Order4687334.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\New Order4687334.exe; Process information set: NOOPENFILEERRORBOX (41 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX (105 identical entries)
Source: C:\Users\user\Desktop\New Order4687334.exe; Process information set: NOOPENFILEERRORBOX (42 identical entries)

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match; File source: 1.2.New Order4687334.exe.2fc1430.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.316046595.0000000003267000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: New Order4687334.exe PID: 4548, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: New Order4687334.exe, 00000001.00000002.316046595.0000000003267000.00000004.00000001.sdmp, New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
Source: New Order4687334.exe, 00000001.00000002.316046595.0000000003267000.00000004.00000001.sdmp, New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order4687334.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order4687334.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\New Order4687334.exe TID: 2188; Thread sleep time: -34764s >= -30000s
Source: C:\Users\user\Desktop\New Order4687334.exe TID: 668; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\New Order4687334.exe TID: 6188; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7036; Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\Desktop\New Order4687334.exe TID: 1808; Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\Desktop\New Order4687334.exe TID: 6716; Thread sleep count: 2762 > 30
Source: C:\Users\user\Desktop\New Order4687334.exe TID: 6716; Thread sleep count: 7081 > 30
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\New Order4687334.exe; Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\New Order4687334.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6720
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1929
Source: C:\Users\user\Desktop\New Order4687334.exe; Window / User API: threadDelayed 2762
Source: C:\Users\user\Desktop\New Order4687334.exe; Window / User API: threadDelayed 7081
Source: C:\Users\user\Desktop\New Order4687334.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order4687334.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\New Order4687334.exe; Thread delayed: delay time: 34764
Source: C:\Users\user\Desktop\New Order4687334.exe; Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\New Order4687334.exe; Thread delayed: delay time: 922337203685477
Source: New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp; Binary or memory string: vmware
Source: New Order4687334.exe, 0000000F.00000002.532678130.0000000001262000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]M
Source: New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\New Order4687334.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\New Order4687334.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\New Order4687334.exe; Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\New Order4687334.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe" (3 identical entries)
Source: C:\Users\user\Desktop\New Order4687334.exe; Process created: C:\Windows\SysWOW64\schtasks.exe; Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" /XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp"
Source: C:\Users\user\Desktop\New Order4687334.exe; Process created: C:\Users\user\Desktop\New Order4687334.exe; Command line: C:\Users\user\Desktop\New Order4687334.exe
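The schtasks /Create that imports a task XML from the user's Temp directory (also listed under Boot Survival above) and the Add-MpPreference exclusion for a file under AppData\Roaming are the two command lines a detection engineer would pivot on. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it runs that detection logic over constructed process-creation records (Sysmon Event ID 1 style fields) modelled on the report's command lines, plus two benign look-alikes that must not fire. The event layout, rule names and severities are this example's own assumptions.

```python
"""Detection of the two command lines flagged in this report. Added example,
not code from the Joe Sandbox report or from the analysed sample. Records are
constructed to resemble Sysmon Event ID 1 (process creation) fields."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories a standard user can write to. The sample stages both its copy
# (AppData\Roaming) and the task definition (AppData\Local\Temp) there.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Add-MpPreference / Set-MpPreference with any of the three exclusion parameters.
DEFENDER_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # raw command line as logged
    parent_image: str   # full path of the parent process


@dataclass(frozen=True)
class Finding:
    rule: str           # hypothetical rule name, this example's own
    severity: str
    detail: str


def split_cmdline(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    tokens: list[str] = []
    cur: list[str] = []
    quoted = False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def _flag_values(tokens: list[str], flag: str) -> list[str]:
    """Values following every occurrence of `flag` (compared case-insensitively)."""
    return [val for f, val in zip(tokens, tokens[1:]) if f.lower() == flag]


def check_schtasks_from_temp(ev: ProcessEvent) -> Finding | None:
    """schtasks.exe /Create ... /XML <file under %TEMP%>: triggers and actions
    come from a throwaway file, as with the Updates\\lGBqbwYsd task above."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    toks = split_cmdline(ev.command_line)
    if "/create" not in (t.lower() for t in toks):
        return None
    for xml in _flag_values(toks, "/xml"):
        if USER_TEMP.search(xml):
            name = (_flag_values(toks, "/tn") or ["?"])[0]
            return Finding("schtasks_create_from_user_temp", "high",
                           f"task {name} imported from {xml}; parent {ev.parent_image}")
    return None


def check_defender_exclusion(ev: ProcessEvent) -> Finding | None:
    """PowerShell adding a Defender exclusion; a user-writable target rates high
    because it shields a staged payload before that payload ever runs."""
    if not ev.image.lower().endswith("\\powershell.exe"):
        return None
    if not DEFENDER_EXCLUSION.search(ev.command_line):
        return None
    toks = split_cmdline(ev.command_line)
    excluded = [val for f, val in zip(toks, toks[1:])
                if f.lower().startswith("-exclusion")]
    severity = "high" if any(USER_WRITABLE.search(p) for p in excluded) else "medium"
    return Finding("defender_exclusion_added", severity,
                   f"exclusions {excluded}; parent {ev.parent_image}")


CHECKS = (check_schtasks_from_temp, check_defender_exclusion)


def run_detection(events: list[ProcessEvent]) -> list[Finding]:
    return [hit for ev in events for chk in CHECKS if (hit := chk(ev)) is not None]


# Constructed records: the first two mirror the report's command lines, the
# last two are benign look-alikes that must not fire.
LOADER = r"C:\Users\user\Desktop\New Order4687334.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\SysWOW64\schtasks.exe",
                 r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" '
                 r'/XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp"', LOADER),
    ProcessEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                 r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                 r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe"',
                 LOADER),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\ProgramData\Vendor\updater.xml"',
                 r"C:\Windows\System32\msiexec.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile Get-MpPreference",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"[{hit.severity}] {hit.rule}: {hit.detail}")
```

Run directly, it reports the two malicious records and nothing for the vendor task installed from ProgramData or the read-only Get-MpPreference call. For forensics the /XML path is the pivot: the task's triggers and action live in that file, and the report shows it under a tmp name in the user's Temp directory while the target binary sits in AppData\Roaming, which is exactly the path the Defender exclusion covers.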
Source: New Order4687334.exe, 0000000F.00000002.533912150.0000000001AE0000.00000002.00020000.sdmp; Binary or memory string: uProgram Manager
Source: New Order4687334.exe, 0000000F.00000002.533912150.0000000001AE0000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
Source: New Order4687334.exe, 0000000F.00000002.533912150.0000000001AE0000.00000002.00020000.sdmp; Binary or memory string: Progman
Source: New Order4687334.exe, 0000000F.00000002.533912150.0000000001AE0000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\New Order4687334.exe; Queries volume information: C:\Users\user\Desktop\New Order4687334.exe VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order4687334.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical entries)
Source: C:\Users\user\Desktop\New Order4687334.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Users\user\Desktop\New Order4687334.exeQueries volume information: C:\Users\user\Desktop\New Order4687334.exe VolumeInformation
                      Source: C:\Users\user\Desktop\New Order4687334.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\New Order4687334.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\New Order4687334.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\New Order4687334.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\New Order4687334.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\New Order4687334.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\New Order4687334.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\New Order4687334.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Telegram RAT
Source: Yara match | File source: 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Order4687334.exe PID: 4548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: New Order4687334.exe PID: 6184, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match | File source: 1.2.New Order4687334.exe.41e0718.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.New Order4687334.exe.4216938.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.New Order4687334.exe.4216938.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.New Order4687334.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.New Order4687334.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.New Order4687334.exe.41e0718.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.New Order4687334.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.New Order4687334.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.New Order4687334.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.New Order4687334.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.311913229.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.310261414.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.311127679.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.312585278.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.318200591.00000000040BF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Order4687334.exe PID: 4548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: New Order4687334.exe PID: 6184, type: MEMORYSTR
Source: Yara match | File source: 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Order4687334.exe PID: 6184, type: MEMORYSTR

Remote Access Functionality:

Yara detected Telegram RAT
Source: Yara match | File source: 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Order4687334.exe PID: 4548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: New Order4687334.exe PID: 6184, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match | File source: 1.2.New Order4687334.exe.41e0718.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.New Order4687334.exe.4216938.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.New Order4687334.exe.4216938.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.New Order4687334.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.New Order4687334.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.New Order4687334.exe.41e0718.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.New Order4687334.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.New Order4687334.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.New Order4687334.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.New Order4687334.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.311913229.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.310261414.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.311127679.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.312585278.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.318200591.00000000040BF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Order4687334.exe PID: 4548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: New Order4687334.exe PID: 6184, type: MEMORYSTR

Mitre Att&ck Matrix

(Digits after a technique name are the report's per-technique signature hit counts, kept as shown in the matrix.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 12 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Web Service 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 11 | LSASS Memory | Security Software Discovery 311 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | System Information Discovery 113 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 532631 | Sample: New Order4687334.exe | Startdate: 02/12/2021 | Architecture: WINDOWS | Score: 100

DNS/IP Info: api.telegram.org
Signatures at the start node: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 14 other signatures

Process tree (the number after a process name is the count shown beside it in the graph):
New Order4687334.exe 7 (started)
    dropped: C:\Users\user\AppData\Roaming\lGBqbwYsd.exe, PE32
    dropped: C:\Users\user\AppData\Local\...\tmp4E0D.tmp, XML
    dropped: C:\Users\user\...\New Order4687334.exe.log, ASCII
    signature: Adds a directory exclusion to Windows Defender
    -> powershell.exe 25 (started)
        -> conhost.exe (started)
    -> schtasks.exe 1 (started)
        -> conhost.exe (started)
    -> New Order4687334.exe 2 (started)

                      Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
New Order4687334.exe | 41% | Virustotal |
New Order4687334.exe | 38% | ReversingLabs | Win32.Trojan.AgentTesla

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\lGBqbwYsd.exe | 38% | ReversingLabs | Win32.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
15.0.New Order4687334.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
15.0.New Order4687334.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
15.2.New Order4687334.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
15.0.New Order4687334.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
15.0.New Order4687334.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
15.0.New Order4687334.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://psZqXY.com | 2% | Virustotal |
http://psZqXY.com | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
https://api.telegram.orgD8ol | 0% | Avira URL Cloud | safe
http://xd9iIaiS4bffM0SeD.com | 0% | Avira URL Cloud | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://api.telegram.org4ol | 0% | Avira URL Cloud | safe

                      Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | New Order4687334.exe, 0000000F.00000002.534496680.0000000003358000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://psZqXY.com | New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/sendDocumentdocument----- | New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp | false | | high
https://api.ipify.org%GETMozilla/5.0 | New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/ | New Order4687334.exe, 00000001.00000002.318200591.00000000040BF000.00000004.00000001.sdmp; New Order4687334.exe, 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp; New Order4687334.exe, 0000000F.00000000.310261414.0000000000402000.00000040.00000001.sdmp | false | | high
https://api.telegram.orgD8ol | New Order4687334.exe, 0000000F.00000002.534709897.00000000033A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://xd9iIaiS4bffM0SeD.com | New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp; New Order4687334.exe, 0000000F.00000002.534532246.000000000336C000.00000004.00000001.sdmp; New Order4687334.exe, 0000000F.00000002.534476274.0000000003352000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://api.telegram.org | New Order4687334.exe, 0000000F.00000002.534532246.000000000336C000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | New Order4687334.exe, 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp; New Order4687334.exe, 0000000F.00000002.534496680.0000000003358000.00000004.00000001.sdmp | false | | high
https://api.ipify.org% | New Order4687334.exe, 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | New Order4687334.exe, 00000001.00000002.318200591.00000000040BF000.00000004.00000001.sdmp; New Order4687334.exe, 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp; New Order4687334.exe, 0000000F.00000000.310261414.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot5074572303:AAE8ZKRzrDBFdUptPX0s5TohA3XJtaS_H_8/sendDocument | New Order4687334.exe, 0000000F.00000002.534496680.0000000003358000.00000004.00000001.sdmp | false | | high
https://api.telegram.org4ol | New Order4687334.exe, 0000000F.00000002.534496680.0000000003358000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                    Contacted IPs

                                    No contacted IP infos

                                    General Information

                                    Joe Sandbox Version:34.0.0 Boulder Opal
                                    Analysis ID:532631
                                    Start date:02.12.2021
                                    Start time:15:17:45
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 9m 40s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:New Order4687334.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed:28
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@9/8@1/0
                                    EGA Information:Failed
                                    HDC Information:Failed
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .exe
                                    Warnings:
                                    Show All
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                     • Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

                                     Time | Type | Description
                                     15:18:52 | API Interceptor | 603x Sleep call for process: New Order4687334.exe modified
                                     15:19:06 | API Interceptor | 27x Sleep call for process: powershell.exe modified

                                    Joe Sandbox View / Context

                                    IPs

                                    No context

                                    Domains

                                     Match: api.telegram.org
                                     Associated Sample Name / URL | Detection | Context
                                     SWIFT_ADVICE.exe | malicious | 149.154.167.220
                                     Overdue outstanding payment.exe | malicious | 149.154.167.220
                                     proforma invoice packing list.exe | malicious | 149.154.167.220
                                     KG236KQE0b.exe | malicious | 149.154.167.220
                                     TT COPY.exe | malicious | 149.154.167.220
                                     Invoice.doc.scr.exe | malicious | 149.154.167.220
                                     proforma invoice packing list.exe | malicious | 149.154.167.220
                                     PROFORMA.EXE | malicious | 149.154.167.220
                                     Proforma-Invoice CAC1105 CI&PL.exe | malicious | 149.154.167.220
                                     8VVKoakLYt.exe | malicious | 149.154.167.220
                                     SecuriteInfo.com.Trojan.GenericKD.47502835.19614.exe | malicious | 149.154.167.220
                                     FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | malicious | 149.154.167.220
                                     Quote.exe | malicious | 149.154.167.220
                                     Dhl delivery Express.exe | malicious | 149.154.167.220
                                     stampa_CFS-ITALIA_1123311-655.exe | malicious | 149.154.167.220
                                     Launcher.exe | malicious | 149.154.167.220
                                     BANKASI 657090031.exe | malicious | 149.154.167.220
                                     SecuriteInfo.com.Variant.Barys.226418.1879.exe | malicious | 149.154.167.220
                                     SecuriteInfo.com.Trojan.GenericKD.38103794.11009.exe | malicious | 149.154.167.220
                                     SecuriteInfo.com.Trojan.SpyBot.1125.26781.exe | malicious | 149.154.167.220

                                    ASN

                                    No context

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order4687334.exe.log
                                    Process:C:\Users\user\Desktop\New Order4687334.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:modified
                                    Size (bytes):1310
                                    Entropy (8bit):5.345651901398759
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                                    MD5:D918C6A765EDB90D2A227FE23A3FEC98
                                    SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                                    SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                                    SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                                    Malicious:true
                                    Reputation:moderate, very likely benign file
                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):22296
                                    Entropy (8bit):5.604691119582736
                                    Encrypted:false
                                    SSDEEP:384:ut3Gy/SQjpTZLtSBKnYjultI+3uB9gPSJ3x+T1M4/ZlbAV7HQWDa5ZBDI+i6Yz:xGZJ4KYCltB3PcsCwfwDCVO
                                    MD5:A4ED3D527A314AF2DF3B2F6646512FC2
                                    SHA1:118D9F6F19D634E54694199804A68C4BE8BF0516
                                    SHA-256:B35E5F9892334A2B86B02C5A779AFA465AB7857BBD37D3A6A9F06939F23A11A2
                                    SHA-512:4758E7B471FF90F37010FE776F0B20E012257005FBFDF8BA0FF465E30C5E8C4517E1E04B6A5BC6B6956420326C4B7114DCE65573AB27C8B9BCD8901002E6F022
                                    Malicious:false
                                    Reputation:low
                                    Preview: @...e...........|.......h...h.d.a.....&. .H..........@..........H...............<@.^.L."My...:?..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..4....................].D.E.....#.......System.Data.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServicesH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mphuq2tu.k3a.ps1
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview: 1
                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yxf2igxg.heq.psm1
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview: 1
                                    C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp
                                    Process:C:\Users\user\Desktop\New Order4687334.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1612
                                    Entropy (8bit):5.136404201143362
                                    Encrypted:false
                                    SSDEEP:24:2di4+S2qh/dp1Kd+y1modHUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtyhxvn:cgeHMYrFdOFzOzN33ODOiDdKrsuTynv
                                    MD5:AFDE0ABCE5DACF961010261FC91DA9D3
                                    SHA1:DE619D02A4142F3C96B551B4316B7573A003355C
                                    SHA-256:12B2F1266A20D8445BE2D61BB191C85CD39BF557D624D7CAAA1C025A1FF82FAD
                                    SHA-512:878CA3E22C23DCDC8286C19A70018ADBD2D8963F023600870DD9566D0BDDA436786F1495C95A68292C5BB2C1C176A81296D8DD016BCEC1912ACC00671DB23D1F
                                    Malicious:true
                                    Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvai
                                    C:\Users\user\AppData\Roaming\lGBqbwYsd.exe
                                    Process:C:\Users\user\Desktop\New Order4687334.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):811008
                                    Entropy (8bit):7.627401226270159
                                    Encrypted:false
                                    SSDEEP:24576:+MjgD5aplp3dWwft/4kCO9MR3MByLZKb6:58YplrWO9O3MBAK
                                    MD5:ABC0D5990E243C73BCB0EF52F113C9C8
                                    SHA1:A62D9E6614AB925A6EC5EC1D8C8ABEB44CF51EF0
                                    SHA-256:B8BAAF727F8DA89FE81122FD5C93C3D34B7F3F78AE90403309D7D335E0BB3792
                                    SHA-512:C33CDB17D07AF0B51B4DFDF1A4626EC94AD87D24AEF2E4AC8CC17EECDFDFE246224A28E448D321FEB4EA70D83A349F822ED46ABAD7EC1913566B83A2C9BC4FA5
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 38%
                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*.a..............0.............>.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc...............^..............@..B................ .......H.......p>...F......Z........f...........................................0..7..........=...%....r...p.......%.r...p.%.r...p.%...(......+..*".(.....*&.(......**..(......*....(......*....(......*....0............d.......{......o.......+..*....0..3.........{....s.......o......(I.....,..r#..psO...z..}....*..0............o......0..o......0..o.....2..o.......+....,..r...pr...ps....z.o.......o....ZX..{...........,..r...ps....z..{....o.....+_..( .........oL...........,B..{.......s/..
                                    C:\Users\user\AppData\Roaming\lGBqbwYsd.exe:Zone.Identifier
                                    Process:C:\Users\user\Desktop\New Order4687334.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:false
                                    Preview: [ZoneTransfer]....ZoneId=0
                                    C:\Users\user\Documents\20211202\PowerShell_transcript.830021.Zh+Xk+NK.20211202151904.txt
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):5825
                                    Entropy (8bit):5.39302879110607
                                    Encrypted:false
                                    SSDEEP:96:BZd6KNSUqDo1ZKZAd6KNSUqDo1ZbVPNjZAd6KNSUqDo1ZbkddUZ/:OOqfq0
                                    MD5:52A4E973959AE0EC62F760F9857FA139
                                    SHA1:1ABBBD65F5D536E9F1F5A8F491E8D8AEC47ADEDF
                                    SHA-256:85A95B5DAC66490EA7AFE6BA7F250FA44D233B63167CDEED5C509F304BECD2F2
                                    SHA-512:69F9CFEB22E0824AD47FD5E1B5F0CB7D6ACD48239927C68EDB2E4E02AA4989CC80586545B82CC00FDABFDE5E2D3792AA366DA4AF8FA4DA5F897800DC07B66018
                                    Malicious:false
                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20211202151906..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 830021 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lGBqbwYsd.exe..Process ID: 6580..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211202151906..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lGBqbwYsd.exe..**********************..Windows PowerShell transcript start..Start time: 20211202152227..Username: computer\user..RunAs User: DE

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.627401226270159
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:New Order4687334.exe
                                    File size:811008
                                    MD5:abc0d5990e243c73bcb0ef52f113c9c8
                                    SHA1:a62d9e6614ab925a6ec5ec1d8c8abeb44cf51ef0
                                    SHA256:b8baaf727f8da89fe81122fd5c93c3d34b7f3f78ae90403309d7d335e0bb3792
                                    SHA512:c33cdb17d07af0b51b4dfdf1a4626ec94ad87d24aef2e4ac8cc17eecdfdfe246224a28e448d321feb4ea70d83a349f822ed46abad7ec1913566b83a2c9bc4fa5
                                    SSDEEP:24576:+MjgD5aplp3dWwft/4kCO9MR3MByLZKb6:58YplrWO9O3MBAK
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*.a..............0.............>.... ........@.. ....................................@................................

                                    File Icon

                                    Icon Hash:ce9ab2a29a9aa2d4

                                    Static PE Info

                                    General

                                    Entrypoint:0x4aec3e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                    Time Stamp:0x61A82ACB [Thu Dec 2 02:09:15 2021 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:v4.0.30319
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                    Entrypoint Preview

                                    Instruction
                                    jmp dword ptr [00402000h]

                                    Data Directories

                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaebec | 0x4f | .text
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x18ce0 | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xca000 | 0xc | .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

                                     Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x2000 | 0xacc44 | 0xace00 | False | 0.917266867769 | data | 7.85496996134 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                     .rsrc | 0xb0000 | 0x18ce0 | 0x18e00 | False | 0.112535332915 | data | 4.31172980931 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .reloc | 0xca000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Resources

                                     Name | RVA | Size | Type | Language | Country
                                     RT_ICON | 0xb01f0 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                     RT_ICON | 0xb0658 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 587202559, next used block 587202559 | |
                                     RT_ICON | 0xb1700 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                                     RT_ICON | 0xb3ca8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                     RT_ICON | 0xb7ed0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
                                     RT_GROUP_ICON | 0xc86f8 | 0x4c | data | |
                                     RT_VERSION | 0xc8744 | 0x3b0 | data | |
                                     RT_MANIFEST | 0xc8af4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                    Imports

                                     DLL | Import
                                     mscoree.dll | _CorExeMain

                                    Version Infos

                                     Description | Data
                                     Translation | 0x0000 0x04b0
                                     LegalCopyright | Copyright Mogens Heller Grabe 2010
                                     Assembly Version | 1.0.0.0
                                     InternalName | HasCopySemanticsAttribu.exe
                                     FileVersion | 1.0.0.0
                                     CompanyName | Mookid8000
                                     LegalTrademarks |
                                     Comments |
                                     ProductName | TypedFactoryTjek
                                     ProductVersion | 1.0.0.0
                                     FileDescription | TypedFactoryTjek
                                     OriginalFilename | HasCopySemanticsAttribu.exe

                                    Network Behavior

                                    Network Port Distribution

                                    UDP Packets

                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Dec 2, 2021 15:20:56.626312971 CET | 59730 | 53 | 192.168.2.7 | 8.8.8.8
                                     Dec 2, 2021 15:20:56.646023989 CET | 53 | 59730 | 8.8.8.8 | 192.168.2.7

                                    DNS Queries

                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                     Dec 2, 2021 15:20:56.626312971 CET | 192.168.2.7 | 8.8.8.8 | 0x623f | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)

                                    DNS Answers

                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                     Dec 2, 2021 15:20:56.646023989 CET | 8.8.8.8 | 192.168.2.7 | 0x623f | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)

                                    Code Manipulations

                                    Statistics

                                    Behavior


                                    System Behavior

                                    General

                                    Start time:15:18:51
                                    Start date:02/12/2021
                                    Path:C:\Users\user\Desktop\New Order4687334.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\New Order4687334.exe"
                                    Imagebase:0x7ff641cd0000
                                    File size:811008 bytes
                                    MD5 hash:ABC0D5990E243C73BCB0EF52F113C9C8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.316046595.0000000003267000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.318200591.00000000040BF000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.318200591.00000000040BF000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.315258817.0000000002FA1000.00000004.00000001.sdmp, Author: Joe Security
                                    Reputation:low

                                    General

                                    Start time:15:19:03
                                    Start date:02/12/2021
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                     Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe"
                                    Imagebase:0x1110000
                                    File size:430592 bytes
                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:high

                                    General

                                    Start time:15:19:03
                                    Start date:02/12/2021
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff774ee0000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:15:19:09
                                    Start date:02/12/2021
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                     Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" /XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp"
                                    Imagebase:0x1120000
                                    File size:185856 bytes
                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:15:19:10
                                    Start date:02/12/2021
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff774ee0000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:15:19:12
                                    Start date:02/12/2021
                                    Path:C:\Users\user\Desktop\New Order4687334.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\New Order4687334.exe
                                    Imagebase:0xb10000
                                    File size:811008 bytes
                                    MD5 hash:ABC0D5990E243C73BCB0EF52F113C9C8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000002.529256837.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000000.311913229.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000000.311913229.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000000.310261414.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000000.310261414.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.534092510.0000000002FF1000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000000.311127679.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000000.311127679.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000000.312585278.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000000.312585278.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    Reputation:low
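The powershell.exe and schtasks.exe records above are the two host-side actions that the Sigma rules listed in the summary fire on: a Windows Defender path exclusion for the dropped copy under AppData\Roaming, and a scheduled task installed from an XML file in the user's Temp directory. The following Python is an added triage helper written for this page; it is not part of the Joe Sandbox report. It tokenises the two command lines exactly as recorded here (outer quotes restored) plus two constructed contrast lines, and flags the exclusion and the Temp-sourced task. The path patterns, the `triage` function and the finding names are the example's own choices, not something the report defines.

```python
"""Triage helper for the persistence and defence-evasion command lines
recorded in this report.  Added example, not part of the sandbox output."""
import re

# Command lines as recorded in the process list above (outer quotes restored).
REPORT_POWERSHELL = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lGBqbwYsd.exe"'
)
REPORT_SCHTASKS = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" '
    r'/XML "C:\Users\user\AppData\Local\Temp\tmp4E0D.tmp"'
)
# Constructed contrast lines: a task installed from ProgramData, and the
# sample's own launch, which carries no persistence or exclusion flags.
BENIGN_SCHTASKS = (
    r'C:\Windows\System32\schtasks.exe /Create /TN "Backup\Nightly" '
    r'/XML "C:\ProgramData\Backup\nightly.xml"'
)
SAMPLE_LAUNCH = r'"C:\Users\user\Desktop\New Order4687334.exe"'

# A double-quoted token or a run of non-space characters; enough for these lines.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Per-user Temp and profile paths, where a scheduled-task XML or a Defender
# exclusion target should not normally live (hypothetical patterns).
_USER_TEMP = re.compile(r'\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.I)
_USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\', re.I)


def split_cmdline(cmd):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def _value_after(args, lowered, flag):
    """Argument following `flag` (case-insensitive), or None if absent."""
    if flag in lowered and lowered.index(flag) + 1 < len(args):
        return args[lowered.index(flag) + 1]
    return None


def triage(cmd):
    """Return a dict of findings for one command line; empty means nothing flagged."""
    args = split_cmdline(cmd)
    lowered = [a.lower() for a in args]
    exe = lowered[0].rsplit("\\", 1)[-1] if lowered else ""
    findings = {}

    # 1. Defender exclusion added through the Add-MpPreference cmdlet
    #    (-ExclusionPath, -ExclusionProcess or -ExclusionExtension).
    if exe in ("powershell.exe", "pwsh.exe") and "add-mppreference" in lowered:
        for i, a in enumerate(lowered):
            if a.startswith("-exclusion") and i + 1 < len(args):
                findings["defender_exclusion"] = args[i + 1]
                if _USER_WRITABLE.search(args[i + 1]):
                    findings["exclusion_in_user_writable_dir"] = args[i + 1]

    # 2. Scheduled task created from an XML definition; escalate when the
    #    XML comes from the user's Temp directory, as in this report.
    if exe == "schtasks.exe" and "/create" in lowered:
        name = _value_after(args, lowered, "/tn")
        xml = _value_after(args, lowered, "/xml")
        if name:
            findings["task_name"] = name
        if xml:
            findings["task_xml"] = xml
            if _USER_TEMP.search(xml):
                findings["task_xml_in_user_temp"] = xml
    return findings


if __name__ == "__main__":
    for line in (REPORT_POWERSHELL, REPORT_SCHTASKS, BENIGN_SCHTASKS, SAMPLE_LAUNCH):
        print(split_cmdline(line)[0], "->", triage(line) or "clean")
```

Run as a script it prints a verdict per line; in a pipeline, feed `triage` the CommandLine field from Sysmon event 1 or Security event 4688. The constructed ProgramData task is still reported with its name and XML path but without the Temp flag, which is the distinction the rule name "Add Task From User AppData Temp" implies; the exclusion rule fires on any Add-MpPreference exclusion and adds a second finding when the excluded path is user-writable, as the dropped lGBqbwYsd.exe here is.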

                                    Disassembly

                                    Code Analysis
