
Analysis Report AWB-DRAFT-D061620.exe

Overview

General Information

Sample Name: AWB-DRAFT-D061620.exe
Analysis ID: 299610
MD5: 390b8935f9a9e7a2b4f8ccba2260297e
SHA1: 5f343161b2211507bf0db81e1d3219fd9191ac77
SHA256: 18fd02253bd3e3458ae988dc884567ac238606beeb1095c9c849ee58becc48f7
Tags: DHL exe


Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • AWB-DRAFT-D061620.exe (PID: 6508 cmdline: 'C:\Users\user\Desktop\AWB-DRAFT-D061620.exe' MD5: 390B8935F9A9E7A2B4F8CCBA2260297E)
    • schtasks.exe (PID: 6848 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ulnbLqaJFZmS' /XML 'C:\Users\user\AppData\Local\Temp\tmp9672.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "r4CnA", "URL: ": "https://WJfCKsfoRjidWEX8Fm.org", "To: ": "sureshkumar@polocraft.in", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "5ZFcTcJzlo", "From: ": "sureshkumar@polocraft.in"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.502791003.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.507497317.0000000003571000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.507497317.0000000003571000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.266931380.0000000003F3B000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: AWB-DRAFT-D061620.exe PID: 6508 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.AWB-DRAFT-D061620.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ulnbLqaJFZmS' /XML 'C:\Users\user\AppData\Local\Temp\tmp9672.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ulnbLqaJFZmS' /XML 'C:\Users\user\AppData\Local\Temp\tmp9672.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\AWB-DRAFT-D061620.exe', ParentImage: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe, ParentProcessId: 6508, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ulnbLqaJFZmS' /XML 'C:\Users\user\AppData\Local\Temp\tmp9672.tmp', ProcessId: 6848

Signature Overview

AV Detection:

Found malware configuration
Source: AWB-DRAFT-D061620.exe.7032.9.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "r4CnA", "URL: ": "https://WJfCKsfoRjidWEX8Fm.org", "To: ": "sureshkumar@polocraft.in", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "5ZFcTcJzlo", "From: ": "sureshkumar@polocraft.in"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ulnbLqaJFZmS.exe | ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: AWB-DRAFT-D061620.exe | ReversingLabs: Detection: 14%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ulnbLqaJFZmS.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: AWB-DRAFT-D061620.exe | Joe Sandbox ML: detected
Source: 9.2.AWB-DRAFT-D061620.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: global traffic | TCP traffic: 192.168.2.7:49751 -> 208.91.198.143:587
Source: Joe Sandbox View | IP Address: 208.91.198.143
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.507497317.0000000003571000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.507497317.0000000003571000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.507497317.0000000003571000.00000004.00000001.sdmp | String found in binary or memory: http://GNMHfb.com
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.506094556.0000000001831000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertSecure
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.509863249.00000000038DB000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.509863249.00000000038DB000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.261878039.0000000002471000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AWB-DRAFT-D061620.exe | String found in binary or memory: http://tempuri.org/supermartDataSet.xsd
Source: AWB-DRAFT-D061620.exe | String found in binary or memory: http://tempuri.org/supermartDataSet.xsdQhttp://tempuri.org/supermartDataSet2.xsd
Source: AWB-DRAFT-D061620.exe | String found in binary or memory: http://tempuri.org/supermartDataSet1.xsd
Source: AWB-DRAFT-D061620.exe | String found in binary or memory: http://tempuri.org/supermartDataSet1.xsdYSELECT
Source: AWB-DRAFT-D061620.exe | String found in binary or memory: http://tempuri.org/supermartDataSet2.xsd
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.509835960.00000000038D5000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.507497317.0000000003571000.00000004.00000001.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000003.485319395.0000000001634000.00000004.00000001.sdmp | String found in binary or memory: https://WJfCKsfoRjidWEX8Fm.org
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.507497317.0000000003571000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.266931380.0000000003F3B000.00000004.00000001.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000002.502791003.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.507497317.0000000003571000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.509863249.00000000038DB000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.266931380.0000000003F3B000.00000004.00000001.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000002.502791003.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.507497317.0000000003571000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\AWB-DRAFT-D061620.exe
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D4D50 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D4160 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D05D8 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D0488 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D54B0 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D8CC0 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D1290 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D4280 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D8D1F ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D550F ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D41BF ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D4DAF ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D11CF ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D4011 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D5450 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D8CB9 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D4CA0 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D0CD0 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D04E8 ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D03E8 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D4E11 ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D1230 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D4220 ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D42DF ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D12EF ExitWindowsEx
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_00089AB8
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_0008A9ED
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_00BFD658
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A20930
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A20040
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A2436C
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A20C01
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A20C10
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A20E94
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A20E2B
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A20E12
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A20668
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A20E6F
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A20678
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A20920
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A34DF0
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A30D10
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A33548
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A3C158
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A3A8A8
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A32CF0
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A33F10
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A3D760
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A3D200
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A37608
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A381A0
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A3B1B8
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A38187
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A33988
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A375F8
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A33538
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A30D00
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A34D19
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A37168
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A37178
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A33978
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A32140
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A34D47
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A32150
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A35CC8
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A35CD8
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A37426
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A37428
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A32C5C
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A36BA8
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A36BB8
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A36F30
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A33F00
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A36F40
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A3AB58
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 8_2_003C9AB8
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 8_2_003CA9ED
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_00FFA9ED
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_00FF9AB8
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011DF710
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D9730
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D13B0
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D97F0
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D76C0
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D3910
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D4930
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011DF4F0
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_011D1350
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_0160B458
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 9_2_0160D7D8
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.274774568.000000000BC10000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs AWB-DRAFT-D061620.exe
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.274774568.000000000BC10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs AWB-DRAFT-D061620.exe
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.262788925.0000000002680000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMjCdOUgqVOqmbEXbdGKMZSlTlDFcgvW.exe4 vs AWB-DRAFT-D061620.exe
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.274319902.000000000BB10000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs AWB-DRAFT-D061620.exe
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.260603790.000000000012A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamec vs AWB-DRAFT-D061620.exe
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.273291049.0000000005A40000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs AWB-DRAFT-D061620.exe
Source: AWB-DRAFT-D061620.exe, 00000008.00000002.259155609.000000000046A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamec vs AWB-DRAFT-D061620.exe
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.506552940.0000000001A90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs AWB-DRAFT-D061620.exe
Source: AWB-DRAFT-D061620.exe, 00000009.00000000.259895654.000000000109A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamec vs AWB-DRAFT-D061620.exe
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.502791003.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameMjCdOUgqVOqmbEXbdGKMZSlTlDFcgvW.exe4 vs AWB-DRAFT-D061620.exe
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.512474382.0000000006D40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs AWB-DRAFT-D061620.exe
Source: AWB-DRAFT-D061620.exe, 00000009.00000002.504013256.00000000014F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs AWB-DRAFT-D061620.exe
Source: AWB-DRAFT-D061620.exe | Binary or memory string: OriginalFilenamec vs AWB-DRAFT-D061620.exe
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@8/5@1/1
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | File created: C:\Users\user\AppData\Roaming\ulnbLqaJFZmS.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Mutant created: \Sessions\1\BaseNamedObjects\aHxfIBeeyGGuQHAYGHX
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | File created: C:\Users\user\AppData\Local\Temp\tmp9672.tmp
Source: AWB-DRAFT-D061620.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.260502161.0000000000082000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000008.00000002.259059950.00000000003C2000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000000.259804189.0000000000FF2000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[purchase] SET [sup_id] = @sup_id, [item_id] = @item_id, [cost_price] = @cost_price, [quantity] = @quantity, [unit] = @unit, [entry_date] = @entry_date, [selling_price] = @selling_price WHERE (([purchase_id] = @Original_purchase_id) AND ([sup_id] = @Original_sup_id) AND ([item_id] = @Original_item_id) AND ([cost_price] = @Original_cost_price) AND ([quantity] = @Original_quantity) AND ([unit] = @Original_unit) AND ([entry_date] = @Original_entry_date) AND ((@IsNull_selling_price = 1 AND [selling_price] IS NULL) OR ([selling_price] = @Original_selling_price)));
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.260502161.0000000000082000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000008.00000002.259059950.00000000003C2000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000000.259804189.0000000000FF2000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[supplier] SET [sup_address] = @sup_address, [sup_phone] = @sup_phone, [entry_date] = @entry_date, [purchase_id] = @purchase_id WHERE (([sup_id] = @Original_sup_id) AND ((@IsNull_sup_address = 1 AND [sup_address] IS NULL) OR ([sup_address] = @Original_sup_address)) AND ((@IsNull_sup_phone = 1 AND [sup_phone] IS NULL) OR ([sup_phone] = @Original_sup_phone)) AND ([entry_date] = @Original_entry_date) AND ((@IsNull_purchase_id = 1 AND [purchase_id] IS NULL) OR ([purchase_id] = @Original_purchase_id)));
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.260502161.0000000000082000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000008.00000002.259059950.00000000003C2000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000000.259804189.0000000000FF2000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[supplier] ([sup_address], [sup_phone], [entry_date], [purchase_id]) VALUES (@sup_address, @sup_phone, @entry_date, @purchase_id);
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.260502161.0000000000082000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000008.00000002.259059950.00000000003C2000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000000.259804189.0000000000FF2000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[sale] SET [cus_id] = @cus_id, [item_id] = @item_id, [quantity] = @quantity, [date] = @date, [total_price] = @total_price, [selling_price] = @selling_price WHERE (([sale_id] = @Original_sale_id) AND ([cus_id] = @Original_cus_id) AND ([item_id] = @Original_item_id) AND ([quantity] = @Original_quantity) AND ([date] = @Original_date) AND ([total_price] = @Original_total_price) AND ((@IsNull_selling_price = 1 AND [selling_price] IS NULL) OR ([selling_price] = @Original_selling_price)));
Source: AWB-DRAFT-D061620.exe | Binary or memory string: INSERT INTO [dbo].[item] ([item_name], [quantity], [price], [date]) VALUES (@item_name, @quantity, @price, @date); SELECT item_id,
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.260502161.0000000000082000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000008.00000002.259059950.00000000003C2000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000000.259804189.0000000000FF2000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[purchase] ([sup_id], [item_id], [cost_price], [quantity], [unit], [entry_date], [selling_price]) VALUES (@sup_id, @item_id, @cost_price, @quantity, @unit, @entry_date, @selling_price);
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.260502161.0000000000082000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000008.00000002.259059950.00000000003C2000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000000.259804189.0000000000FF2000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[sale] SET [cus_id] = @cus_id, [item_id] = @item_id, [quantity] = @quantity, [selling_price] = @selling_price, [date] = @date WHERE (([sale_id] = @Original_sale_id) AND ([cus_id] = @Original_cus_id) AND ([item_id] = @Original_item_id) AND ([quantity] = @Original_quantity) AND ([selling_price] = @Original_selling_price) AND ([date] = @Original_date));
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.260502161.0000000000082000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000008.00000002.259059950.00000000003C2000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000000.259804189.0000000000FF2000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[supplier] ([sup_address], [sup_phone], [entry_date], [sup_name]) VALUES (@sup_address, @sup_phone, @entry_date, @sup_name);
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.260502161.0000000000082000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000008.00000002.259059950.00000000003C2000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000000.259804189.0000000000FF2000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[item] ([item_name], [quantity], [price], [date]) VALUES (@item_name, @quantity, @price, @date);
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.260502161.0000000000082000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000008.00000002.259059950.00000000003C2000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000000.259804189.0000000000FF2000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[item] SET [item_name] = @item_name, [quantity] = @quantity, [price] = @price, [date] = @date WHERE (([item_id] = @Original_item_id) AND ([item_name] = @Original_item_name) AND ([quantity] = @Original_quantity) AND ([price] = @Original_price) AND ([date] = @Original_date));
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.260502161.0000000000082000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000008.00000002.259059950.00000000003C2000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000000.259804189.0000000000FF2000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[sale] ([cus_id], [item_id], [quantity], [selling_price], [date]) VALUES (@cus_id, @item_id, @quantity, @selling_price, @date);
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.260502161.0000000000082000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000008.00000002.259059950.00000000003C2000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000000.259804189.0000000000FF2000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[item] ([item_name], [quantity], [price], [date], [selling_price]) VALUES (@item_name, @quantity, @price, @date, @selling_price);
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.260502161.0000000000082000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000008.00000002.259059950.00000000003C2000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000000.259804189.0000000000FF2000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[customer] ([cus_name], [cus_phone], [cus_address], [entry_date]) VALUES (@cus_name, @cus_phone, @cus_address, @entry_date);
Source: AWB-DRAFT-D061620.exe, 00000001.00000002.260502161.0000000000082000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000008.00000002.259059950.00000000003C2000.00000002.00020000.sdmp, AWB-DRAFT-D061620.exe, 00000009.00000000.259804189.0000000000FF2000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[supplier] SET [sup_address] = @sup_address, [sup_phone] = @sup_phone, [entry_date] = @entry_date, [sup_name] = @sup_name WHERE (([sup_id] = @Original_sup_id) AND ((@IsNull_sup_address = 1 AND [sup_address] IS NULL) OR ([sup_address] = @Original_sup_address)) AND ((@IsNull_sup_phone = 1 AND [sup_phone] IS NULL) OR ([sup_phone] = @Original_sup_phone)) AND ([entry_date] = @Original_entry_date) AND ((@IsNull_sup_name = 1 AND [sup_name] IS NULL) OR ([sup_name] = @Original_sup_name)));
              Source: AWB-DRAFT-D061620.exe | ReversingLabs: Detection: 14%
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | File read: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe:Zone.Identifier
              Source: unknown | Process created: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe 'C:\Users\user\Desktop\AWB-DRAFT-D061620.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ulnbLqaJFZmS' /XML 'C:\Users\user\AppData\Local\Temp\tmp9672.tmp'
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe {path}
              Source: unknown | Process created: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe {path}
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ulnbLqaJFZmS' /XML 'C:\Users\user\AppData\Local\Temp\tmp9672.tmp'
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Process created: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe {path}
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Process created: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe {path}
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: AWB-DRAFT-D061620.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: AWB-DRAFT-D061620.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A33838 pushad ; iretd 1_2_05A33839
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Code function: 1_2_05A303F4 push cs; ret 1_2_05A303F5
              Source: initial sample | Static PE information: section name: .text entropy: 7.24279114801
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | File created: C:\Users\user\AppData\Roaming\ulnbLqaJFZmS.exe

              Boot Survival:

              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ulnbLqaJFZmS' /XML 'C:\Users\user\AppData\Local\Temp\tmp9672.tmp'
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match | File source: Process Memory Space: AWB-DRAFT-D061620.exe PID: 6508, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: AWB-DRAFT-D061620.exe, 00000001.00000002.262693071.000000000266F000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: AWB-DRAFT-D061620.exe, 00000001.00000002.262693071.000000000266F000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 240000
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 239907
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 239750
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 239657
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 239547
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 239407
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 239297
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 239203
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 239094
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 239000
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 238907
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 238750
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 238657
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 238547
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 238453
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 238344
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 238203
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 238094
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 238000
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 237907
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 237750
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 237657
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 237547
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 237453
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 237203
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 237094
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 237000
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 236907
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 236750
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 236657
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 236547
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 236407
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 236297
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 236203
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 236047
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 235953
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 235844
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 235703
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 235594
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 235453
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 235344
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 235250
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 235157
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 235047
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 234907
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 234797
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 234703
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 234594
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 234500
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 234407
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 234250
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 234157
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 234047
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 233953
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 233844
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 233703
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 233594
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 233500
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 233407
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 233250
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 233157
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 233047
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 232907
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 232797
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 232703
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 232594
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 232453
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe | Thread delayed: delay time: 232344
              Source: C:\Users\user\Desktop\AWB-DRAFT-D061620.exe