
Analysis Report .exe

Overview

General Information

Sample Name: .exe
Analysis ID:321141
MD5:4c0960a22153523b2626bff364cc7073
SHA1:8596c7561f3668d544ee5cf24ac19c1c9db6c616
SHA256:c9442156b26b8fe68a84028f85861191bff85680b1460d26b9491cbc3f3ac230
Tags:exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Yara detected AgentTesla
Yara detected AntiVM_3
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • .exe (PID: 6444 cmdline: 'C:\Users\user\Desktop\ .exe' MD5: 4C0960A22153523B2626BFF364CC7073)
    • schtasks.exe (PID: 6604 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • .exe (PID: 6752 cmdline: {path} MD5: 4C0960A22153523B2626BFF364CC7073)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "LG3xhtQljnZve", "URL: ": "http://dIhLHGXisr.net", "To: ": "supervisor@persec.gr", "ByHost: ": "mail.persec.gr:587", "Password: ": "g71iC6Xh1Q24qt", "From: ": "supervisor@persec.gr"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
.exe | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth
  • 0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\apQsEpT.exe | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth
  • 0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2. .exe.510000.1.unpack | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth
  • 0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
4.0. .exe.510000.0.unpack | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth
  • 0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
0.0. .exe.320000.0.unpack | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth
  • 0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
4.2. .exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2. .exe.320000.0.unpack | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth
  • 0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\ .exe' , ParentImage: C:\Users\user\Desktop\ .exe, ParentProcessId: 6444, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp', ProcessId: 6604
Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\ .exe, NewProcessName: C:\Users\user\Desktop\ .exe, OriginalFileName: C:\Users\user\Desktop\ .exe, ParentCommandLine: 'C:\Users\user\Desktop\ .exe' , ParentImage: C:\Users\user\Desktop\ .exe, ParentProcessId: 6444, ProcessCommandLine: {path}, ProcessId: 6752

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: .exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\apQsEpT.exe | Avira: detection malicious, Label: TR/Kryptik.uduze
Found malware configuration
Source: .exe.6752.4.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "LG3xhtQljnZve", "URL: ": "http://dIhLHGXisr.net", "To: ": "supervisor@persec.gr", "ByHost: ": "mail.persec.gr:587", "Password: ": "g71iC6Xh1Q24qt", "From: ": "supervisor@persec.gr"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\apQsEpT.exe | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: .exe | Virustotal: Detection: 55%
Source: .exe | ReversingLabs: Detection: 41%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\apQsEpT.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: .exe | Joe Sandbox ML: detected
Source: 4.2. .exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: global traffic | TCP traffic: 192.168.2.3:49746 -> 85.25.186.211:587
Source: Joe Sandbox View | ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE
Source: unknown | DNS traffic detected: queries for: mail.persec.gr

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\ .exe | Code function: 4_2_00E4085C SetWindowsHookExW 0000000D,00000000,?,? | 4_2_00E4085C
Installs a global keyboard hook
Source: C:\Users\user\Desktop\ .exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\ .exe
Source: C:\Users\user\Desktop\ .exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Source: .exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: apQsEpT.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .exe | Binary or memory string: OriginalFilename vs .exe
Source: .exe, 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKHMZrpfhVHbupBTDgZUuRpVOwPEewuQgjBGfHK.exe4 vs .exe
Source: .exe, 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename-^lQ.exe2 vs .exe
Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs .exe
Source: .exe, 00000000.00000002.229849312.00000000052D0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs .exe
Source: .exe, 00000000.00000002.229849312.00000000052D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs .exe
Source: .exe, 00000000.00000002.229717040.00000000051D0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs .exe
Source: .exe, 00000000.00000002.233680197.000000000D840000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs .exe
Source: .exe, 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameKHMZrpfhVHbupBTDgZUuRpVOwPEewuQgjBGfHK.exe4 vs .exe
Source: .exe, 00000004.00000002.475414380.0000000000512000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename-^lQ.exe2 vs .exe
Source: .exe, 00000004.00000002.483118570.0000000005C40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs .exe
Source: .exe, 00000004.00000002.475845812.0000000000938000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs .exe
Source: .exe, 00000004.00000002.477070900.0000000000D30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs .exe
Source: .exe | Binary or memory string: OriginalFilename-^lQ.exe2 vs .exe
Source: .exe, type: SAMPLE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: C:\Users\user\AppData\Roaming\apQsEpT.exe, type: DROPPED | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 4.2. .exe.510000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 4.0. .exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.0. .exe.320000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.2. .exe.320000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: .exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: apQsEpT.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@2/1
Source: C:\Users\user\Desktop\ .exe | File created: C:\Users\user\AppData\Roaming\apQsEpT.exe
Source: C:\Users\user\Desktop\ .exe | Mutant created: \Sessions\1\BaseNamedObjects\BrbtmaRrqYfXTg
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_01
Source: C:\Users\user\Desktop\ .exe | File created: C:\Users\user\AppData\Local\Temp\tmp88EB.tmp
Source: C:\Users\user\Desktop\ .exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ .exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ .exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ .exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ .exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ .exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ .exe | File read: C:\Users\user\Desktop\ .exe
Source: unknown | Process created: C:\Users\user\Desktop\ .exe 'C:\Users\user\Desktop\ .exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\ .exe {path}
Source: C:\Users\user\Desktop\ .exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp'
Source: C:\Users\user\Desktop\ .exe | Process created: C:\Users\user\Desktop\ .exe {path}
Source: C:\Users\user\Desktop\ .exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\ .exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\ .exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: .exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: .exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\ .exe | Code function: 4_2_00E0B55F push edi; retn 0000h | 4_2_00E0B561
Source: C:\Users\user\Desktop\ .exe | Code function: 4_2_00E2811A push 8BFFFFFFh; retf | 4_2_00E28120
Source: initial sample | Static PE information: section name: .text entropy: 7.8624495092
Source: C:\Users\user\Desktop\ .exe | File created: \ .exe
Source: C:\Users\user\Desktop\ .exe | File created: C:\Users\user\AppData\Roaming\apQsEpT.exe (dropped file)

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp'

              Hooking and other Techniques for Hiding and Protection:

              barindex
              Icon mismatch, binary includes an icon from a different legit application in order to fool usersShow sources
              Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: icon (2112).png
              Source: C:\Users\user\Desktop\ .exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: .exe PID: 6444, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\ .exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\ .exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\ .exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\ .exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ .exe | Window / User API: threadDelayed 777
Source: C:\Users\user\Desktop\ .exe TID: 6568 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 6448 | Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 6468 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7020 | Thread sleep count: 93 > 30
Source: C:\Users\user\Desktop\ .exe TID: 7020 | Thread sleep count: 777 > 30
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -59500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -59314s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -58406s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -87000s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -57594s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -57314s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -56500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -83721s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -83391s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -83109s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -54906s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -54500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -54314s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -53814s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -53594s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -53406s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -53000s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -78750s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -51906s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -51406s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -76500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -50814s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -50094s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -49220s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -73500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -48814s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -48594s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -47500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -47314s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -46814s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -46594s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -45720s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -45500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -45314s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -45094s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -44906s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -43814s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -43314s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -43094s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -42906s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -42500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -42220s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -42000s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -41594s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -40500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -39594s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -38720s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -38500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -38314s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -38094s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -37000s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -36814s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -36314s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -35220s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -34814s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -34314s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -34094s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -50109s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -33220s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -31094s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -30906s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -30720s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -39471s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -34221s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -51814s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -51594s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -75750s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -49406s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -48500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -48094s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -47406s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -70500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -45906s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -44814s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -44594s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -43906s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -43500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -41906s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -41314s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -41094s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -40406s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -39500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -38906s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -38406s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -38000s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -37814s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -37594s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -36906s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -36500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -35406s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -34906s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -34500s >= -30000s
Source: C:\Users\user\Desktop\ .exe TID: 7016 | Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\Desktop\ .exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ .exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\ .exe | Last function: Thread delayed
Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: .exe, 00000004.00000002.476639062.0000000000B42000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ .exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ .exe | Code function: 4_2_00E00A70 LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher, | 4_2_00E00A70
Source: C:\Users\user\Desktop\ .exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\ .exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ .exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp'
Source: C:\Users\user\Desktop\ .exe | Process created: C:\Users\user\Desktop\ .exe {path}
Source: .exe, 00000004.00000002.477679550.0000000001220000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: .exe, 00000004.00000002.477679550.0000000001220000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: .exe, 00000004.00000002.477679550.0000000001220000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: .exe, 00000004.00000002.477679550.0000000001220000.00000002.00000001.sdmp | Binary or memory string: Progmanlock