
Analysis Report 6Q7jTSzAYL.exe

Overview

General Information

Sample Name: 6Q7jTSzAYL.exe
MD5: 6cd11fe1038867baa38ad7fbce1298b6
SHA1: d6c7d981cbf9e0dbf93e9d995d3f0dd8abe7c1d5
SHA256: f8308e10cb652b941d811d09b3293e3f73f73f715e53d61cbcbe2d7d28387d6e


Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Creates autostart registry keys with suspicious values (likely registry only malware)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • 6Q7jTSzAYL.exe (PID: 3660 cmdline: 'C:\Users\user\Desktop\6Q7jTSzAYL.exe' MD5: 6CD11FE1038867BAA38AD7FBCE1298B6)
    • InstallUtil.exe (PID: 1788 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • wscript.exe (PID: 3704 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\648351\SzKnDC\SzKnDCLfk.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • SzKnD.exe (PID: 4216 cmdline: 'C:\648351\SzKnDC\SzKnD.exe' MD5: 6CD11FE1038867BAA38AD7FBCE1298B6)
      • InstallUtil.exe (PID: 5508 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • wscript.exe (PID: 1824 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\648351\SzKnDC\SzKnDCLfk.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • SzKnD.exe (PID: 1692 cmdline: 'C:\648351\SzKnDC\SzKnD.exe' MD5: 6CD11FE1038867BAA38AD7FBCE1298B6)
      • InstallUtil.exe (PID: 5652 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
        • WerFault.exe (PID: 480 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5652 -s 1432 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.1083969798.000000000432F000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1086238826.0000000005710000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.1165788728.0000000000C21000.00000004.00000020.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.1174274071.0000000003CDF000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1086425214.0000000005B22000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(14 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
5.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
7.2.SzKnD.exe.5170000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.SzKnD.exe.58b0000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(1 further entry not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\648351\SzKnDC\SzKnD.exe | Virustotal: Detection: 23%
Source: C:\648351\SzKnDC\SzKnD.exe | ReversingLabs: Detection: 70%
Multi AV Scanner detection for submitted file
Source: 6Q7jTSzAYL.exe | Virustotal: Detection: 23%
Source: 6Q7jTSzAYL.exe | ReversingLabs: Detection: 70%
Machine Learning detection for dropped file
Source: C:\648351\SzKnDC\SzKnD.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 6Q7jTSzAYL.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Source: 6Q7jTSzAYL.exe, 00000000.00000002.1080098853.0000000001271000.00000004.00000020.sdmp | String found in binary or memory: http://go.mic

Source: 6Q7jTSzAYL.exe, 00000000.00000002.1079985899.0000000001230000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\648351\SzKnDC\SzKnD.exe | Code function: 7_2_05141C04 CreateProcessW, NtQueryInformationProcess, NtReadVirtualMemory, NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread, NtResumeThread | 7_2_05141C04
Source: C:\648351\SzKnDC\SzKnD.exe | Code function: 7_2_051400AD NtOpenSection, NtMapViewOfSection | 7_2_051400AD
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5652 -s 1432
Source: 6Q7jTSzAYL.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SzKnD.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6Q7jTSzAYL.exe | Binary or memory string: OriginalFilename vs 6Q7jTSzAYL.exe
Source: 6Q7jTSzAYL.exe, 00000000.00000002.1083969798.000000000432F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKoCXJFWGnEkcbMCOfyHzMtUumNOXCVCCtvIAL.exe4 vs 6Q7jTSzAYL.exe
Source: 6Q7jTSzAYL.exe, 00000000.00000003.1077709725.00000000012B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenametlnweu.exe< vs 6Q7jTSzAYL.exe
Source: 6Q7jTSzAYL.exe, 00000000.00000002.1080573044.0000000002EC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 6Q7jTSzAYL.exe
Source: 6Q7jTSzAYL.exe, 00000000.00000002.1085938805.0000000005630000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenKOniBrQhNTw.exe4 vs 6Q7jTSzAYL.exe
Source: 6Q7jTSzAYL.exe, 00000000.00000002.1079985899.0000000001230000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 6Q7jTSzAYL.exe
Source: 6Q7jTSzAYL.exe | Binary or memory string: OriginalFilenametlnweu.exe< vs 6Q7jTSzAYL.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 6Q7jTSzAYL.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SzKnD.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@14/9@0/0
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6Q7jTSzAYL.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5652
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER54B9.tmp
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\648351\SzKnDC\SzKnDCLfk.vbs'
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\648351\SzKnDC\SzKnD.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 6Q7jTSzAYL.exe | Virustotal: Detection: 23%
Source: 6Q7jTSzAYL.exe | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | File read: C:\Users\user\Desktop\6Q7jTSzAYL.exe
Source: unknown | Process created: C:\Users\user\Desktop\6Q7jTSzAYL.exe 'C:\Users\user\Desktop\6Q7jTSzAYL.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\648351\SzKnDC\SzKnDCLfk.vbs'
Source: unknown | Process created: C:\648351\SzKnDC\SzKnD.exe 'C:\648351\SzKnDC\SzKnD.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5652 -s 1432
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\648351\SzKnDC\SzKnD.exe 'C:\648351\SzKnDC\SzKnD.exe'
Source: C:\648351\SzKnDC\SzKnD.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 6Q7jTSzAYL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 6Q7jTSzAYL.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.ni.pdbRSDS | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: InstallUtil.PDBF4 | source: InstallUtil.exe, 00000008.00000002.1346560695.0000000000AF7000.00000004.00000010.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb | source: InstallUtil.exe, 00000008.00000002.1346560695.0000000000AF7000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb: | source: InstallUtil.exe, 00000008.00000002.1353300266.0000000005E70000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb | source: InstallUtil.exe, 00000008.00000002.1353300266.0000000005E70000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb | source: InstallUtil.exe, 00000008.00000002.1346560695.0000000000AF7000.00000004.00000010.sdmp
Source: Binary string: CustomMarshalers.pdb | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: System.pdb | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: Microsoft.VisualBasic.pdb | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: System.Core.ni.pdb | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: CustomMarshalers.pdb4; | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: q .pdb | source: InstallUtil.exe, 00000008.00000002.1346560695.0000000000AF7000.00000004.00000010.sdmp
Source: Binary string: System.Windows.Forms.pdb | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: System.Core.pdbp | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB | source: InstallUtil.exe, 00000008.00000002.1346560695.0000000000AF7000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdb | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: (P4r8C:\Windows\InstallUtil.pdb | source: InstallUtil.exe, 00000008.00000002.1346560695.0000000000AF7000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb | source: InstallUtil.exe, 00000008.00000002.1353300266.0000000005E70000.00000004.00000001.sdmp
Source: Binary string: System.Management.pdb | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: mscorlib.ni.pdb | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: System.Management.ni.pdb | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: System.Core.pdb | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB | source: InstallUtil.exe, 00000008.00000002.1353300266.0000000005E70000.00000004.00000001.sdmp
Source: Binary string: ?rC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb= | source: InstallUtil.exe, 00000008.00000002.1346560695.0000000000AF7000.00000004.00000010.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb | source: InstallUtil.exe, 00000008.00000002.1346560695.0000000000AF7000.00000004.00000010.sdmp
Source: Binary string: System.ni.pdb | source: WER54B9.tmp.dmp.15.dr
Source: Binary string: System.Core.ni.pdbRSDS | source: WER54B9.tmp.dmp.15.dr

Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | Code function: 0_2_02EB4FC8 push eax; ret | 0_2_02EB4FC9
Source: C:\648351\SzKnDC\SzKnD.exe | Code function: 4_2_00C358B9 push esi; retn 0000h | 4_2_00C358BA
Source: C:\648351\SzKnDC\SzKnD.exe | Code function: 4_2_025E2331 pushfd ; retn 0000h | 4_2_025E2332
Source: C:\648351\SzKnDC\SzKnD.exe | Code function: 4_2_025E21F0 pushfd ; retn 0000h | 4_2_025E2312
Source: C:\648351\SzKnDC\SzKnD.exe | Code function: 4_2_025E4FC8 push eax; ret | 4_2_025E4FC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02CE284D pushad ; ret | 5_2_02CE284E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_0541D94D push ds; retf | 5_2_0541D94F
Source: C:\648351\SzKnDC\SzKnD.exe | Code function: 7_2_04E44FC2 push eax; ret | 7_2_04E44FC9
Source: C:\648351\SzKnDC\SzKnD.exe | Code function: 7_2_04E4D0E3 push E801EA5Eh; retf | 7_2_04E4D101
Source: initial sample | Static PE information: section name: .text entropy: 7.61659188944

Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | File created: C:\648351\SzKnDC\SzKnD.exe (dropped file)

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SzKnD C:\648351\SzKnDC\SzKnDCLfk.vbs
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SzKnD

Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\648351\SzKnDC\SzKnD.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\648351\SzKnDC\SzKnD.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 922337203685477
Source: C:\648351\SzKnDC\SzKnD.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe TID: 4396 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe TID: 5472 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4036 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5252 | Thread sleep count: 176 > 30
Source: C:\648351\SzKnDC\SzKnD.exe TID: 6044 | Thread sleep time: -30000s >= -30000s
Source: C:\648351\SzKnDC\SzKnD.exe TID: 4876 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\648351\SzKnDC\SzKnD.exe TID: 8 | Thread sleep time: -30000s >= -30000s
Source: C:\648351\SzKnDC\SzKnD.exe TID: 1612 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5124 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5168 | Thread sleep count: 189 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5124 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Last function: Thread delayed
Source: SzKnD.exe, 00000007.00000002.1166524460.0000000002A04000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information queried: ProcessInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process queried: DebugPort
Source: C:\648351\SzKnDC\SzKnD.exe | Code function: 7_2_051400AD mov ecx, dword ptr fs:[00000030h] 7_2_051400AD
Source: C:\648351\SzKnDC\SzKnD.exe | Code function: 7_2_051400AD mov eax, dword ptr fs:[00000030h] 7_2_051400AD
Source: C:\648351\SzKnDC\SzKnD.exe | Code function: 7_2_051401CB mov eax, dword ptr fs:[00000030h] 7_2_051401CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe protection: execute and read and write
Source: C:\648351\SzKnDC\SzKnD.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe protection: execute and read and write
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\648351\SzKnDC\SzKnD.exe 'C:\648351\SzKnDC\SzKnD.exe'
Source: C:\648351\SzKnDC\SzKnD.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe

Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | Queries volume information: C:\Users\user\Desktop\6Q7jTSzAYL.exe VolumeInformation
Source: C:\Users\user\Desktop\6Q7jTSzAYL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\648351\SzKnDC\SzKnD.exe | Queries volume information: C:\648351\SzKnDC\SzKnD.exe VolumeInformation
Source: C:\648351\SzKnDC\SzKnD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\648351\SzKnDC\SzKnD.exe | Queries volume information: C:\648351\SzKnDC\SzKnD.exe VolumeInformation
Source: C:\648351\SzKnDC\SzKnD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_016B1C58 GetUserNameW, 2_2_016B1C58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.1083969798.000000000432F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1086238826.0000000005710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1165788728.0000000000C21000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1174274071.0000000003CDF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1086425214.0000000005B22000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1172055398.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1145906181.00000000038EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1143306742.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1149007310.00000000058B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1178051695.0000000005172000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1346118321.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1138391697.000000000083D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1349370344.0000000002AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SzKnD.exe PID: 1692, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5508, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6Q7jTSzAYL.exe PID: 3660, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1788, type: MEMORY
Source: Yara match | File source: Process Memory Space: SzKnD.exe PID: 4216, type: MEMORY
Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.SzKnD.exe.5170000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SzKnD.exe.58b0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6Q7jTSzAYL.exe.5b20000.4.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
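The process-creation lines above (wscript.exe starting the dropped SzKnD.exe, which in turn starts InstallUtil.exe with nothing but its own path on the command line) and the credential-store accesses performed by that InstallUtil.exe instance (Firefox profiles.ini, the SmartFTP Favorites folder, the IncrediMail Identities key) together form a detectable pattern. The following is an added example written for this page, not code from the Joe Sandbox report: it runs three detection rules over constructed Sysmon-style events modelled on the lines above. The event field names, the list of .NET hollowing hosts beyond InstallUtil.exe, the "two or more credential stores" threshold and the two benign control events are assumptions for the example.

```python
"""Detection logic for the execution chain and credential-store access
listed in this report, run over constructed Sysmon-style events.

Added example, not part of the Joe Sandbox report. Event field names,
the hollowing-host list and the alert thresholds are assumptions.
"""
import re
from dataclasses import dataclass

INSTALLUTIL = re.compile(r"\\installutil\.exe$", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# .NET utilities commonly used as hollowed hosts by AgentTesla-style loaders
# (assumed list; the report itself only shows InstallUtil.exe).
HOLLOWING_HOSTS = {"installutil.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe"}
# Credential stores taken from the report's "File opened" / "Key opened" lines.
CREDENTIAL_STORES = [
    ("firefox_profiles", re.compile(r"\\Mozilla\\Firefox\\profiles\.ini$", re.I)),
    ("smartftp_favorites", re.compile(r"\\SmartFTP\\.*\\Favorites\\", re.I)),
    ("incredimail_identities",
     re.compile(r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities$", re.I)),
]

# Constructed sample events modelled on the report's process-creation and
# file/registry-access lines, plus two benign events as negative controls.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 4216,
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\648351\SzKnDC\SzKnD.exe",
     "command_line": r"'C:\648351\SzKnDC\SzKnD.exe'"},
    {"type": "ProcessCreate", "pid": 5652,
     "parent_image": r"C:\648351\SzKnDC\SzKnD.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "command_line": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"},
    {"type": "ProcessCreate", "pid": 7001,  # benign: installer assembly supplied
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "command_line": r"InstallUtil.exe C:\Build\MyService.exe"},
    {"type": "FileOpen", "pid": 5652,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"type": "FileOpen", "pid": 5652,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "path": r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect" + "\\"},
    {"type": "RegOpen", "pid": 5652,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "path": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"type": "FileOpen", "pid": 8012,  # benign: the browser reading its own index
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _is_system_path(path: str) -> bool:
    return path.lower().startswith(
        ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\"))


def _has_installer_arg(command_line: str) -> bool:
    """InstallUtil legitimately receives an assembly path; a bare executable
    path, as in the report's process-creation lines, is the hollowing pattern."""
    tokens = command_line.replace('"', "").replace("'", "").split()
    return any(not INSTALLUTIL.search(t) and t.lower() != "installutil.exe"
               for t in tokens)


def detect(events) -> list:
    alerts = []
    stores_by_pid = {}  # pid -> (image, set of credential stores touched)
    for ev in events:
        if ev["type"] == "ProcessCreate":
            if INSTALLUTIL.search(ev["image"]) and not _has_installer_arg(ev["command_line"]):
                alerts.append(Alert("installutil_no_assembly", ev["pid"],
                                    "parent=" + ev["parent_image"]))
            if _basename(ev["parent_image"]) in SCRIPT_HOSTS and not _is_system_path(ev["image"]):
                alerts.append(Alert("script_host_spawns_dropped_exe", ev["pid"], ev["image"]))
        elif ev["type"] in ("FileOpen", "RegOpen"):
            for store, pattern in CREDENTIAL_STORES:
                if pattern.search(ev["path"]):
                    stores_by_pid.setdefault(ev["pid"], (ev["image"], set()))[1].add(store)
    # One process touching browser, FTP and mail stores is the harvesting
    # signature; a known hollowing host touching even one store is enough.
    for pid, (image, stores) in stores_by_pid.items():
        if len(stores) >= 2 or _basename(image) in HOLLOWING_HOSTS:
            alerts.append(Alert("credential_store_harvesting", pid, ",".join(sorted(stores))))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the three rules fire only for PIDs 4216 and 5652: the developer's InstallUtil.exe invocation (an installer assembly on the command line) and Firefox reading its own profiles.ini produce nothing. The cross-store correlation is the part worth keeping in production: any single file open of profiles.ini is noisy, whereas one process touching browser, FTP and mail stores in sequence is the stealer behaviour the report documents.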

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: the same 25 sources (13 memory dumps, 6 process memory spaces, 6 unpacked PE images) listed under Stealing of Sensitive Information above; the rule fires in both categories.

MITRE ATT&CK Matrix

The report's matrix has 14 tactic columns; the extracted text flattened it into rows. It is rebuilt here per tactic, entries in column order. Techniques that triggered signatures sit at the top of their column and carry the report's hit-count digits in brackets, reproduced as rendered (the superscript grouping was lost in extraction); the remaining entries are the report's untriggered matrix template.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
Execution: Windows Management Instrumentation [211]; Scripting [11]; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Registry Run Keys / Startup Folder [11]; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Process Injection [111]; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Masquerading [1]; Software Packing [3]; Disabling Security Tools [1]; Virtualization/Sandbox Evasion [15]; Process Injection [111]; Scripting [11]; Obfuscated Files or Information [2]; DLL Side-Loading [1]
Credential Access: Credential Dumping [2]; Input Capture [1]; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: Virtualization/Sandbox Evasion [15]; Process Discovery [1]; Account Discovery [1]; System Owner/User Discovery [1]; Security Software Discovery [231]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [113]
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Email Collection [1]; Input Capture [1]; Data from Local System [2]; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted [1]; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Standard Cryptographic Protocol [1]; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                      Behavior Graph

Behavior Graph ID: 232337 | Sample: 6Q7jTSzAYL.exe | Start date: 22/05/2020 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Machine Learning detection for sample

Process tree recovered from the graph dump (the graph image is not part of this text; the dump breaks off at its last node):
• 6Q7jTSzAYL.exe (started from the sample)
  • dropped: C:\648351\SzKnDC\SzKnD.exe, PE32
  • dropped: C:\Users\user\AppData\...\6Q7jTSzAYL.exe.log, ASCII
  • dropped: C:\648351\SzKnDC\SzKnDCLfk.vbs, ASCII
  • dropped: C:\648351\SzKnDC\SzKnD.exe:Zone.Identifier, ASCII
  • signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Maps a DLL or memory area into another process
  • started: InstallUtil.exe
    • signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
• wscript.exe (started from the sample)
  • started: SzKnD.exe
    • signature: Maps a DLL or memory area into another process
    • started: InstallUtil.exe
• wscript.exe (second instance, started from the sample)
  • started: SzKnD.exe
    • signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    • InstallUtil.exe (graph dump truncated here)