Analysis Report MR#1901421 - RT materials.exe

Overview

General Information

Sample Name: MR#1901421 - RT materials.exe
Analysis ID: 286422
MD5: fa282dee9e966a6825b44364814acded
SHA1: e40aeece36c56cc919bea095e7285c2fc6c5b3bc
SHA256: 277848fe676c925becc15a494855ccbc42ee8e2e88cf61144d7de703c82250a0
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • MR#1901421 - RT materials.exe (PID: 6584 cmdline: 'C:\Users\user\Desktop\MR#1901421 - RT materials.exe' MD5: FA282DEE9E966A6825B44364814ACDED)
    • schtasks.exe (PID: 6676 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iejZDvQv' /XML 'C:\Users\user\AppData\Local\Temp\tmp2F7E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "zR5mMud2d0", "URL: ": "http://bYjEiSfq0xoxxaUKkg.org", "To: ": "ceejay@usamilitarydept.com", "ByHost: ": "smtp.usamilitarydept.com:587", "Password: ": "Hy0wipN9PO3A0", "From: ": "ceejay@usamilitarydept.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.444339709.0000000002D91000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.444339709.0000000002D91000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.442059462.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.199506461.00000000038D9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: MR#1901421 - RT materials.exe PID: 6720 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(2 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.MR#1901421 - RT materials.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

              Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data:
  • Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iejZDvQv' /XML 'C:\Users\user\AppData\Local\Temp\tmp2F7E.tmp'
  • CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iejZDvQv' /XML 'C:\Users\user\AppData\Local\Temp\tmp2F7E.tmp'
  • CommandLine|base64offset|contains: *j
  • Image: C:\Windows\SysWOW64\schtasks.exe
  • NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  • OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  • ParentCommandLine: 'C:\Users\user\Desktop\MR#1901421 - RT materials.exe'
  • ParentImage: C:\Users\user\Desktop\MR#1901421 - RT materials.exe
  • ParentProcessId: 6584
  • ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iejZDvQv' /XML 'C:\Users\user\AppData\Local\Temp\tmp2F7E.tmp'
  • ProcessId: 6676

              Signature Overview

AV Detection:

Found malware configuration
Source: MR#1901421 - RT materials.exe.6720.3.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "zR5mMud2d0", "URL: ": "http://bYjEiSfq0xoxxaUKkg.org", "To: ": "ceejay@usamilitarydept.com", "ByHost: ": "smtp.usamilitarydept.com:587", "Password: ": "Hy0wipN9PO3A0", "From: ": "ceejay@usamilitarydept.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\iejZDvQv.exe; Virustotal: Detection: 35%
Multi AV Scanner detection for submitted file
Source: MR#1901421 - RT materials.exe; Virustotal: Detection: 35%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\iejZDvQv.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: MR#1901421 - RT materials.exe; Joe Sandbox ML: detected
Source: 3.2.MR#1901421 - RT materials.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49733 -> 208.91.199.225:587
Source: global traffic; TCP traffic: 192.168.2.5:49733 -> 208.91.199.225:587
Source: Joe Sandbox View; IP Address: 208.91.199.225
Source: unknown; DNS traffic detected: queries for: smtp.usamilitarydept.com
Source: MR#1901421 - RT materials.exe, 00000003.00000002.444339709.0000000002D91000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MR#1901421 - RT materials.exe, 00000003.00000002.444339709.0000000002D91000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: MR#1901421 - RT materials.exe, 00000003.00000002.444339709.0000000002D91000.00000004.00000001.sdmp; String found in binary or memory: http://MkhVWK.com
Source: MR#1901421 - RT materials.exe, 00000003.00000002.445141001.00000000030A4000.00000004.00000001.sdmp; String found in binary or memory: http://bYjEiSfq0xoxxaUKkg.org
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: MR#1901421 - RT materials.exe, 00000000.00000002.197490534.0000000002AB7000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MR#1901421 - RT materials.exe, 00000003.00000002.445141001.00000000030A4000.00000004.00000001.sdmp; String found in binary or memory: http://smtp.usamilitarydept.com
Source: MR#1901421 - RT materials.exe, 00000000.00000002.197116884.0000000002881000.00000004.00000001.sdmp; String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: MR#1901421 - RT materials.exe, 00000003.00000002.445141001.00000000030A4000.00000004.00000001.sdmp; String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: MR#1901421 - RT materials.exe, 00000000.00000002.202529452.00000000068F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: MR#1901421 - RT materials.exe, 00000003.00000002.444339709.0000000002D91000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: MR#1901421 - RT materials.exe, 00000003.00000002.442059462.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: MR#1901421 - RT materials.exe, 00000003.00000002.444339709.0000000002D91000.00000004.00000001.sdmp; String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: MR#1901421 - RT materials.exe, 00000003.00000002.442059462.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MR#1901421 - RT materials.exe, 00000003.00000002.444339709.0000000002D91000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; Code function: 3_2_0578D444 SetWindowsHookExW 0000000D,00000000,?,?
Installs a global keyboard hook
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\MR#1901421 - RT materials.exe
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary:

Source: MR#1901421 - RT materials.exe; Binary or memory string: OriginalFilename vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe, 00000000.00000002.203942021.00000000075C0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameB2B.exe4 vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe, 00000000.00000002.197490534.0000000002AB7000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLWwUnyUqpNuFQkexeKdHCnxzMHbsQskWjy.exe4 vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe, 00000000.00000002.197116884.0000000002881000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameWinRar.dll. vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe, 00000000.00000002.204201301.0000000007DC0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe, 00000000.00000002.204829953.0000000007EB0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe, 00000000.00000002.204829953.0000000007EB0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe, 00000000.00000002.203566547.0000000007410000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe, 00000003.00000002.442489816.0000000000D37000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe, 00000003.00000002.442059462.0000000000402000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameLWwUnyUqpNuFQkexeKdHCnxzMHbsQskWjy.exe4 vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe, 00000003.00000002.443186150.0000000000F40000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe, 00000003.00000002.443473501.0000000001030000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamewshom.ocx.mui vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe, 00000003.00000002.443666267.00000000010FA000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe, 00000003.00000002.443451682.0000000001020000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamewshom.ocx vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe; Binary or memory string: OriginalFilenameSKp.exe( vs MR#1901421 - RT materials.exe
Source: MR#1901421 - RT materials.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: iejZDvQv.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@6/3@2/1
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; File created: C:\Users\user\AppData\Roaming\iejZDvQv.exe
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_01
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; File created: C:\Users\user\AppData\Local\Temp\tmp2F7E.tmp
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: MR#1901421 - RT materials.exe; Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; File read: C:\Users\user\Desktop\MR#1901421 - RT materials.exe:Zone.Identifier
Source: unknown; Process created: C:\Users\user\Desktop\MR#1901421 - RT materials.exe 'C:\Users\user\Desktop\MR#1901421 - RT materials.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iejZDvQv' /XML 'C:\Users\user\AppData\Local\Temp\tmp2F7E.tmp'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Users\user\Desktop\MR#1901421 - RT materials.exe {path}
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iejZDvQv' /XML 'C:\Users\user\AppData\Local\Temp\tmp2F7E.tmp'
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; Process created: C:\Users\user\Desktop\MR#1901421 - RT materials.exe {path}
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: MR#1901421 - RT materials.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MR#1901421 - RT materials.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Data Obfuscation:

              barindex
              .NET source code contains method to dynamically call methods (often used by packers)Show sources
              Source: MR#1901421 - RT materials.exe, job/SparseArray.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
              Source: iejZDvQv.exe.0.dr, job/SparseArray.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
              Source: 0.2.MR#1901421 - RT materials.exe.520000.0.unpack, job/SparseArray.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
              Source: 0.0.MR#1901421 - RT materials.exe.520000.0.unpack, job/SparseArray.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
              Source: 3.0.MR#1901421 - RT materials.exe.910000.0.unpack, job/SparseArray.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
              Source: 3.2.MR#1901421 - RT materials.exe.910000.1.unpack, job/SparseArray.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
              .NET source code contains potential unpackerShow sources
              Source: MR#1901421 - RT materials.exe, job/SparseArray.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: iejZDvQv.exe.0.dr, job/SparseArray.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.MR#1901421 - RT materials.exe.520000.0.unpack, job/SparseArray.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.MR#1901421 - RT materials.exe.520000.0.unpack, job/SparseArray.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 3.0.MR#1901421 - RT materials.exe.910000.0.unpack, job/SparseArray.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 3.2.MR#1901421 - RT materials.exe.910000.1.unpack, job/SparseArray.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe Code function: 0_2_053C0310 push eax; ret 0_2_053C0311
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe Code function: 0_2_053C5A3C push esp; ret 0_2_053C5A3D
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe Code function: 0_2_053C3218 pushfd ; ret 0_2_053C333D
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe Code function: 0_2_070C1EA9 push ebx; retf 0_2_070C1EC9
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe Code function: 0_2_070C1D9A push edi; ret 0_2_070C1D9B
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe Code function: 0_2_070C1D90 push edi; ret 0_2_070C1D91
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe Code function: 3_2_00FBB557 push edi; retn 0000h 3_2_00FBB559
               Source: initial sample Static PE information: section name: .text entropy: 7.96856521107
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe File created: C:\Users\user\AppData\Roaming\iejZDvQv.exe

              Boot Survival:

               Uses schtasks.exe or at.exe to add and modify task schedules
               Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iejZDvQv' /XML 'C:\Users\user\AppData\Local\Temp\tmp2F7E.tmp'
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

               Yara detected AntiVM_3
               Source: Yara match File source: Process Memory Space: MR#1901421 - RT materials.exe PID: 6584, type: MEMORY
               Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
               Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
               Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
               Source: MR#1901421 - RT materials.exe, 00000000.00000002.197490534.0000000002AB7000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
               Source: MR#1901421 - RT materials.exe, 00000000.00000002.197490534.0000000002AB7000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe Thread delayed: delay time: 922337203685477
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe Window / User API: threadDelayed 771
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6588 Thread sleep time: -33000s >= -30000s
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6608 Thread sleep time: -922337203685477s >= -30000s
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992 Thread sleep time: -4611686018427385s >= -30000s
               Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6996 Thread sleep count: 771 > 30
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -51282s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -50594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -50376s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -50188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -50000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -49282s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -49094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -48188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -48000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -47094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -45782s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -44500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -43594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -42282s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -41188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -41000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -40282s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -40094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -39876s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -39188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -39000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -38782s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -38094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -37876s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -37688s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -36782s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -36376s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -35688s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -35500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -34376s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -34188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -34000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -32188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -47532s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -45891s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -30376s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -30188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exe TID: 6992Thread sleep time: -44250s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exeLast function: Thread delayed
              Source: MR#1901421 - RT materials.exe, 00000000.00000002.197490534.0000000002AB7000.00000004.00000001.sdmpBinary or memory string: vmware
              Source: MR#1901421 - RT materials.exe, 00000000.00000002.197490534.0000000002AB7000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: MR#1901421 - RT materials.exe, 00000000.00000002.197490534.0000000002AB7000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
              Source: MR#1901421 - RT materials.exe, 00000000.00000002.197490534.0000000002AB7000.00000004.00000001.sdmpBinary or memory string: VMWARE
              Source: MR#1901421 - RT materials.exe, 00000000.00000002.197490534.0000000002AB7000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: MR#1901421 - RT materials.exe, 00000000.00000002.197490534.0000000002AB7000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: MR#1901421 - RT materials.exe, 00000000.00000002.197490534.0000000002AB7000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
              Source: MR#1901421 - RT materials.exe, 00000000.00000002.197490534.0000000002AB7000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
              Source: MR#1901421 - RT materials.exe, 00000003.00000002.443762797.000000000117B000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\MR#1901421 - RT materials.exeProcess information queried: ProcessInformationJump to behavior