
Analysis Report 11065-AMM0000557423-736065949.exe

Overview

General Information

Sample Name: 11065-AMM0000557423-736065949.exe
MD5: 39b71dd0dc801e89e04f0d2b3824b55f
SHA1: 5d3f749ab772af6552cc81d807c723e8181f5fe8
SHA256: e390ee24fef5920157d9c28af8d232cd542f30b193481fef6fffb007631f374b

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Domain name seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • 11065-AMM0000557423-736065949.exe (PID: 5080 cmdline: 'C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe' MD5: 39B71DD0DC801E89E04F0D2B3824B55F)
    • schtasks.exe (PID: 820 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTJBQAXh' /XML 'C:\Users\user\AppData\Local\Temp\tmpD283.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 11065-AMM0000557423-736065949.exe (PID: 3236 cmdline: {path} MD5: 39B71DD0DC801E89E04F0D2B3824B55F)
      • netsh.exe (PID: 6040 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 5604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "=0Ai9AOpgXo", "URL: ": "http://MOx5rIzSSpak0qLPtH.com", "To: ": "servicio@elhelado.com.mx", "ByHost: ": "mail.elhelado.com.mx:587", "Password: ": "=0A4OENzVH", "From: ": "servicio@elhelado.com.mx"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.1200221703.00000000030B1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.808605883.000000000438A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.1197331443.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: 11065-AMM0000557423-736065949.exe PID: 5080 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: 11065-AMM0000557423-736065949.exe PID: 3236 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
5.2.11065-AMM0000557423-736065949.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started, Author: Joe Security, Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe, ParentProcessId: 3236, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 6040
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTJBQAXh' /XML 'C:\Users\user\AppData\Local\Temp\tmpD283.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTJBQAXh' /XML 'C:\Users\user\AppData\Local\Temp\tmpD283.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe', ParentImage: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe, ParentProcessId: 5080, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTJBQAXh' /XML 'C:\Users\user\AppData\Local\Temp\tmpD283.tmp', ProcessId: 820

Signature Overview

AV Detection:

Found malware configuration
Source: 11065-AMM0000557423-736065949.exe.3236.5.memstr, Malware Configuration Extractor: Agenttesla {"Username: ": "=0Ai9AOpgXo", "URL: ": "http://MOx5rIzSSpak0qLPtH.com", "To: ": "servicio@elhelado.com.mx", "ByHost: ": "mail.elhelado.com.mx:587", "Password: ": "=0A4OENzVH", "From: ": "servicio@elhelado.com.mx"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\RTJBQAXh.exe, Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Roaming\RTJBQAXh.exe, ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: 11065-AMM0000557423-736065949.exe, Virustotal: Detection: 23%
Source: 11065-AMM0000557423-736065949.exe, ReversingLabs: Detection: 31%
Source: 5.2.11065-AMM0000557423-736065949.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49749 -> 46.4.95.247:587
Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49750 -> 46.4.95.247:587
Source: global traffic, TCP traffic: 192.168.2.5:49749 -> 46.4.95.247:587
Source: Joe Sandbox View, Domain Name: elhelado.com.mx
Source: Joe Sandbox View, ASN Name: unknown
Source: unknown, DNS traffic detected: queries for: mail.elhelado.com.mx
Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1200539628.00000000031B3000.00000004.00000001.sdmp, String found in binary or memory: http://MOx5rIzSSpak0qLPtH.com
Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1200539628.00000000031B3000.00000004.00000001.sdmp, String found in binary or memory: http://elhelado.com.mx
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.813308604.0000000006266000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1200539628.00000000031B3000.00000004.00000001.sdmp, String found in binary or memory: http://mail.elhelado.com.mx
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.806970899.00000000031F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.813308604.0000000006266000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.813308604.0000000006266000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.813308604.0000000006266000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000003.781299974.0000000006188000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.813308604.0000000006266000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.813308604.0000000006266000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.813308604.0000000006266000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000003.783544287.0000000006173000.00000004.00000001.sdmp, 11065-AMM0000557423-736065949.exe, 00000000.00000003.783698402.0000000006173000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000003.783544287.0000000006173000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/#
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000003.783544287.0000000006173000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000003.783698402.0000000006173000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/v
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000003.783544287.0000000006173000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000003.783544287.0000000006173000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000003.783544287.0000000006173000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/oi
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000003.783544287.0000000006173000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/va
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.813308604.0000000006266000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.813308604.0000000006266000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000003.785968240.000000000618C000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.comx
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.813308604.0000000006266000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.813308604.0000000006266000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.813308604.0000000006266000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.813308604.0000000006266000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn

System Summary:

              Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.816589536.0000000007AE0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.816589536.0000000007AE0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.818648712.0000000009470000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.804380997.0000000000F46000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAQfsxgfmOQYQHfRVr.exe: vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.806970899.00000000031F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameonkexsvbhTAMnbWEJcvgICfCBsLEgCsp.exe4 vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.815969491.00000000079E0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.807348838.0000000003289000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreEntity.dll6 vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000004.00000002.801524230.0000000000096000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAQfsxgfmOQYQHfRVr.exe: vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1203536105.00000000063A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000005.00000000.802419031.0000000000AE6000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAQfsxgfmOQYQHfRVr.exe: vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1202205812.00000000053D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewbemdisp.tlbj% vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1197462478.000000000044C000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameonkexsvbhTAMnbWEJcvgICfCBsLEgCsp.exe4 vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1197821886.0000000000EF7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1198744072.000000000128A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1203295384.00000000062A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1203499554.0000000006390000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exeBinary or memory string: OriginalFilenameAQfsxgfmOQYQHfRVr.exe: vs 11065-AMM0000557423-736065949.exe
              Source: 11065-AMM0000557423-736065949.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: RTJBQAXh.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: 11065-AMM0000557423-736065949.exe, u0003u2003.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: RTJBQAXh.exe.0.dr, u0003u2003.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 0.0.11065-AMM0000557423-736065949.exe.ed0000.0.unpack, u0003u2003.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 0.2.11065-AMM0000557423-736065949.exe.ed0000.0.unpack, u0003u2003.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 4.2.11065-AMM0000557423-736065949.exe.20000.0.unpack, u0003u2003.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 4.0.11065-AMM0000557423-736065949.exe.20000.0.unpack, u0003u2003.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@11/7@2/1
              Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exeFile created: C:\Users\user\AppData\Roaming\RTJBQAXh.exeJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_01
              Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exeMutant created: \Sessions\1\BaseNamedObjects\YXACGZPTbsQRXw
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5604:120:WilError_01
              Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exeFile created: C:\Users\user\AppData\Local\Temp\tmpD283.tmpJump to behavior
              Source: 11065-AMM0000557423-736065949.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 11065-AMM0000557423-736065949.exe | Virustotal: Detection: 23%
Source: 11065-AMM0000557423-736065949.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | File read: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe
Source: unknown | Process created: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe 'C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTJBQAXh' /XML 'C:\Users\user\AppData\Local\Temp\tmpD283.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe {path}
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTJBQAXh' /XML 'C:\Users\user\AppData\Local\Temp\tmpD283.tmp'
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Process created: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe {path}
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 11065-AMM0000557423-736065949.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 11065-AMM0000557423-736065949.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: CoreEntity.pdb source: 11065-AMM0000557423-736065949.exe, 00000000.00000002.807348838.0000000003289000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_0115E10B pushfd ; retf 5_2_0115E149
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_0115D75C pushfd ; retf 5_2_0115D75D
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_0115DFAD push esp; retf 5_2_0115E0E9
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_0115D6FC push esp; retf 5_2_0115D6FD
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_0115D6FF pushad ; retf 5_2_0115D71D
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_0115E0EB pushad ; retf 5_2_0115E109
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_0625E3EC push eax; retf 5_2_0625E3ED
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_06253FCF push es; ret 5_2_06254058
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_0645D270 push es; retf 0646h 5_2_0645D334
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_0645663B push es; iretd 5_2_064567D0
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_06456513 push es; iretd 5_2_064567D0
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_06456734 push es; iretd 5_2_064567D0
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_064561FD push es; iretd 5_2_064567D0
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_06454A49 push 8BFFFFFFh; retf 5_2_06454A58
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_06450013 pushad ; ret 5_2_06450015
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_06456229 push es; iretd 5_2_064567D0
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_06452AAD push es; iretd 5_2_06452AAE
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_064564B7 push es; iretd 5_2_064567D0
Source: initial sample | Static PE information: section name: .text entropy: 7.84547311257

Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | File created: C:\Users\user\AppData\Roaming\RTJBQAXh.exe

              Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTJBQAXh' /XML 'C:\Users\user\AppData\Local\Temp\tmpD283.tmp'

Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Window / User API: threadDelayed 522
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Window / User API: threadDelayed 9142
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe TID: 5368 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe TID: 5808 | Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe TID: 5768 | Thread sleep count: 522 > 30
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe TID: 5768 | Thread sleep count: 9142 > 30
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1198817398.00000000012B3000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Code function: 5_2_011F3AA9 LdrInitializeThunk, 5_2_011F3AA9
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTJBQAXh' /XML 'C:\Users\user\AppData\Local\Temp\tmpD283.tmp'
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Process created: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe {path}
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1199259266.0000000001850000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1199259266.0000000001850000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1199259266.0000000001850000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: 11065-AMM0000557423-736065949.exe, 00000005.00000002.1199259266.0000000001850000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\11065-AMM0000557423-736065949.exeQueries volume