
Analysis Report AWB-18267638920511_ES.exe

Overview

General Information

Sample Name: AWB-18267638920511_ES.exe
Analysis ID: 323615
MD5: 8b7f30a440fcc0b4b4ea690ecbfff43e
SHA1: b3c91697ef02a5d357849e6358d825fdab37a69e
SHA256: b437404019d38740807ee024fce54ac262690c6bcc59e893b7d8ca4392e7465a
Tags: AgentTesla

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • AWB-18267638920511_ES.exe (PID: 3984 cmdline: 'C:\Users\user\Desktop\AWB-18267638920511_ES.exe' MD5: 8B7F30A440FCC0B4B4EA690ECBFFF43E)
    • schtasks.exe (PID: 5944 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "RrY9j3ju7QQ", "URL: ": "http://51Rg6ceg1VdsK.net", "To: ": "winwinner151@gmail.com", "ByHost: ": "mail.talleresgenerauto.es:587", "Password: ": "S2vtG9cNKv", "From: ": "chapaypintura@talleresgenerauto.es"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(7 entries in total; the remaining ones are not shown here)

Unpacked PEs

Source | Rule | Description | Author
3.2.AWB-18267638920511_ES.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\AWB-18267638920511_ES.exe'
  ParentImage: C:\Users\user\Desktop\AWB-18267638920511_ES.exe
  ParentProcessId: 3984
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'
  ProcessId: 5944
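The Sigma hit above and the Startup tree describe one persistence pattern: a binary running from the user's Desktop writes a task definition to %TEMP%, registers it with schtasks.exe /Create /XML, and re-spawns itself as the injection target. The following is an added example of that detection logic written as a process-tree check over Sysmon-style events; it is not the Sigma rule itself nor Joe Sandbox code. The events are constructed from the PIDs and command lines shown in the report (plus one benign control), and the directory lists are this example's assumptions about what counts as "temp" and "user-writable".

```python
"""Process-tree detection for the persistence pattern in the Sigma hit above:
schtasks.exe /Create fed a task XML from a temp directory, launched by a binary
in a user-writable location, followed by the sample re-spawning itself (the
injection target).  Events are constructed Sysmon-style records modelled on the
Startup tree; this is an added example, not the Sigma rule or sandbox code."""
import re
from dataclasses import dataclass

# Constructed process-creation events.  Argument quoting follows the report's
# single-quote rendering; real Windows command lines use double quotes, which
# the tokenizer below also accepts.
EVENTS = [
    {"pid": 3984, "ppid": 1234, "image": r"C:\Users\user\Desktop\AWB-18267638920511_ES.exe",
     "cmd": r"'C:\Users\user\Desktop\AWB-18267638920511_ES.exe'"},
    {"pid": 5944, "ppid": 3984, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' "
            r"/XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'"},
    {"pid": 3728, "ppid": 3984, "image": r"C:\Users\user\Desktop\AWB-18267638920511_ES.exe",
     "cmd": r"'C:\Users\user\Desktop\AWB-18267638920511_ES.exe'"},
    # Benign control: a task definition installed from ProgramData by a system process.
    {"pid": 7001, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
]

TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")

# Lower-case path fragments that place a file in a temp or user-writable directory (assumption).
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
USER_WRITABLE = ("\\desktop\\", "\\downloads\\", "\\appdata\\roaming\\",
                 "\\appdata\\local\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def tokenize(cmd: str) -> list[str]:
    """Split a command line on whitespace, keeping quoted paths intact."""
    return [t.strip("'\"") for t in TOKEN_RE.findall(cmd)]


def analyze(events: list[dict]) -> list[Finding]:
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        toks = tokenize(e["cmd"])
        low = [t.lower() for t in toks]
        if image.endswith("\\schtasks.exe") and "/create" in low and "/xml" in low:
            i = low.index("/xml")
            xml_path = toks[i + 1] if i + 1 < len(toks) else ""
            if any(d in xml_path.lower() for d in TEMP_DIRS):
                findings.append(Finding(e["pid"], "schtasks_xml_from_temp", xml_path))
            if parent and any(d in parent["image"].lower() for d in USER_WRITABLE):
                findings.append(Finding(e["pid"], "schtasks_from_user_writable_parent", parent["image"]))
        # Same binary spawning itself from a user-writable path: the
        # "creates a process in suspended mode" / self-injection pattern.
        if parent and parent["image"].lower() == image and any(d in image for d in USER_WRITABLE):
            findings.append(Finding(e["pid"], "self_spawn_from_user_writable", e["image"]))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"PID {f.pid}: {f.rule} -> {f.detail}")
```

Running it against the constructed events yields three findings: the temp-path XML for PID 5944, its Desktop-resident parent, and the self-spawn by PID 3728; the ProgramData control produces none. In production the same three conditions map onto Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the `/XML` path check alone is what the Sigma rule covers, the parent and self-spawn checks add the context that separates this from an administrator importing a task.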

              Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: AWB-18267638920511_ES.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\tGjZeZC.exe; Avira: detection malicious, Label: TR/AD.AgentTesla.bldep
Found malware configuration
Source: AWB-18267638920511_ES.exe.3728.3.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "RrY9j3ju7QQ", "URL: ": "http://51Rg6ceg1VdsK.net", "To: ": "winwinner151@gmail.com", "ByHost: ": "mail.talleresgenerauto.es:587", "Password: ": "S2vtG9cNKv", "From: ": "chapaypintura@talleresgenerauto.es"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\tGjZeZC.exe; ReversingLabs: Detection: 75%
Multi AV Scanner detection for submitted file
Source: AWB-18267638920511_ES.exe; ReversingLabs: Detection: 75%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\tGjZeZC.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: AWB-18267638920511_ES.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.AWB-18267638920511_ES.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 4x nop then jmp 078878B5h (0_2_07886ADC)
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.3:49740 -> 217.61.130.138:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: COMVIVE-ASSeville-SpainES
Source: unknown; DNS traffic detected: queries for: mail.talleresgenerauto.es
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: AWB-18267638920511_ES.exe, 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp, AWB-18267638920511_ES.exe, 00000003.00000002.475259720.0000000002EFB000.00000004.00000001.sdmp; String found in binary or memory: http://51Rg6ceg1VdsK.net
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp; String found in binary or memory: http://LVvtpY.com
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480483982.00000000067F0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480536913.0000000006835000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480483982.00000000067F0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480483982.00000000067F0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: AWB-18267638920511_ES.exe, 00000003.00000002.475508407.0000000002F30000.00000004.00000001.sdmp; String found in binary or memory: http://mail.talleresgenerauto.es
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480483982.00000000067F0000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223047556.0000000003201000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AWB-18267638920511_ES.exe, 00000003.00000002.475508407.0000000002F30000.00000004.00000001.sdmp; String found in binary or memory: http://talleresgenerauto.es
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp, AWB-18267638920511_ES.exe, 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp; String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480483982.00000000067F0000.00000004.00000001.sdmp; String found in binary or memory: https://sectigo.com/CPS0
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp, AWB-18267638920511_ES.exe, 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
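Most of the URLs dumped above are not indicators at all: the font-foundry and licence URLs come from fonts embedded in the .NET resources of the parent process (all from one memory region, 00000000.00000002.227857134.00000000072C2000), the CRL/OCSP/CPS URLs from a certificate chain, and the xmlsoap schema URI from the framework. The strings that matter are the SMTP host from the configuration and the compiled-in exfil alternatives (Telegram bot API, api.ipify.org, the Tor bundle). The example below is added here to show that triage as code; it is not sandbox output. The STRINGS list is a hand-picked subset of the report's listing with its trailing garbage left intact, and the host groupings are this example's heuristics.

```python
"""Triage of the 'String found in binary or memory' URLs above.  A .NET stealer
carries a lot of URL noise (font-foundry and licence URLs from embedded fonts,
CRL/OCSP URLs from a certificate chain, framework schema URIs) next to the few
strings that matter.  The host lists below are this example's heuristics, the
STRINGS list is a hand-picked subset of the report's listing, and the code is
added here rather than taken from the sandbox."""
from collections import defaultdict
from urllib.parse import urlsplit

# Extractor output as printed above; note the trailing ': ' in every key.
RAW_CONFIG = {"Username: ": "RrY9j3ju7QQ", "URL: ": "http://51Rg6ceg1VdsK.net",
              "To: ": "winwinner151@gmail.com", "ByHost: ": "mail.talleresgenerauto.es:587",
              "From: ": "chapaypintura@talleresgenerauto.es"}

# Subset of the memory strings, copied with their trailing garbage intact.
STRINGS = [
    "http://127.0.0.1:HTTP/1.1",
    "http://51Rg6ceg1VdsK.net",
    "http://DynDns.comDynDNS",
    "http://crl.comodoca.com/AAACertificateServices.crl04",
    "http://ocsp.comodoca.com0",
    "https://sectigo.com/CPS0",
    "http://mail.talleresgenerauto.es",
    "http://talleresgenerauto.es",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://www.carterandcone.coml",
    "http://www.fontbureau.com/designersG",
    "http://www.apache.org/licenses/LICENSE-2.0",
    "https://api.ipify.orgGETMozilla/5.0",
    "https://api.telegram.org/bot%telegramapi%/sendDocument",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip",
]

# Hosts that indicate compiled-in stealer features rather than this config's
# exfil channel (assumption based on the strings themselves).
CAPABILITY_HOSTS = ("api.telegram.org", "api.ipify.org", "www.theonionrouter.com")
PKI_HOSTS = ("crl.comodoca.com", "ocsp.comodoca.com", "sectigo.com")
RESOURCE_HOSTS = ("www.fontbureau.com", "www.carterandcone.com", "www.apache.org",
                  "schemas.xmlsoap.org")


def normalize_config(raw: dict) -> dict:
    """Turn 'ByHost: ' style keys into plain lower-case field names."""
    return {k.strip().rstrip(":").lower(): v for k, v in raw.items()}


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _known(host: str, known: tuple) -> bool:
    # startswith tolerates the trailing bytes glued onto many dumped strings
    return any(host == k or host.startswith(k) for k in known)


def classify(url: str, cfg: dict) -> str:
    host = host_of(url)
    exfil_host = cfg["byhost"].rsplit(":", 1)[0].lower()
    if _known(host, CAPABILITY_HOSTS):
        return "capability"
    if host == exfil_host or exfil_host.endswith("." + host):
        return "exfil"
    if url == cfg.get("url"):
        return "config_value"
    if host == "127.0.0.1":
        return "placeholder"
    if _known(host, PKI_HOSTS):
        return "pki_noise"
    if _known(host, RESOURCE_HOSTS):
        return "resource_noise"
    return "review"


def triage(strings: list, cfg: dict) -> dict:
    buckets = defaultdict(list)
    for s in strings:
        buckets[classify(s, cfg)].append(s)
    return dict(buckets)


if __name__ == "__main__":
    for cat, urls in triage(STRINGS, normalize_config(RAW_CONFIG)).items():
        print(cat, urls)
```

On this subset the only "exfil" entries are mail.talleresgenerauto.es and its parent domain, matching the ByHost field and the observed connection to 217.61.130.138:587; the Telegram URL still contains the unfilled `%telegramapi%` placeholder, consistent with the configuration using SMTP, so it belongs in a hunting list for other builds rather than a blocklist for this one. The font, licence and PKI hosts should not be blocked or alerted on. Anything that falls into "review" (here the DynDNS string) gets a manual look.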

System Summary:

Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 0_2_00DC8E4C
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 0_2_0169C584
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 0_2_0169E940
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 0_2_0169E950
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 0_2_07886ADC
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 0_2_078827F0
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 0_2_07880548
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 0_2_07881160
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 0_2_07880890
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 0_2_078A6CD1
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 0_2_078A3049
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 3_2_00A98E4C
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 3_2_014CC580
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 3_2_014C0668
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 3_2_014C54E8
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 3_2_014C1930
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 3_2_014CD800
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 3_2_014C1880
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 3_2_02D847A0
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 3_2_02D84790
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 3_2_02D8D830
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamenoRRazZkMXYaGjuLntkWympaWRqKPbhkCKJI.exe4 vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamel0 vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000000.00000002.228122371.0000000007780000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameB2B.exe4 vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000000.00000002.228736476.0000000009F10000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamenoRRazZkMXYaGjuLntkWympaWRqKPbhkCKJI.exe4 vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000003.00000000.221415344.0000000000B14000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamel0 vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474027449.00000000012D0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480001781.0000000005DD0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000003.00000002.471074944.0000000000EF8000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474149731.00000000014A0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamewshom.ocx.mui vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe; Binary or memory string: OriginalFilenamel0 vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tGjZeZC.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@6/3@2/1
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; File created: C:\Users\user\AppData\Roaming\tGjZeZC.exe
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Mutant created: \Sessions\1\BaseNamedObjects\RgLvAtUuBe
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_01
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; File created: C:\Users\user\AppData\Local\Temp\tmpA7E.tmp
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; File read: C:\Windows\System32\drivers\etc\hosts (logged three times)
Source: AWB-18267638920511_ES.exe; ReversingLabs: Detection: 75%
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; File read: C:\Users\user\Desktop\AWB-18267638920511_ES.exe
Source: unknown; Process created: C:\Users\user\Desktop\AWB-18267638920511_ES.exe 'C:\Users\user\Desktop\AWB-18267638920511_ES.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Users\user\Desktop\AWB-18267638920511_ES.exe {path}
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Process created: C:\Users\user\Desktop\AWB-18267638920511_ES.exe {path}
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: AWB-18267638920511_ES.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: AWB-18267638920511_ES.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 0_2_0788AFAF push dword ptr [ebx+ebp-75h]; iretd 0_2_0788AFD5
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; Code function: 0_2_0788B0C5 push FFFFFF8Bh; iretd 0_2_0788B0C7
Source: initial sample; Static PE information: section name: .text entropy: 7.65240635484
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe; File created: C:\Users\user\AppData\Roaming\tGjZeZC.exe (dropped file)
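The WMI queries logged above (Win32_Processor here; Win32_Bios, Win32_BaseBoard, Win32_VideoController and Win32_NetworkAdapter per the signature list) are the sample's VM check: it reads vendor strings and compares them against hypervisor names. The useful defensive counterpart is to audit the same classes on the analysis guest before detonation. The example below is added for that purpose and is not the sample's decompiled logic or sandbox code. The two WMI snapshots are constructed (a stock VirtualBox guest and a guest with spoofed values), and the property list, marker strings and MAC prefixes are this example's assumptions about what such checks commonly key on; on a real guest the values would come from WMI/CIM (for instance Get-CimInstance).

```python
"""Audit the WMI classes this sample enumerates (Win32_BIOS, Win32_BaseBoard,
Win32_VideoController, Win32_NetworkAdapter, Win32_Processor) for the vendor
strings a VM-aware stealer keys on.  Records below are constructed, not pulled
from the sandbox; the property list, marker strings and MAC prefixes are this
example's assumptions about common checks, not the sample's own logic."""
import re

# Property names worth inspecting per class (assumption).  The report writes
# Win32_Bios; WMI class names are case-insensitive, so it is the same class.
FIELDS = {
    "Win32_BIOS": ("Manufacturer", "SerialNumber", "SMBIOSBIOSVersion"),
    "Win32_BaseBoard": ("Manufacturer", "Product"),
    "Win32_VideoController": ("Name", "AdapterCompatibility"),
    "Win32_NetworkAdapter": ("MACAddress", "Manufacturer", "Name"),
    "Win32_Processor": ("Manufacturer", "Name"),
}

# Hypervisor vendor strings (assumption).  \bxen\b avoids matching "Xeon".
VM_MARKERS = re.compile(
    r"vmware|virtualbox|vbox|innotek|qemu|bochs|\bxen\b|parallels|hyper-v|virtual machine", re.I)

# First three octets registered to common hypervisors (assumption).
VM_MAC_OUIS = {"00:05:69", "00:0C:29", "00:1C:14", "00:50:56",   # VMware
               "08:00:27",                                        # VirtualBox
               "52:54:00",                                        # QEMU/KVM
               "00:15:5D",                                        # Hyper-V
               "00:16:3E"}                                        # Xen

# Constructed snapshot of an unmodified VirtualBox guest.
STOCK_VBOX = {
    "Win32_BIOS": [{"Manufacturer": "innotek GmbH", "SerialNumber": "0", "SMBIOSBIOSVersion": "VirtualBox"}],
    "Win32_BaseBoard": [{"Manufacturer": "Oracle Corporation", "Product": "VirtualBox"}],
    "Win32_VideoController": [{"Name": "VirtualBox Graphics Adapter", "AdapterCompatibility": "Oracle Corporation"}],
    "Win32_NetworkAdapter": [{"MACAddress": "08:00:27:3A:1F:02", "Manufacturer": "Intel Corporation",
                              "Name": "Intel(R) PRO/1000 MT Desktop Adapter"}],
    "Win32_Processor": [{"Manufacturer": "GenuineIntel", "Name": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz"}],
}

# Constructed snapshot of the same guest with spoofed DMI strings and MAC.
SPOOFED = {
    "Win32_BIOS": [{"Manufacturer": "Dell Inc.", "SerialNumber": "7KQ2R53", "SMBIOSBIOSVersion": "1.14.2"}],
    "Win32_BaseBoard": [{"Manufacturer": "Dell Inc.", "Product": "0N2HW1"}],
    "Win32_VideoController": [{"Name": "Intel(R) UHD Graphics 630", "AdapterCompatibility": "Intel Corporation"}],
    "Win32_NetworkAdapter": [{"MACAddress": "D4:BE:D9:8C:41:2A", "Manufacturer": "Intel Corporation",
                              "Name": "Intel(R) Ethernet Connection"}],
    "Win32_Processor": [{"Manufacturer": "GenuineIntel", "Name": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz"}],
}


def audit(wmi: dict) -> list[tuple]:
    """Return (class, property, value) triples that give the VM away."""
    hits = []
    for cls, props in FIELDS.items():
        for rec in wmi.get(cls, []):
            for p in props:
                v = rec.get(p)
                if not v:
                    continue
                if p == "MACAddress":
                    oui = str(v).upper().replace("-", ":")[:8]
                    if oui in VM_MAC_OUIS:
                        hits.append((cls, p, v))
                elif VM_MARKERS.search(str(v)):
                    hits.append((cls, p, v))
    return hits


if __name__ == "__main__":
    for cls, prop, value in audit(STOCK_VBOX):
        print(f"{cls}.{prop} = {value!r}")
```

The stock snapshot produces five hits (BIOS manufacturer and version, baseboard product, display adapter name, NIC OUI); the spoofed one produces none. Note that "Oracle Corporation" is deliberately not a marker, since it also appears on physical hardware, and that Win32_Processor rarely leaks the hypervisor through strings alone; a sample like this one also has the timing and long-sleep checks listed in the signatures, which this audit does not cover.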

              Boot Survival:

              barindex
              Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
              Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.223047556.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AWB-18267638920511_ES.exe PID: 3984, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 3_2_02D841AB rdtsc 3_2_02D841AB
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Window / User API: threadDelayed 528
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Window / User API: threadDelayed 3984
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Window / User API: threadDelayed 911
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Window / User API: threadDelayed 8947
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe TID: 5648 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe TID: 2592 | Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe TID: 4812 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe TID: 3412 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe TID: 6012 | Thread sleep count: 911 > 30
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe TID: 6012 | Thread sleep count: 8947 > 30
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: AWB-18267638920511_ES.exe, 00000000.00000002.222592845.00000000014C7000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480001781.0000000005DD0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AWB-18267638920511_ES.exe, 00000000.00000002.222592845.00000000014C7000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareMNK_8XREWin32_VideoControllerXNZ5D6VYVideoController120060621000000.000000-00002089649display.infMSBDABO4KPY2UPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsSL2GOE6C
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480001781.0000000005DD0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480001781.0000000005DD0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480483982.00000000067F0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480001781.0000000005DD0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 3_2_02D841AB rdtsc 3_2_02D841AB
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Memory allocated: page read and write | page guard
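Taken one at a time, the indicators above are ambiguous: inventory software enumerates Win32_BaseBoard and Win32_VideoController, driver installers read SystemBiosVersion and DriverDesc, and profilers use rdtsc. What makes this sample evasive is that one process combines hardware fingerprinting over WMI and the registry, string checks for Sandboxie (SbieDll.dll), Wine and VMware Tools, an rdtsc timing check, and thread delays long enough to outlast a sandbox run. The Python below is an added example, not part of the Joe Sandbox report or the sample, that classifies report-style event lines into technique families and derives a verdict from how many families co-occur. The event lines, the class and value lists, the 3-minute threshold (taken from the "long sleeps (>= 3 min)" signature) and the family count of 3 are assumptions constructed for the example. The 922337203685477 ms delay value is 2^63 ticks of 100 ns expressed in milliseconds, the largest magnitude a 64-bit relative wait interval can hold, which is why it amounts to an indefinite wait.

```python
"""Score sandbox/VM-evasion indicators from Joe Sandbox-style event lines.

Added example. The event lines, class lists and thresholds are assumptions
constructed for illustration; they are not the sandbox's own rules.
"""
import re
from collections import Counter

# WMI classes whose instances name the hypervisor (board/BIOS vendor, GPU,
# NIC MAC prefix, CPU model). Assumption: mirrors the classes the report flags.
VM_WMI_CLASSES = {
    "Win32_BaseBoard", "Win32_Bios", "Win32_VideoController",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration", "Win32_Processor",
}
# Registry value names whose data reveals a virtual disk, BIOS or display driver.
# "0" is Services\Disk\Enum\0, the first disk's vendor/model string.
VM_REGISTRY_VALUES = {"Identifier", "SystemBiosVersion", "VideoBiosVersion", "DriverDesc", "0"}
# Substrings tied to analysis tooling: Sandboxie's hook DLL, Wine's export, VMware Tools.
TOOL_STRINGS = ("sbiedll.dll", "wine_get_unix_file_name", "vmware")
# Assumption: 3 min, matching the report's "long sleeps (>= 3 min)" signature.
LONG_SLEEP_MS = 180_000
# 2**63 ticks of 100 ns in milliseconds: the largest magnitude a 64-bit relative
# wait interval can encode, so a thread parked with it never wakes on its own.
INFINITE_DELAY_MS = 2**63 // 10_000  # 922337203685477

EVENT_RE = re.compile(r"^Source: (?P<source>.+?) \| (?P<kind>[^:]+): (?P<detail>.*)$")


def delay_is_effectively_infinite(delay_ms):
    return delay_ms >= INFINITE_DELAY_MS


def classify(line):
    """Map one event line to a technique family, or None if it is not evasion-related."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    kind, detail = m.group("kind"), m.group("detail")
    if kind == "WMI Queries":
        wmi_class = detail.rsplit(" ", 1)[-1]          # class name is the last token
        return "wmi_hw_fingerprint" if wmi_class in VM_WMI_CLASSES else None
    if kind == "Registry key queried":
        value_name = detail.rsplit("name: ", 1)[-1]
        return "registry_hw_fingerprint" if value_name in VM_REGISTRY_VALUES else None
    if kind == "Binary or memory string":
        lowered = detail.lower()
        return "analysis_tool_string" if any(s in lowered for s in TOOL_STRINGS) else None
    if kind == "Code function" and " rdtsc " in detail:
        return "timing_check"                            # rdtsc deltas expose single-stepping and hooks
    if kind == "Thread delayed":
        delay_ms = int(detail.rsplit(" ", 1)[-1])
        return "long_sleep" if delay_ms >= LONG_SLEEP_MS else None
    return None


def score(lines):
    """Count technique families; the verdict depends on how many distinct families appear.

    Assumption: distinct families rather than raw event counts drive the verdict,
    because one fingerprinting routine emits many near-identical events.
    """
    counts = Counter(family for family in map(classify, lines) if family)
    families = len(counts)
    verdict = "evasive" if families >= 3 else ("suspicious" if families else "clean")
    return counts, verdict


# Constructed sample in the report's line format (not copied from the report).
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\Desktop\sample.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\sample.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController",
    r"Source: C:\Users\user\Desktop\sample.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process",
    r"Source: C:\Users\user\Desktop\sample.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
    r"Source: C:\Users\user\Desktop\sample.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion name: ProductName",
    r"Source: C:\Users\user\Desktop\sample.exe | Binary or memory string: SBIEDLL.DLL",
    r"Source: C:\Users\user\Desktop\sample.exe | Code function: 3_2_02D841AB rdtsc 3_2_02D841AB",
    r"Source: C:\Users\user\Desktop\sample.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\sample.exe | Thread delayed: delay time: 500",
]

if __name__ == "__main__":
    counts, verdict = score(SAMPLE_EVENTS)
    print(verdict, dict(counts))
```

The benign Win32_Process query, the ProductName read and the 500 ms sleep in the sample are deliberately ignored; a rule that fires on any WMI or registry access would drown in false positives, so the family lists are what carry the signal.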

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into foreign processes
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Memory written: C:\Users\user\Desktop\AWB-18267638920511_ES.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Process created: C:\Users\user\Desktop\AWB-18267638920511_ES.exe {path}
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474250296.0000000001860000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474250296.0000000001860000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474250296.0000000001860000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474250296.0000000001860000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
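Two of the events above are the ones worth alerting on. A buffer beginning with 4D5A ("MZ") written to address 0x400000, the default image base of a 32-bit executable, inside a freshly created copy of the sample is the process-hollowing sequence: the child's original image is being replaced before its main thread runs. The schtasks call registers a task from an XML file in the user's Temp directory, which is what the Sigma rule "Scheduled temp file as task from temp location" listed in the summary matches on. The Python below is an added example, not the sandbox's own Sigma rule or the sample's code, that applies both detections to constructed event lines in the report's format; the temp-directory list, the function names and the sample events are assumptions made for the example, although the values in the events echo what the report lists.

```python
"""Two detections over Joe Sandbox-style event lines: a scheduled task whose
definition XML lives in a temp directory, and a PE image written into a process.

Added example; rules, paths and sample events are constructed for illustration
and are not the sandbox's Sigma rules.
"""
import re

# Assumption: directories from which a task XML is never legitimately registered.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Quoted (single or double) or bare tokens; the report renders quotes as single quotes.
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
MEMWRITE_RE = re.compile(
    r"Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)"
)


def tokenize(cmdline):
    """Split a Windows command line, stripping matching outer quotes from each token."""
    tokens = []
    for tok in TOKEN_RE.findall(cmdline):
        if len(tok) >= 2 and tok[0] in "'\"" and tok[-1] == tok[0]:
            tok = tok[1:-1]
        tokens.append(tok)
    return tokens


def schtasks_from_temp(cmdline):
    """Flag schtasks /Create whose /XML path is under a temp directory; None otherwise."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    flags = {t.lower(): i for i, t in enumerate(toks)}   # switch -> position
    if "/create" not in flags or "/xml" not in flags:
        return None
    xml_idx = flags["/xml"] + 1
    if xml_idx >= len(toks):
        return None
    xml_path = toks[xml_idx]
    if not any(d in xml_path.lower() for d in TEMP_DIRS):
        return None
    tn_idx = flags.get("/tn")
    task = toks[tn_idx + 1] if tn_idx is not None and tn_idx + 1 < len(toks) else None
    return {"rule": "schtasks_xml_from_temp", "task": task, "xml": xml_path}


def pe_written_to_process(event):
    """Flag a cross-process write whose buffer starts with the MZ header (4D5A).

    0x400000 is the default image base of a 32-bit EXE, so an MZ write there
    into a suspended child means the child's own image is being replaced.
    """
    m = MEMWRITE_RE.search(event)
    if not m or not m.group("magic").upper().startswith("4D5A"):
        return None
    return {"rule": "pe_image_written_to_process",
            "target": m.group("target"), "base": int(m.group("base"), 16)}


def triage(cmdlines, writes):
    """Run both rules and return the findings in input order."""
    findings = [f for f in map(schtasks_from_temp, cmdlines) if f]
    findings += [f for f in map(pe_written_to_process, writes) if f]
    return findings


# Constructed events in the report's format; the first and fourth echo the report's values.
SAMPLE_CMDLINES = [
    r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'",
    r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Backup' /XML 'C:\ProgramData\Backup\task.xml'",
    r"'C:\Windows\System32\schtasks.exe' /Query /TN 'Updates\tGjZeZC'",
]
SAMPLE_WRITES = [
    r"Memory written: C:\Users\user\Desktop\sample.exe base: 400000 value starts with: 4D5A",
    r"Memory written: C:\Users\user\Desktop\sample.exe base: 7FFE0000 value starts with: 00000000",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES, SAMPLE_WRITES):
        print(finding)
```

The schtasks rule keys on the /XML path rather than the task name because the name (here under an "Updates\" folder) is attacker-chosen and changes per build, while registering a task from a file that will be deleted moments later is the behaviour that stays constant. The second and third command lines (a task XML under ProgramData, a /Query) and the zero-filled write are included to show that neither rule fires on them.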
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Users\user\Desktop\AWB-18267638920511_ES.exe VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Users\user\Desktop\AWB-18267638920511_ES.exe VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.224015893.000000000449F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: AWB-18267638920511_ES.exe PID: 3728, type: MEMORY
              Source: Yara match | File source: Process Memory Space: AWB-18267638920511_ES.exe PID: 3984, type: MEMORY
              Source: Yara match | File source: 3.2.AWB-18267638920511_ES.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Tries to harvest and steal ftp login credentials
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Tries to steal Mail credentials (via file access)
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: Yara match | File source: 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: AWB-18267638920511_ES.exe PID: 3728, type: MEMORY

              Remote Access Functionality:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.224015893.000000000449F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: AWB-18267638920511_ES.exe PID: 3728, type: MEMORY
              Source: Yara match | File source: Process Memory Space: AWB-18267638920511_ES.exe PID: 3984, type: MEMORY
              Source: Yara match | File source: 3.2.AWB-18267638920511_ES.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation311 | Scheduled Task/Job1 | Process Injection112 | Masquerading1 | OS Credential Dumping2 | Query Registry1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Virtualization/Sandbox Evasion24 | Credentials in Registry1 | Security Software Discovery431 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion24 | SMB/Windows Admin Shares | Data from Local System2 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information3 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing3 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery114 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

              Behavior Graph

              Behavior Graph ID: 323615 | Sample: AWB-18267638920511_ES.exe | Startdate: 27/11/2020 | Architecture: WINDOWS | Score: 100
              Start node signatures: Found malware configuration; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 9 other signatures
              Process AWB-18267638920511_ES.exe (started from the start node)
              • Dropped file: C:\Users\user\AppData\Roaming\tGjZeZC.exe, PE32
              • Dropped file: C:\Users\user\AppData\Local\Temp\tmpA7E.tmp, XML
              • Dropped file: C:\Users\...\AWB-18267638920511_ES.exe.log, ASCII
              • Signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
              • Signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              • Signature: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              • Signature: Injects a PE file into a foreign processes
              • Started: AWB-18267638920511_ES.exe (second instance)
              • Started: schtasks.exe
              Process AWB-18267638920511_ES.exe (second instance, started by the first)
              • DNS/IP: talleresgenerauto.es 217.61.130.138, 49740, 587, COMVIVE-AS Seville-Spain ES, Spain
              • DNS/IP: mail.talleresgenerauto.es
              • Signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
              • Signature: Tries to steal Mail credentials (via file access)
              • Signature: Tries to harvest and steal ftp login credentials
              • Signature: Tries to harvest and steal browser information (history, passwords, etc)
              Process schtasks.exe (started by the first instance)
              • Started: conhost.exe

              Screenshots


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              AWB-18267638920511_ES.exe | 76% | ReversingLabs | ByteCode-MSIL.Infostealer.Stelega
              AWB-18267638920511_ES.exe | 100% | Avira | TR/AD.AgentTesla.bldep
              AWB-18267638920511_ES.exe | 100% | Joe Sandbox ML |

              Dropped Files

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Roaming\tGjZeZC.exe | 100% | Avira | TR/AD.AgentTesla.bldep
              C:\Users\user\AppData\Roaming\tGjZeZC.exe | 100% | Joe Sandbox ML |
              C:\Users\user\AppData\Roaming\tGjZeZC.exe | 76% | ReversingLabs | ByteCode-MSIL.Infostealer.Stelega

              Unpacked PE Files

              Source | Detection | Scanner | Label
              3.2.AWB-18267638920511_ES.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

              Domains

              No Antivirus matches

              URLs

              Source | Detection | Scanner | Label
              http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
              http://DynDns.comDynDNS | 0% | URL Reputation | safe
              https://sectigo.com/CPS0 | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
              http://LVvtpY.com | 0% | Avira URL Cloud | safe
              http://www.tiro.com | 0% | URL Reputation | safe
              http://www.goodfont.co.kr | 0% | URL Reputation | safe
              http://talleresgenerauto.es | 0% | Avira URL Cloud | safe
              http://www.carterandcone.coml | 0% | URL Reputation | safe
              https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe
              http://www.sajatypeworks.com | 0% | URL Reputation | safe
              http://51Rg6ceg1VdsK.net | 0% | Avira URL Cloud | safe
              http://www.typography.netD | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
              http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
              http://fontfabrik.com | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn | 0% | URL Reputation | safe
              http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
              http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
              http://www.sandoll.co.kr | 0% | URL Reputation | safe
              http://www.urwpp.deDPlease | 0% | URL Reputation | safe
              http://mail.talleresgenerauto.es | 0% | Avira URL Cloud | safe
              http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
              http://www.sakkal.com | 0% | URL Reputation | safe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              talleresgenerauto.es | 217.61.130.138 | true | true | | unknown
              mail.talleresgenerauto.es | unknown | unknown | true | | unknown

                  URLs from Memory and Binaries

              Name | Source | Malicious | Antivirus Detection | Reputation
              http://127.0.0.1:HTTP/1.1 | AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
              http://www.apache.org/licenses/LICENSE-2.0 | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
              http://www.fontbureau.com | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
              http://www.fontbureau.com/designersG | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
              http://DynDns.comDynDNS | AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              https://sectigo.com/CPS0 | AWB-18267638920511_ES.exe, 00000003.00000002.480483982.00000000067F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              http://www.fontbureau.com/designers/? | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
              http://www.founder.com.cn/cn/bThe | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              http://LVvtpY.com | AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
              http://www.fontbureau.com/designers? | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
              http://www.tiro.com | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              http://www.fontbureau.com/designers | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
              http://www.goodfont.co.kr | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              http://talleresgenerauto.es | AWB-18267638920511_ES.exe, 00000003.00000002.475508407.0000000002F30000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
              http://www.carterandcone.coml | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              https://api.ipify.orgGETMozilla/5.0 | AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              http://www.sajatypeworks.com | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              http://51Rg6ceg1VdsK.net | AWB-18267638920511_ES.exe, 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp, AWB-18267638920511_ES.exe, 00000003.00000002.475259720.0000000002EFB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
              http://www.typography.netD | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              http://www.fontbureau.com/designers/cabarga.htmlN | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
              http://www.founder.com.cn/cn/cThe | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              http://www.galapagosdesign.com/staff/dennis.htm | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              http://fontfabrik.com | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              http://www.founder.com.cn/cn | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              http://www.fontbureau.com/designers/frere-jones.html | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
              https://api.telegram.org/bot%telegramapi%/ | AWB-18267638920511_ES.exe, 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp, AWB-18267638920511_ES.exe, 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp | false | | high
              http://www.jiyu-kobo.co.jp/ | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              http://www.galapagosdesign.com/DPlease | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              http://www.fontbureau.com/designers8 | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
              http://www.fonts.com | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
              http://www.sandoll.co.kr | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | |
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.urwpp.deDPleaseAWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://mail.talleresgenerauto.esAWB-18267638920511_ES.exe, 00000003.00000002.475508407.0000000002F30000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.zhongyicts.com.cnAWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameAWB-18267638920511_ES.exe, 00000000.00000002.223047556.0000000003201000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.sakkal.comAWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------xAWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmpfalse
                                            high
                                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipAWB-18267638920511_ES.exe, 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp, AWB-18267638920511_ES.exe, 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown

                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
217.61.130.138 | unknown | Spain | 39020 | COMVIVE-ASSeville-SpainES | true

                                            General Information

                                            Joe Sandbox Version:31.0.0 Red Diamond
                                            Analysis ID:323615
                                            Start date:27.11.2020
                                            Start time:08:29:16
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 7m 11s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Sample file name:AWB-18267638920511_ES.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                            Number of analysed new started processes analysed:23
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.spyw.evad.winEXE@6/3@2/1
                                            EGA Information:Failed
                                            HDC Information:Failed
                                            HCA Information:
                                            • Successful, ratio: 95%
                                            • Number of executed functions: 53
                                            • Number of non-executed functions: 9
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .exe
                                            Warnings:
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                            • Excluded IPs from analysis (whitelisted): 104.43.193.48, 52.147.198.201, 104.43.139.144, 51.104.139.180, 92.122.144.200, 20.54.26.129, 205.185.216.10, 205.185.216.42, 92.122.213.194, 92.122.213.247
                                            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/323615/sample/AWB-18267638920511_ES.exe

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
08:30:09 | API Interceptor | 789x Sleep call for process: AWB-18267638920511_ES.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            No context

                                            Domains

                                            No context

                                            ASN

Match: COMVIVE-ASSeville-SpainES

Associated Sample Name / URL | SHA 256 | Detection | Link | Context
cUnk2St74R.exe | Get hash | malicious | Browse | 217.61.130.106
8UZQ3kv5fg.exe | Get hash | malicious | Browse | 217.61.130.106
http://8068e-4812f.preview.sitejet.io/ | Get hash | malicious | Browse | 217.61.130.111
https://niw.academy/New/DocSigning.htm | Get hash | malicious | Browse | 185.50.196.212
ATTACHMENT_092020_818717005.doc | Get hash | malicious | Browse | 185.50.196.212
DOC-9576850.doc | Get hash | malicious | Browse | 217.61.130.34
Soumissions 893963.doc | Get hash | malicious | Browse | 217.61.130.34
https://1349fk.com/admin/55rEgXThCrasXK9fnSP | Get hash | malicious | Browse | 217.61.130.34
http://localesfavoritos.com/wp-admin/Document/ | Get hash | malicious | Browse | 217.61.130.34
https://portondeguadarrama.com/jss/OD | Get hash | malicious | Browse | 217.61.130.111
script.exe.7582a080.0x0000000002360000-0x0000000002401fff.exe | Get hash | malicious | Browse | 185.50.197.168
SOC report 07 22 2020.doc | Get hash | malicious | Browse | 185.50.196.201
Form - Jul 22, 2020.doc | Get hash | malicious | Browse | 185.50.196.201
Form - Jul 22, 2020.doc | Get hash | malicious | Browse | 185.50.196.201
https://tutoriapro.com/storage/FILE/2f1rhht/ | Get hash | malicious | Browse | 185.50.196.201
https://contabilidaddecostes.com/todwll/?email=cynthia.hng@vodafone.com | Get hash | malicious | Browse | 185.50.199.194

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AWB-18267638920511_ES.exe.log
                                            Process:C:\Users\user\Desktop\AWB-18267638920511_ES.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1393
                                            Entropy (8bit):5.336387678668898
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84F0:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz4
                                            MD5:918F04BB59A8331CBEAD9305F6A98022
                                            SHA1:DC143AF1885A9FD5964AE0CD2C0C9248459D69FA
                                            SHA-256:89CAD35E7AB95E575A209A676E91D005B1E1342D172F9559CA47D9617A9DE6DB
                                            SHA-512:B31C671F3CAAE013679DF07D191AAC2902EC052313601715C1FA44D63925931F610089E02E5D405A5ED337809ED227B5C0A2B88C9F06234DA4EBA27B1446DD7A
                                            Malicious:true
                                            Reputation:moderate, very likely benign file
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                            C:\Users\user\AppData\Local\Temp\tmpA7E.tmp
                                            Process:C:\Users\user\Desktop\AWB-18267638920511_ES.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1640
                                            Entropy (8bit):5.192867902772148
                                            Encrypted:false
                                            SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBDCtn:cbh47TlNQ//rydbz9I3YODOLNdq3xk
                                            MD5:AD32B7CBBF8CF25C353C52DDBC4ED48D
                                            SHA1:E5AA7D62DD5DE428785FBB74D993FAEB4346C67A
                                            SHA-256:3B4550E354423B8A098BCC6BA56FDB91825850BBE4B05809A9E56C386858F1C7
                                            SHA-512:A54D15894E3E82E6FF28D836FE953047E841DE287EA3B6C8B5907AF100C4EB9DA22D3E6E0309B1BB19FA87FBBAB5946AD395469409A5C8D7FCA2703BC2E9B4CF
                                            Malicious:true
                                            Reputation:low
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                            C:\Users\user\AppData\Roaming\tGjZeZC.exe
                                            Process:C:\Users\user\Desktop\AWB-18267638920511_ES.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):531456
                                            Entropy (8bit):7.6437799109521265
                                            Encrypted:false
                                            SSDEEP:12288:LfA7j4whhjZADjbOlv611wmRDa+Ze9jKxnnUOvYCGb7aOt8LFXDQI5jwmGfTgm:Lf4hjZUj0vzMDadmxn9vYLbB8Nk
                                            MD5:8B7F30A440FCC0B4B4EA690ECBFFF43E
                                            SHA1:B3C91697EF02A5D357849E6358D825FDAB37A69E
                                            SHA-256:B437404019D38740807EE024FCE54AC262690C6BCC59E893B7D8CA4392E7465A
                                            SHA-512:EAA52E8F3AF0F95B9E3AA54A4F4BBD259F926C400748A5F013EC24A51C3246911BF21DA46C3EC3BDDF42D45BBA382DFEA2052BF43BE94CA88A752D7E6BD3B41C
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 76%
                                            Reputation:low
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g.._............................>0... ...@....@.. ....................................@................................../..W....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ 0......H.......P....5..............X`...........................................*".(.....*Vr...p.....r...p.....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*>...(g...(.....*:..(....(i....*...(....(T...(!...(U.....(......(A....*...(.......{C....(&.....(....o$.....{....(m....*....(.......(.......(.......{$....(.

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.6437799109521265
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                            • Win32 Executable (generic) a (10002005/4) 49.93%
                                            • Windows Screen Saver (13104/52) 0.07%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:AWB-18267638920511_ES.exe
                                            File size:531456
                                            MD5:8b7f30a440fcc0b4b4ea690ecbfff43e
                                            SHA1:b3c91697ef02a5d357849e6358d825fdab37a69e
                                            SHA256:b437404019d38740807ee024fce54ac262690c6bcc59e893b7d8ca4392e7465a
                                            SHA512:eaa52e8f3af0f95b9e3aa54a4f4bbd259f926c400748a5f013ec24a51c3246911bf21da46c3ec3bddf42d45bba382dfea2052bf43be94ca88a752d7e6bd3b41c
                                            SSDEEP:12288:LfA7j4whhjZADjbOlv611wmRDa+Ze9jKxnnUOvYCGb7aOt8LFXDQI5jwmGfTgm:Lf4hjZUj0vzMDadmxn9vYLbB8Nk
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g.._............................>0... ...@....@.. ....................................@................................

                                            File Icon

                                            Icon Hash:00828e8e8686b000

                                            Static PE Info

                                            General

                                            Entrypoint:0x48303e
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x5FBE0767 [Wed Nov 25 07:27:35 2020 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated for the remaining 97 lines of the preview: the zero bytes that follow the .NET entry stub disassemble as this instruction)

                                            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x82fe4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x590 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                                            Sections

                                             Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                             .text | 0x2000 | 0x81044 | 0x81200 | False | 0.78805474044 | data | 7.65240635484 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                             .rsrc | 0x84000 | 0x590 | 0x600 | False | 0.414713541667 | data | 4.03754982361 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .reloc | 0x86000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                             Name | RVA | Size | Type | Language | Country
                                             RT_VERSION | 0x840a0 | 0x304 | data | |
                                             RT_MANIFEST | 0x843a4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                            Imports

                                             DLL | Import
                                             mscoree.dll | _CorExeMain

                                            Version Infos

                                             Description | Data
                                             Translation | 0x0000 0x04b0
                                             LegalCopyright | Copyright 2019
                                             Assembly Version | 1.0.0.0
                                             InternalName | l.exe
                                             FileVersion | 1.0.0.0
                                             CompanyName |
                                             LegalTrademarks |
                                             Comments |
                                             ProductName | SnakeGame
                                             ProductVersion | 1.0.0.0
                                             FileDescription | SnakeGame
                                             OriginalFilename | l.exe

                                            Network Behavior

                                            Network Port Distribution

                                            TCP Packets


                                            UDP Packets


                                            DNS Queries

                                             Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                             Nov 27, 2020 08:31:50.802264929 CET | 192.168.2.3 | 8.8.8.8 | 0x4af0 | Standard query (0) | mail.talleresgenerauto.es | A (IP address) | IN (0x0001)
                                             Nov 27, 2020 08:31:50.888202906 CET | 192.168.2.3 | 8.8.8.8 | 0x6d21 | Standard query (0) | mail.talleresgenerauto.es | A (IP address) | IN (0x0001)

                                            DNS Answers

                                             Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                             Nov 27, 2020 08:31:50.865437984 CET | 8.8.8.8 | 192.168.2.3 | 0x4af0 | No error (0) | mail.talleresgenerauto.es | talleresgenerauto.es | | CNAME (Canonical name) | IN (0x0001)
                                             Nov 27, 2020 08:31:50.865437984 CET | 8.8.8.8 | 192.168.2.3 | 0x4af0 | No error (0) | talleresgenerauto.es | | 217.61.130.138 | A (IP address) | IN (0x0001)
                                             Nov 27, 2020 08:31:50.977401972 CET | 8.8.8.8 | 192.168.2.3 | 0x6d21 | No error (0) | mail.talleresgenerauto.es | talleresgenerauto.es | | CNAME (Canonical name) | IN (0x0001)
                                             Nov 27, 2020 08:31:50.977401972 CET | 8.8.8.8 | 192.168.2.3 | 0x6d21 | No error (0) | talleresgenerauto.es | | 217.61.130.138 | A (IP address) | IN (0x0001)

                                            SMTP Packets

                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                             Nov 27, 2020 08:31:51.319319963 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3 | 220-pantallazoazul.zonasprivadasdns.com ESMTP Exim 4.93 #2 Fri, 27 Nov 2020 08:31:51 +0100
                                                 220-We do not authorize the use of this system to transport unsolicited,
                                                 220 and/or bulk e-mail.
                                             Nov 27, 2020 08:31:51.319869041 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138 | EHLO 745773
                                             Nov 27, 2020 08:31:51.372632027 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3 | 250-pantallazoazul.zonasprivadasdns.com Hello 745773 [84.17.52.25]
                                                 250-SIZE 52428800
                                                 250-8BITMIME
                                                 250-PIPELINING
                                                 250-AUTH PLAIN LOGIN
                                                 250-STARTTLS
                                                 250 HELP
                                             Nov 27, 2020 08:31:51.373213053 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138 | STARTTLS
                                             Nov 27, 2020 08:31:51.430037022 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3 | 220 TLS go ahead


                                            System Behavior

                                            General

                                             Start time: 08:30:04
                                             Start date: 27/11/2020
                                             Path: C:\Users\user\Desktop\AWB-18267638920511_ES.exe
                                             Wow64 process (32bit): true
                                             Commandline: 'C:\Users\user\Desktop\AWB-18267638920511_ES.exe'
                                             Imagebase: 0xdc0000
                                             File size: 531456 bytes
                                             MD5 hash: 8B7F30A440FCC0B4B4EA690ECBFFF43E
                                             Has elevated privileges: true
                                             Has administrator privileges: true
                                             Programmed in: .Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.224015893.000000000449F000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.223047556.0000000003201000.00000004.00000001.sdmp, Author: Joe Security
                                             Reputation: low

                                            General

                                             Start time: 08:30:11
                                             Start date: 27/11/2020
                                             Path: C:\Windows\SysWOW64\schtasks.exe
                                             Wow64 process (32bit): true
                                             Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'
                                             Imagebase: 0x11c0000
                                             File size: 185856 bytes
                                             MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                             Has elevated privileges: true
                                             Has administrator privileges: true
                                             Programmed in: C, C++ or other language
                                             Reputation: high

                                            General

                                             Start time: 08:30:11
                                             Start date: 27/11/2020
                                             Path: C:\Windows\System32\conhost.exe
                                             Wow64 process (32bit): false
                                             Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                             Imagebase: 0x7ff6b2800000
                                             File size: 625664 bytes
                                             MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                             Has elevated privileges: true
                                             Has administrator privileges: true
                                             Programmed in: C, C++ or other language
                                             Reputation: high

                                            General

                                             Start time: 08:30:12
                                             Start date: 27/11/2020
                                             Path: C:\Users\user\Desktop\AWB-18267638920511_ES.exe
                                             Wow64 process (32bit): true
                                             Commandline: {path}
                                             Imagebase: 0xa90000
                                             File size: 531456 bytes
                                             MD5 hash: 8B7F30A440FCC0B4B4EA690ECBFFF43E
                                             Has elevated privileges: true
                                             Has administrator privileges: true
                                             Programmed in: .Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp, Author: Joe Security
                                             Reputation: low

                                            Disassembly

                                            Code Analysis


                                              Executed Functions

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: ($g$j$j
                                              • API String ID: 0-3767425927

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228205999.00000000078A0000.00000040.00000001.sdmp, Offset: 078A0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: e$o
                                              • API String ID: 0-2646101430

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0169BAC8
                                              • GetCurrentThread.KERNEL32 ref: 0169BB05
                                              • GetCurrentProcess.KERNEL32 ref: 0169BB42
                                              • GetCurrentThreadId.KERNEL32 ref: 0169BB9B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222745569.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0169BAC8
                                              • GetCurrentThread.KERNEL32 ref: 0169BB05
                                              • GetCurrentProcess.KERNEL32 ref: 0169BB42
                                              • GetCurrentThreadId.KERNEL32 ref: 0169BB9B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222745569.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0

                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 016999B6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222745569.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0

                                              APIs
                                              • CreateProcessW.KERNEL32(?,?,00000009,?,?,?,?,?,?,?), ref: 07887AE3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0

                                              APIs
                                              • CreateProcessW.KERNEL32(?,?,00000009,?,?,?,?,?,?,?), ref: 07887AE3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 016955F1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222745569.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: f2f23cb7036ea2d2063dc535df9f06cba96f792540cc0638999db1623f8073d1
                                              • Instruction ID: 2317a027d16b52b34510373856203bb4ffb5b0871d63d179210e325e8d6f1dc9
                                              • Opcode Fuzzy Hash: f2f23cb7036ea2d2063dc535df9f06cba96f792540cc0638999db1623f8073d1
                                              • Instruction Fuzzy Hash: E5510271C00218CFDB20DFA9C9847DEBBF5BF49308F20806AD519AB251D775594ACFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 016955F1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222745569.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: ce2a7148163596a43c36a5e5e8a3b92ca9d077ce547c2f60597af97c79dbfa20
                                              • Instruction ID: 059822614ef84220333b620ccbb1c23caee7b7145508a0179b900d0b7a612d8f
                                              • Opcode Fuzzy Hash: ce2a7148163596a43c36a5e5e8a3b92ca9d077ce547c2f60597af97c79dbfa20
                                              • Instruction Fuzzy Hash: 1941F171C0421CCFDF24DFA9C984B9EBBB5BF89304F20806AD509AB251DB756946CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228205999.00000000078A0000.00000040.00000001.sdmp, Offset: 078A0000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: af3aaa6cf1ceeaa45463ad358e57e5a2cb939c7083084b13f94ebe482393b156
                                              • Instruction ID: b4442ed8e98b80308680c88e57c5c85e987523d35ce2134d0e627ee3a0ddf5ef
                                              • Opcode Fuzzy Hash: af3aaa6cf1ceeaa45463ad358e57e5a2cb939c7083084b13f94ebe482393b156
                                              • Instruction Fuzzy Hash: E13144B0D00249EFEB15CFA8C88579EBBF1EB09314F10812AE915E7380E7749846CF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228205999.00000000078A0000.00000040.00000001.sdmp, Offset: 078A0000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 2740a9c818ec0455b233846f27dc78d3547a2cfeb3d6744f274cd890f6bac835
                                              • Instruction ID: 3c787354a6e7abac051584c27e74328df7b5ed69bdf8fed47db3840fa0b28c00
                                              • Opcode Fuzzy Hash: 2740a9c818ec0455b233846f27dc78d3547a2cfeb3d6744f274cd890f6bac835
                                              • Instruction Fuzzy Hash: AE3144B0D00249EFEB15CFA8C88579EBBF1BB09314F14852AE915E7380E7749886CF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07887E9D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: d6017c2899ca27c9657fbe5569ed0b21983b14f8aa05aa538de50de51b66e919
                                              • Instruction ID: 73c98c9f5c193a65392036cb31a8990a2eb6f48e5c083da7b95c7aa25d6bc262
                                              • Opcode Fuzzy Hash: d6017c2899ca27c9657fbe5569ed0b21983b14f8aa05aa538de50de51b66e919
                                              • Instruction Fuzzy Hash: 972103B19003599FCB10DF9AC885BDEBBF5FB48324F10842AE918E3250D778A944CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07887E9D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 27d7852de679aba82f7d0fb9f26e63e6b0e8945c04f5b55864a94f6f8624689d
                                              • Instruction ID: 6ba0d74f1fe43fffc3a058c1b65a20a86cb3a2a46e25f774a08dea32a788385b
                                              • Opcode Fuzzy Hash: 27d7852de679aba82f7d0fb9f26e63e6b0e8945c04f5b55864a94f6f8624689d
                                              • Instruction Fuzzy Hash: 5721E4B59002599FCB10DF9AC985BDEBBF4FB48314F10852AE918E3250D778A944CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0169BD17
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222745569.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 0fd9a8c6d9518cc14c0000671a734a74cf2848e3102a3d6d42bd2b2bc89f1136
                                              • Instruction ID: c125cc45161eb2526450f90d4865028fdd0806c15b84b52888c42c8df39089e6
                                              • Opcode Fuzzy Hash: 0fd9a8c6d9518cc14c0000671a734a74cf2848e3102a3d6d42bd2b2bc89f1136
                                              • Instruction Fuzzy Hash: 2C21E4B5900208DFDB10CFA9D984AEEBBF4EB48324F14841AE914A3310C378A955CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0169BD17
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222745569.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 45ca8e68b953cdaf4630f5243103e03dbc1e52b0702077f4306394922fb44714
                                              • Instruction ID: 434b3a8f7d5ae60bf3dd10cfe389e9464b7d4288439cc74a42a78bb6c0aa3718
                                              • Opcode Fuzzy Hash: 45ca8e68b953cdaf4630f5243103e03dbc1e52b0702077f4306394922fb44714
                                              • Instruction Fuzzy Hash: BC21C4B59002489FDB10CFAAD984ADEBBF8EB48324F14841AE914A3310D378A955CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07887D17
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 7c96237d6ea5ad7bb01bde281a9f3ebd2704c53dbf008f31366f178b880b0342
                                              • Instruction ID: 34e0099bf8a5eab9907feec3d5f8e82fa6609c25d3f6ef05f5305fdeafdb3c80
                                              • Opcode Fuzzy Hash: 7c96237d6ea5ad7bb01bde281a9f3ebd2704c53dbf008f31366f178b880b0342
                                              • Instruction Fuzzy Hash: 0821F5B5900259DFCB10DF9AC884BDEFBF4FB48324F10842AE528A3240D374A555CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07887D17
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 640d4d960bba214b32cff057cf727f5956dcdefb7b71d48381d072a494d5d993
                                              • Instruction ID: eb434e968bc4cf90dec0010a77d11b4dcefb1110557eb210f2006511d9a426ce
                                              • Opcode Fuzzy Hash: 640d4d960bba214b32cff057cf727f5956dcdefb7b71d48381d072a494d5d993
                                              • Instruction Fuzzy Hash: F521E3B5900259DFCB10DF9AD884BDEFBF4FB48324F20842AE918A3250D378A555CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetThreadContext.KERNEL32(?,00000000), ref: 07887C4F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false
                                              Similarity
                                              • API ID: ContextThread
                                              • String ID:
                                              • API String ID: 1591575202-0
                                              • Opcode ID: e6af84393c09dfe93a218c0a9f3d8dc156d2b80213a7caadf88ba3c4cd25d5aa
                                              • Instruction ID: 377049fecba611d0d3ce978f81196816ed51c0778fd7a21af970380168ec80f2
                                              • Opcode Fuzzy Hash: e6af84393c09dfe93a218c0a9f3d8dc156d2b80213a7caadf88ba3c4cd25d5aa
                                              • Instruction Fuzzy Hash: 372138B1D0065A9FCB00DF9AC5847EEFBB4BB48224F24816AE418E3240D778A955CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetThreadContext.KERNEL32(?,00000000), ref: 07887C4F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false
                                              Similarity
                                              • API ID: ContextThread
                                              • String ID:
                                              • API String ID: 1591575202-0
                                              • Opcode ID: 376042fd510b73db57ba7eac70397b5a4c287c5a357636fa31c3cba309fa4349
                                              • Instruction ID: f7fbf19a1abe061fc63b0cc7714fb1f84492dcf934c56b6b60fec3f66e679061
                                              • Opcode Fuzzy Hash: 376042fd510b73db57ba7eac70397b5a4c287c5a357636fa31c3cba309fa4349
                                              • Instruction Fuzzy Hash: DA2108B1D0061A9FCB10DF9AC9857DEFBF4BB48624F14812AE518A3340D778A9458FA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,01699A31,00000800,00000000,00000000), ref: 01699C42
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222745569.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: b573a68925e297cf8ffee0e99ecb7ee09529785f82262bd59a3cee2cefe3e15c
                                              • Instruction ID: b183d06e79e74c76680a27a5b46c45efcd0d415244926eba578629162459a204
                                              • Opcode Fuzzy Hash: b573a68925e297cf8ffee0e99ecb7ee09529785f82262bd59a3cee2cefe3e15c
                                              • Instruction Fuzzy Hash: F91103B69042499FDB10DF9AD844ADEFBF8EB89324F14842EE515A7300C378A545CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,01699A31,00000800,00000000,00000000), ref: 01699C42
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222745569.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: b1a255f02103a82871493d5a71617af86982c73e5b45988cd2a5a51a6bc90b6d
                                              • Instruction ID: 9a905e211666a5e827166c2ad0da4b6f8d322c605f2a63b90c74b96dc10a9c94
                                              • Opcode Fuzzy Hash: b1a255f02103a82871493d5a71617af86982c73e5b45988cd2a5a51a6bc90b6d
                                              • Instruction Fuzzy Hash: 2D11F3B6900249CFDB14CF9AD844ADEFBF4EB98324F15852EE529A7200C378A545CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07887DD3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: babf727764ca150114b5d93a25147b2e1c0fe7ed5bdea90f16c867935883025c
                                              • Instruction ID: 54049f9a61916e0d00d06c949561047d892e91b93752e0969a9bf1e8a6ee87a8
                                              • Opcode Fuzzy Hash: babf727764ca150114b5d93a25147b2e1c0fe7ed5bdea90f16c867935883025c
                                              • Instruction Fuzzy Hash: 621116B5800249DFCB10DF9AC884BDEFBF4FB58324F208419E528A7210D335A544CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07887DD3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 8ad0ed2bbd2dcdeeb703a6c1f4ef496f19d6a60e256f01116c778bf3b87f4f61
                                              • Instruction ID: 9feb39bfdd2a505f49992aad36711a527fd808a53d0b95fb8f029aef890774a7
                                              • Opcode Fuzzy Hash: 8ad0ed2bbd2dcdeeb703a6c1f4ef496f19d6a60e256f01116c778bf3b87f4f61
                                              • Instruction Fuzzy Hash: 9911E3B59002499FCB10DF9AC884BDEBBF4EB48324F208419E529A7210C775A544CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07888885
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: c8bc4083242888df3c1cca18ecc9393a02306956ce697580e77ac4960220ba86
                                              • Instruction ID: 6a480188ac7f0a2ddd093c961beedfb38713955bc3a73f1405f608aac50b9ec6
                                              • Opcode Fuzzy Hash: c8bc4083242888df3c1cca18ecc9393a02306956ce697580e77ac4960220ba86
                                              • Instruction Fuzzy Hash: C11103B58003499FCB60DF9AD984BDEBBF8EB59324F20845AE518B7200C374A944CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 016999B6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222745569.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: b049f38af85cabe66401b25efcfc3746ba025cf3f59577660015ec5feeb444ec
                                              • Instruction ID: a70d28cf38d71fc676b81e3d879e82cf0ed672d2b600ea3a8581f0ba9ef9c1b3
                                              • Opcode Fuzzy Hash: b049f38af85cabe66401b25efcfc3746ba025cf3f59577660015ec5feeb444ec
                                              • Instruction Fuzzy Hash: AC110FB5C002098FDB10CF9AC844BDEFBF8AB89328F14841AD529A7300D378A545CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07888885
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 42c0897c477623471fdff9689317058aead44391ef7089f8813b38d6bed14151
                                              • Instruction ID: 32694af96d26d5c3732c7d7c7f78ce5630e8e4b28a1f145309ceb455559f8b08
                                              • Opcode Fuzzy Hash: 42c0897c477623471fdff9689317058aead44391ef7089f8813b38d6bed14151
                                              • Instruction Fuzzy Hash: 611103B58003499FDB10DF99C885BDEBBF8EB59324F24885AE558A7200D379A944CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222650189.00000000015FD000.00000040.00000001.sdmp, Offset: 015FD000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5ad9a9bf2366019319f637f1f97f264dfe9b375de6fafe2ba7960c75f740eb32
                                              • Instruction ID: 46d9baa51bd7c27151067f1f5ea8209a51a6a857a0e1a71aaf599ab1d86b0ba4
                                              • Opcode Fuzzy Hash: 5ad9a9bf2366019319f637f1f97f264dfe9b375de6fafe2ba7960c75f740eb32
                                              • Instruction Fuzzy Hash: 2021D6B5504280DFDF05DF94D9C0B2ABBB5FB88314F24866DEA494F246C33AD816CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222650189.00000000015FD000.00000040.00000001.sdmp, Offset: 015FD000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 68b0c1df70c58a47528e306c7109b130a68e748ad0fd6a09312f1b686c4ca905
                                              • Instruction ID: 9cdccabd3a349e027b4f6d5a683294d892ec9fa5e3561e3000e424320cdd6ea2
                                              • Opcode Fuzzy Hash: 68b0c1df70c58a47528e306c7109b130a68e748ad0fd6a09312f1b686c4ca905
                                              • Instruction Fuzzy Hash: 3121F5B1504240DFDB15DF54D9C4B2ABFB5FB88328F24896DEA054F246C336D856CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222669787.000000000160D000.00000040.00000001.sdmp, Offset: 0160D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 96d945e12cb92e9b5a74e7845161a844edc744dc7508dd3d7b2cf39eb24d3f73
                                              • Instruction ID: efbe3bd51a4512ac6596d6e844fe725cd1e44884535dc2f1b1ca5966ef708ecb
                                              • Opcode Fuzzy Hash: 96d945e12cb92e9b5a74e7845161a844edc744dc7508dd3d7b2cf39eb24d3f73
                                              • Instruction Fuzzy Hash: 8821C871504240EFDB0ADF94DDC0B27BB65FB84328F24C66DEA094B386C776D846CA61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222669787.000000000160D000.00000040.00000001.sdmp, Offset: 0160D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cb757c1be7616b16362eea09ea3bf1a8583a9e58e3888a422b68dd097bb5523d
                                              • Instruction ID: 94b8f4f924244b5901cdedf398f74b15b3dc32e976e29d755cb4b5d816a9bccc
                                              • Opcode Fuzzy Hash: cb757c1be7616b16362eea09ea3bf1a8583a9e58e3888a422b68dd097bb5523d
                                              • Instruction Fuzzy Hash: FD21C1B1604240DFDB1ADF94D9C0B27BB65EB84254F24C669E90A4B386C73AD847CA61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222669787.000000000160D000.00000040.00000001.sdmp, Offset: 0160D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9dc68f2e740132afb92a3049dc29a75e8a17a47ca0623fcd800c8fd963452b7a
                                              • Instruction ID: 65070cf6321ffc01f1a5b8a31a1446f5c60e6cc6514b3c3caf84cd3526e27bb7
                                              • Opcode Fuzzy Hash: 9dc68f2e740132afb92a3049dc29a75e8a17a47ca0623fcd800c8fd963452b7a
                                              • Instruction Fuzzy Hash: FA2192755093808FCB07CF64D990716BF71EB46214F28C6DAD8498B697C33A980ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222650189.00000000015FD000.00000040.00000001.sdmp, Offset: 015FD000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 915b1cc9285727c7c66ebaaea4b346aa1b0c242c952c6e540ef3e95bc218b3a6
                                              • Instruction ID: f7c0628b4907ea0b4e2e959c98f44f55c1af685b343dbf5cd6568c38ea3b5ef4
                                              • Opcode Fuzzy Hash: 915b1cc9285727c7c66ebaaea4b346aa1b0c242c952c6e540ef3e95bc218b3a6
                                              • Instruction Fuzzy Hash: 1F218C76404280DFCF06CF54D9C4B1ABF72FB88314F2886A9D9484E656C33AD466CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222650189.00000000015FD000.00000040.00000001.sdmp, Offset: 015FD000, based on PE: false

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222669787.000000000160D000.00000040.00000001.sdmp, Offset: 0160D000, based on PE: false

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222650189.00000000015FD000.00000040.00000001.sdmp, Offset: 015FD000, based on PE: false

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222650189.00000000015FD000.00000040.00000001.sdmp, Offset: 015FD000, based on PE: false

                                              Non-executed Functions

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228205999.00000000078A0000.00000040.00000001.sdmp, Offset: 078A0000, based on PE: false
                                              Similarity
                                              • String ID: 1d

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222745569.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222745569.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.228191841.0000000007880000.00000040.00000001.sdmp, Offset: 07880000, based on PE: false

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222745569.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.222121016.0000000000DC2000.00000002.00020000.sdmp, Offset: 00DC0000, based on PE: true
                                              • Associated: 00000000.00000002.222112984.0000000000DC0000.00000002.00020000.sdmp
                                              • Associated: 00000000.00000002.222193755.0000000000E44000.00000002.00020000.sdmp

                                              Executed Functions

                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 02D84216
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.474351882.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.474351882.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.474203489.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D852A2
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.474351882.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false
                                              Similarity
                                              • API ID: CreateWindow

                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 02D87D01
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.474351882.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false
                                              Similarity
                                              • API ID: CallProcWindow

                                              APIs
                                              • RtlEncodePointer.NTDLL(00000000), ref: 02D8C442
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.474351882.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false
                                              Similarity
                                              • API ID: EncodePointer

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D86DFF
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.474351882.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D86DFF
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.474351882.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle

                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?), ref: 014CEC2A
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.474203489.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad

                                              APIs
                                              • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,014C514A), ref: 014C5237
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.474203489.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false
                                              Similarity
                                              • API ID: GlobalMemoryStatus

                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?), ref: 014CEC2A
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.474203489.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad

                                              APIs
                                              • RtlEncodePointer.NTDLL(00000000), ref: 02D8C442
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.474351882.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false
                                              Similarity
                                              • API ID: EncodePointer

                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 02D84216
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.474351882.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.473772321.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.473799685.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dc1e6312531932df6925d79657a9b31a07e2a01090d2a44d365cfdba34760b78
                                              • Instruction ID: ae3b9d0ec300260ce38cbce2ffe31494d613af53f9de71848d2398685cad8ba2
                                              • Opcode Fuzzy Hash: dc1e6312531932df6925d79657a9b31a07e2a01090d2a44d365cfdba34760b78
                                              • Instruction Fuzzy Hash: A2212571604600DFCF19DF94E8C8B26BFA5FB84354F28C56DE9094B246C73AD846CB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.473799685.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c184af9cb7b09e4a52388bf6131f7dbd1fbc23914b1250d6ced9b5a03041d14e
                                              • Instruction ID: 994bbcd34a60d039b8fd3bf0fd370320e62e8bbc3633131f8774b8783fbc5f18
                                              • Opcode Fuzzy Hash: c184af9cb7b09e4a52388bf6131f7dbd1fbc23914b1250d6ced9b5a03041d14e
                                              • Instruction Fuzzy Hash: C721CF754097808FCB07CF64D994B15BFB1EB46214F28C1EAD8498B667C33A980ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.473772321.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 47076947d0cae9de72b912d4314ccf217260e82977345402d4a79466876f1438
                                              • Instruction ID: 7d6ce40652fa456b42ed4dd1fea772bd795c8e94c5392e72ef4c5ec85a960965
                                              • Opcode Fuzzy Hash: 47076947d0cae9de72b912d4314ccf217260e82977345402d4a79466876f1438
                                              • Instruction Fuzzy Hash: 5611BE76404280CFDF16CF54E9C4B26BF72FB84324F2886A9D8050B657C33AD45ACBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%
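The records above are per-function metadata from the sandbox's code analysis: opcode and instruction fuzzy hashes for each recovered function, the memory dump it was carved from, and a uniqueness score. As an added example, not part of this report and not Joe Sandbox's own tooling, the Python below parses such a listing into records, groups the functions by source dump so their fuzzy hashes can be compared against other samples of the same family, and runs the consistency checks a reviewer would apply before pivoting on them. The sample text is copied from this page; the reading of the dump file name's fourth dot-separated field as the region base address is an assumption made here, not something the report states.

```python
import re

# Constructed sample: two of the records shown on this page (dumps 011DD000 and
# 011ED000), preceded by the tail of a record whose head fell off the page.
SAMPLE = """\
• Instruction Fuzzy Hash: 761123B1D002498BCB10DF9AC444BDEFBF4EB89224F11801AD829B7300C374A945CFA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.473772321.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80dc11b98e167ebedabd696bbf7dd344e8860e4b6d7034ef62f4dcab78777337
• Instruction ID: 272847b05acab512687e492303fb9af1fa8c397394a9d9e67cd5c190f2fc6a4b
• Opcode Fuzzy Hash: 80dc11b98e167ebedabd696bbf7dd344e8860e4b6d7034ef62f4dcab78777337
• Instruction Fuzzy Hash: FB2133B1504200EFDF19DF54E9C0F67BF65FB88328F248568E9054B686C336E805CBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.473799685.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc1e6312531932df6925d79657a9b31a07e2a01090d2a44d365cfdba34760b78
• Instruction ID: ae3b9d0ec300260ce38cbce2ffe31494d613af53f9de71848d2398685cad8ba2
• Opcode Fuzzy Hash: dc1e6312531932df6925d79657a9b31a07e2a01090d2a44d365cfdba34760b78
• Instruction Fuzzy Hash: A2212571604600DFCF19DF94E8C8B26BFA5FB84354F28C56DE9094B246C73AD846CB62
Uniqueness
Uniqueness Score: -1.00%
"""

# "Uniqueness Score" may appear bare or as a bullet; the value is a percentage.
SCORE = re.compile(r"^(?:•\s*)?Uniqueness Score:\s*(-?[\d.]+)%$")
# Generic "• Key: value" bullet; the value is often empty (the Similarity IDs).
BULLET = re.compile(r"^•\s*([^:]+):\s*(.*)$")
# The Source File bullet packs three fields into one value.
SOURCE = re.compile(r"^(?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>\w+)$")


def parse_records(text):
    """Return (records, partial): one dict per 'Memory Dump Source' block, and a
    dict for any bullets seen before the first heading (a record cut off at a
    page boundary), or None if there were none."""
    records, partial, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        target = current if current is not None else partial
        m = SCORE.match(line)
        if m:
            target["uniqueness_score"] = float(m.group(1))
            continue
        m = BULLET.match(line)
        if not m:
            continue                      # headings, blank lines, 'Similarity'
        key, value = m.group(1).strip(), m.group(2).strip()
        src = SOURCE.match(value) if key == "Source File" else None
        if src:
            target["source_file"] = src.group("file")
            target["offset"] = src.group("offset")
            target["based_on_pe"] = src.group("pe").lower() == "true"
        else:
            target[key.lower().replace(" ", "_")] = value
    return records, (partial or None)


def group_by_dump(records):
    """Map each dump file to the instruction fuzzy hashes of the functions
    recovered from it, the unit you would compare across samples."""
    groups = {}
    for r in records:
        groups.setdefault(r["source_file"], []).append(r["instruction_fuzzy_hash"])
    return groups


def check_record(r):
    """Consistency checks to run before pivoting on a record's hashes.
    Returns a list of problems; an empty list means the record looks sound."""
    problems = []
    if r.get("opcode_id") != r.get("opcode_fuzzy_hash"):
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    # Assumption, not stated by the report: the fourth dot-separated field of
    # the dump name is the region base, so it should end with the Offset.
    if "source_file" in r:
        base = r["source_file"].split(".")[3]
        if not base.upper().endswith(r["offset"].upper()):
            problems.append("Offset does not match dump region base")
    if r.get("uniqueness_score", 0.0) < 0:
        problems.append("negative uniqueness score; not usable as a similarity signal")
    return problems
```

Call `parse_records(SAMPLE)` on a listing pasted from a report; `group_by_dump` then gives, per dump region, the hash set to diff against a second sample, and `check_record` flags records whose fields disagree or whose uniqueness score (negative throughout this page) should not be read as a similarity signal.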

                                              Non-executed Functions