
Analysis Report AWB-18267638920511_ES.exe

Overview

General Information

Sample Name: AWB-18267638920511_ES.exe
Analysis ID: 323615
MD5: 8b7f30a440fcc0b4b4ea690ecbfff43e
SHA1: b3c91697ef02a5d357849e6358d825fdab37a69e
SHA256: b437404019d38740807ee024fce54ac262690c6bcc59e893b7d8ca4392e7465a
Tags: AgentTesla


Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • AWB-18267638920511_ES.exe (PID: 3984 cmdline: 'C:\Users\user\Desktop\AWB-18267638920511_ES.exe' MD5: 8B7F30A440FCC0B4B4EA690ECBFFF43E)
    • schtasks.exe (PID: 5944 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "RrY9j3ju7QQ", "URL: ": "http://51Rg6ceg1VdsK.net", "To: ": "winwinner151@gmail.com", "ByHost: ": "mail.talleresgenerauto.es:587", "Password: ": "S2vtG9cNKv", "From: ": "chapaypintura@talleresgenerauto.es"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 3.2.AWB-18267638920511_ES.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\AWB-18267638920511_ES.exe', ParentImage: C:\Users\user\Desktop\AWB-18267638920511_ES.exe, ParentProcessId: 3984, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp', ProcessId: 5944

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: AWB-18267638920511_ES.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\tGjZeZC.exe | Avira: detection malicious, Label: TR/AD.AgentTesla.bldep
Found malware configuration
Source: AWB-18267638920511_ES.exe.3728.3.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "RrY9j3ju7QQ", "URL: ": "http://51Rg6ceg1VdsK.net", "To: ": "winwinner151@gmail.com", "ByHost: ": "mail.talleresgenerauto.es:587", "Password: ": "S2vtG9cNKv", "From: ": "chapaypintura@talleresgenerauto.es"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\tGjZeZC.exe | ReversingLabs: Detection: 75%
Multi AV Scanner detection for submitted file
Source: AWB-18267638920511_ES.exe | ReversingLabs: Detection: 75%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\tGjZeZC.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: AWB-18267638920511_ES.exe | Joe Sandbox ML: detected
Source: 3.2.AWB-18267638920511_ES.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 4x nop then jmp 078878B5h
Source: global traffic | TCP traffic: 192.168.2.3:49740 -> 217.61.130.138:587
Source: Joe Sandbox View | ASN Name: COMVIVE-ASSeville-SpainES COMVIVE-ASSeville-SpainES
Source: unknown | DNS traffic detected: queries for: mail.talleresgenerauto.es
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: AWB-18267638920511_ES.exe, 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp, AWB-18267638920511_ES.exe, 00000003.00000002.475259720.0000000002EFB000.00000004.00000001.sdmp | String found in binary or memory: http://51Rg6ceg1VdsK.net
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | String found in binary or memory: http://LVvtpY.com
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480483982.00000000067F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480536913.0000000006835000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480483982.00000000067F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480483982.00000000067F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: AWB-18267638920511_ES.exe, 00000003.00000002.475508407.0000000002F30000.00000004.00000001.sdmp | String found in binary or memory: http://mail.talleresgenerauto.es
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480483982.00000000067F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223047556.0000000003201000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AWB-18267638920511_ES.exe, 00000003.00000002.475508407.0000000002F30000.00000004.00000001.sdmp | String found in binary or memory: http://talleresgenerauto.es
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp, AWB-18267638920511_ES.exe, 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480483982.00000000067F0000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp, AWB-18267638920511_ES.exe, 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 0_2_00DC8E4C
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 0_2_0169C584
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 0_2_0169E940
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 0_2_0169E950
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 0_2_07886ADC
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 0_2_078827F0
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 0_2_07880548
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 0_2_07881160
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 0_2_07880890
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 0_2_078A6CD1
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 0_2_078A3049
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 3_2_00A98E4C
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 3_2_014CC580
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 3_2_014C0668
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 3_2_014C54E8
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 3_2_014C1930
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 3_2_014CD800
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 3_2_014C1880
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 3_2_02D847A0
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 3_2_02D84790
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 3_2_02D8D830
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenoRRazZkMXYaGjuLntkWympaWRqKPbhkCKJI.exe4 vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamel0 vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000000.00000002.228122371.0000000007780000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000000.00000002.228736476.0000000009F10000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenoRRazZkMXYaGjuLntkWympaWRqKPbhkCKJI.exe4 vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000003.00000000.221415344.0000000000B14000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamel0 vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474027449.00000000012D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000003.00000002.480001781.0000000005DD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000003.00000002.471074944.0000000000EF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe, 00000003.00000002.474149731.00000000014A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe | Binary or memory string: OriginalFilenamel0 vs AWB-18267638920511_ES.exe
Source: AWB-18267638920511_ES.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tGjZeZC.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/3@2/1
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File created: C:\Users\user\AppData\Roaming\tGjZeZC.exe
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Mutant created: \Sessions\1\BaseNamedObjects\RgLvAtUuBe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_01
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File created: C:\Users\user\AppData\Local\Temp\tmpA7E.tmp
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: AWB-18267638920511_ES.exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File read: C:\Users\user\Desktop\AWB-18267638920511_ES.exe
Source: unknown | Process created: C:\Users\user\Desktop\AWB-18267638920511_ES.exe 'C:\Users\user\Desktop\AWB-18267638920511_ES.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\AWB-18267638920511_ES.exe {path}
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Process created: C:\Users\user\Desktop\AWB-18267638920511_ES.exe {path}
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: AWB-18267638920511_ES.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: AWB-18267638920511_ES.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 0_2_0788AFAF push dword ptr [ebx+ebp-75h]; iretd
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 0_2_0788B0C5 push FFFFFF8Bh; iretd
Source: initial sample | Static PE information: section name: .text entropy: 7.65240635484
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File created: C:\Users\user\AppData\Roaming\tGjZeZC.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match | File source: 00000000.00000002.223047556.0000000003201000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: AWB-18267638920511_ES.exe PID: 3984, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 3_2_02D841AB rdtsc
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Window / User API: threadDelayed 528
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Window / User API: threadDelayed 3984
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Window / User API: threadDelayed 911
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Window / User API: threadDelayed 8947
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe TID: 5648 | Thread sleep time: -8301034833169293s >= -30000s
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe TID: 2592 | Thread sleep time: -41500s >= -30000s
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe TID: 4812 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe TID: 3412 | Thread sleep time: -14757395258967632s >= -30000s
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe TID: 6012 | Thread sleep count: 911 > 30
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe TID: 6012 | Thread sleep count: 8947 > 30
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: AWB-18267638920511_ES.exe, 00000000.00000002.222592845.00000000014C7000.00000004.00000001.sdmp | Binary or memory string: VMware
              Source: AWB-18267638920511_ES.exe, 00000003.00000002.480001781.0000000005DD0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: vmware
              Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: AWB-18267638920511_ES.exe, 00000000.00000002.222592845.00000000014C7000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareMNK_8XREWin32_VideoControllerXNZ5D6VYVideoController120060621000000.000000-00002089649display.infMSBDABO4KPY2UPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsSL2GOE6C
              Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: VMWARE
              Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: AWB-18267638920511_ES.exe, 00000003.00000002.480001781.0000000005DD0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: AWB-18267638920511_ES.exe, 00000003.00000002.480001781.0000000005DD0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: VMware
              Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
              Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
              Source: AWB-18267638920511_ES.exe, 00000000.00000002.223672472.0000000003599000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
              Source: AWB-18267638920511_ES.exe, 00000003.00000002.480483982.00000000067F0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: AWB-18267638920511_ES.exe, 00000003.00000002.480001781.0000000005DD0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Code function: 3_2_02D841AB rdtsc
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Memory written: C:\Users\user\Desktop\AWB-18267638920511_ES.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Process created: C:\Users\user\Desktop\AWB-18267638920511_ES.exe {path}
              Source: AWB-18267638920511_ES.exe, 00000003.00000002.474250296.0000000001860000.00000002.00000001.sdmp | Binary or memory string: Program Manager
              Source: AWB-18267638920511_ES.exe, 00000003.00000002.474250296.0000000001860000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: AWB-18267638920511_ES.exe, 00000003.00000002.474250296.0000000001860000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: AWB-18267638920511_ES.exe, 00000003.00000002.474250296.0000000001860000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Users\user\Desktop\AWB-18267638920511_ES.exe VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Users\user\Desktop\AWB-18267638920511_ES.exe VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.224015893.000000000449F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AWB-18267638920511_ES.exe PID: 3728, type: MEMORY
Source: Yara match | File source: Process Memory Space: AWB-18267638920511_ES.exe PID: 3984, type: MEMORY
Source: Yara match | File source: 3.2.AWB-18267638920511_ES.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\AWB-18267638920511_ES.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AWB-18267638920511_ES.exe PID: 3728, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.224015893.000000000449F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AWB-18267638920511_ES.exe PID: 3728, type: MEMORY
Source: Yara match | File source: Process Memory Space: AWB-18267638920511_ES.exe PID: 3984, type: MEMORY
Source: Yara match | File source: 3.2.AWB-18267638920511_ES.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

Techniques listed per tactic column; a number following a technique is the signature count shown in the report.

• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
• Execution: Windows Management Instrumentation 311; Scheduled Task/Job 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
• Persistence: Scheduled Task/Job 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
• Privilege Escalation: Process Injection 112; Scheduled Task/Job 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
• Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 24; Disable or Modify Tools 1; Process Injection 112; Obfuscated Files or Information 3; Software Packing 3; Compile After Delivery; Indicator Removal from Tools
• Credential Access: OS Credential Dumping 2; Credentials in Registry 1; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
• Discovery: Query Registry 1; Security Software Discovery 431; Virtualization/Sandbox Evasion 24; Process Discovery 2; Application Window Discovery 1; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 114
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
• Collection: Email Collection 1; Archive Collected Data 1; Data from Local System 2; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
• Command and Control: Encrypted Channel 1; Non-Standard Port 1; Non-Application Layer Protocol 1; Application Layer Protocol 11; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
• Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
• Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
• Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

              Behavior Graph

Behavior Graph ID: 323615 | Sample: AWB-18267638920511_ES.exe | Start date: 27/11/2020 | Architecture: WINDOWS | Score: 100

Top-level signatures: Found malware configuration; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 9 other signatures

Process tree:
• AWB-18267638920511_ES.exe 6 (started)
  Dropped files: C:\Users\user\AppData\Roaming\tGjZeZC.exe (PE32); C:\Users\user\AppData\Local\Temp\tmpA7E.tmp (XML); C:\Users\...\AWB-18267638920511_ES.exe.log (ASCII)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes
  • AWB-18267638920511_ES.exe 2 (started by the parent process)
    DNS/IP: talleresgenerauto.es 217.61.130.138, ports 49740, 587, COMVIVE-ASSeville-SpainES Spain; mail.talleresgenerauto.es
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  • schtasks.exe 1 (started by the parent process)
    • conhost.exe (started by schtasks.exe)


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
AWB-18267638920511_ES.exe | 76% | ReversingLabs | ByteCode-MSIL.Infostealer.Stelega
AWB-18267638920511_ES.exe | 100% | Avira | TR/AD.AgentTesla.bldep
AWB-18267638920511_ES.exe | 100% | Joe Sandbox ML |

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\tGjZeZC.exe | 100% | Avira | TR/AD.AgentTesla.bldep
C:\Users\user\AppData\Roaming\tGjZeZC.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\tGjZeZC.exe | 76% | ReversingLabs | ByteCode-MSIL.Infostealer.Stelega

              Unpacked PE Files

Source | Detection | Scanner | Label
3.2.AWB-18267638920511_ES.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://LVvtpY.com | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://talleresgenerauto.es | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://51Rg6ceg1VdsK.net | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://mail.talleresgenerauto.es | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
talleresgenerauto.es | 217.61.130.138 | true | true | | unknown
mail.talleresgenerauto.es | unknown | unknown | true | | unknown

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
http://DynDns.comDynDNS | AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | AWB-18267638920511_ES.exe, 00000003.00000002.480483982.00000000067F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://LVvtpY.com | AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://talleresgenerauto.es | AWB-18267638920511_ES.exe, 00000003.00000002.475508407.0000000002F30000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.orgGETMozilla/5.0 | AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://51Rg6ceg1VdsK.net | AWB-18267638920511_ES.exe, 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp; AWB-18267638920511_ES.exe, 00000003.00000002.475259720.0000000002EFB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://www.typography.netD | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
https://api.telegram.org/bot%telegramapi%/ | AWB-18267638920511_ES.exe, 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp; AWB-18267638920511_ES.exe, 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
http://www.fonts.com | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://mail.talleresgenerauto.es | AWB-18267638920511_ES.exe, 00000003.00000002.475508407.0000000002F30000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AWB-18267638920511_ES.exe, 00000000.00000002.223047556.0000000003201000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | AWB-18267638920511_ES.exe, 00000000.00000002.227857134.00000000072C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x | AWB-18267638920511_ES.exe, 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | AWB-18267638920511_ES.exe, 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp; AWB-18267638920511_ES.exe, 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
217.61.130.138 | unknown | Spain | 39020 | COMVIVE-ASSeville-SpainES | true

                                            General Information

                                            Joe Sandbox Version:31.0.0 Red Diamond
                                            Analysis ID:323615
                                            Start date:27.11.2020
                                            Start time:08:29:16
                                            Joe Sandbox Product:CloudBasic
Overall analysis duration: 0h 7m 11s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: AWB-18267638920511_ES.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/3@2/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                            • Excluded IPs from analysis (whitelisted): 104.43.193.48, 52.147.198.201, 104.43.139.144, 51.104.139.180, 92.122.144.200, 20.54.26.129, 205.185.216.10, 205.185.216.42, 92.122.213.194, 92.122.213.247
                                            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/323615/sample/AWB-18267638920511_ES.exe

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
08:30:09 | API Interceptor | 789x Sleep call for process: AWB-18267638920511_ES.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            No context

                                            Domains

                                            No context

                                            ASN

Match | Associated Sample Name / URL | Detection | Context
COMVIVE-AS Seville-Spain ES | cUnk2St74R.exe | malicious | 217.61.130.106
COMVIVE-AS Seville-Spain ES | 8UZQ3kv5fg.exe | malicious | 217.61.130.106
COMVIVE-AS Seville-Spain ES | http://8068e-4812f.preview.sitejet.io/ | malicious | 217.61.130.111
COMVIVE-AS Seville-Spain ES | https://niw.academy/New/DocSigning.htm | malicious | 185.50.196.212
COMVIVE-AS Seville-Spain ES | ATTACHMENT_092020_818717005.doc | malicious | 185.50.196.212
COMVIVE-AS Seville-Spain ES | DOC-9576850.doc | malicious | 217.61.130.34
COMVIVE-AS Seville-Spain ES | Soumissions 893963.doc | malicious | 217.61.130.34
COMVIVE-AS Seville-Spain ES | https://1349fk.com/admin/55rEgXThCrasXK9fnSP | malicious | 217.61.130.34
COMVIVE-AS Seville-Spain ES | http://localesfavoritos.com/wp-admin/Document/ | malicious | 217.61.130.34
COMVIVE-AS Seville-Spain ES | https://portondeguadarrama.com/jss/OD | malicious | 217.61.130.111
COMVIVE-AS Seville-Spain ES | script.exe.7582a080.0x0000000002360000-0x0000000002401fff.exe | malicious | 185.50.197.168
COMVIVE-AS Seville-Spain ES | SOC report 07 22 2020.doc | malicious | 185.50.196.201
COMVIVE-AS Seville-Spain ES | Form - Jul 22, 2020.doc | malicious | 185.50.196.201
COMVIVE-AS Seville-Spain ES | Form - Jul 22, 2020.doc | malicious | 185.50.196.201
COMVIVE-AS Seville-Spain ES | https://tutoriapro.com/storage/FILE/2f1rhht/ | malicious | 185.50.196.201
COMVIVE-AS Seville-Spain ES | https://contabilidaddecostes.com/todwll/?email=cynthia.hng@vodafone.com | malicious | 185.50.199.194

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AWB-18267638920511_ES.exe.log
Process: C:\Users\user\Desktop\AWB-18267638920511_ES.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1393
Entropy (8bit): 5.336387678668898
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84F0:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz4
MD5: 918F04BB59A8331CBEAD9305F6A98022
SHA1: DC143AF1885A9FD5964AE0CD2C0C9248459D69FA
SHA-256: 89CAD35E7AB95E575A209A676E91D005B1E1342D172F9559CA47D9617A9DE6DB
SHA-512: B31C671F3CAAE013679DF07D191AAC2902EC052313601715C1FA44D63925931F610089E02E5D405A5ED337809ED227B5C0A2B88C9F06234DA4EBA27B1446DD7A
Malicious: true
Reputation: moderate, very likely benign file
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Temp\tmpA7E.tmp
Process: C:\Users\user\Desktop\AWB-18267638920511_ES.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1640
Entropy (8bit): 5.192867902772148
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBDCtn:cbh47TlNQ//rydbz9I3YODOLNdq3xk
MD5: AD32B7CBBF8CF25C353C52DDBC4ED48D
SHA1: E5AA7D62DD5DE428785FBB74D993FAEB4346C67A
SHA-256: 3B4550E354423B8A098BCC6BA56FDB91825850BBE4B05809A9E56C386858F1C7
SHA-512: A54D15894E3E82E6FF28D836FE953047E841DE287EA3B6C8B5907AF100C4EB9DA22D3E6E0309B1BB19FA87FBBAB5946AD395469409A5C8D7FCA2703BC2E9B4CF
Malicious: true
Reputation: low
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
C:\Users\user\AppData\Roaming\tGjZeZC.exe
Process: C:\Users\user\Desktop\AWB-18267638920511_ES.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 531456
Entropy (8bit): 7.6437799109521265
Encrypted: false
SSDEEP: 12288:LfA7j4whhjZADjbOlv611wmRDa+Ze9jKxnnUOvYCGb7aOt8LFXDQI5jwmGfTgm:Lf4hjZUj0vzMDadmxn9vYLbB8Nk
MD5: 8B7F30A440FCC0B4B4EA690ECBFFF43E
SHA1: B3C91697EF02A5D357849E6358D825FDAB37A69E
SHA-256: B437404019D38740807EE024FCE54AC262690C6BCC59E893B7D8CA4392E7465A
SHA-512: EAA52E8F3AF0F95B9E3AA54A4F4BBD259F926C400748A5F013EC24A51C3246911BF21DA46C3EC3BDDF42D45BBA382DFEA2052BF43BE94CA88A752D7E6BD3B41C
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 76%
Reputation: low
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g.._............................>0... ...@....@.. ....................................@................................../..W....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ 0......H.......P....5..............X`...........................................*".(.....*Vr...p.....r...p.....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*>...(g...(.....*:..(....(i....*...(....(T...(!...(U.....(......(A....*...(.......{C....(&.....(....o$.....{....(m....*....(.......(.......(.......{$....(.

                                            Static File Info

                                            General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.6437799109521265
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.98%
• Win32 Executable (generic) a (10002005/4) 49.93%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: AWB-18267638920511_ES.exe
File size: 531456
MD5: 8b7f30a440fcc0b4b4ea690ecbfff43e
SHA1: b3c91697ef02a5d357849e6358d825fdab37a69e
SHA256: b437404019d38740807ee024fce54ac262690c6bcc59e893b7d8ca4392e7465a
SHA512: eaa52e8f3af0f95b9e3aa54a4f4bbd259f926c400748a5f013ec24a51c3246911bf21da46c3ec3bddf42d45bba382dfea2052bf43be94ca88a752d7e6bd3b41c
SSDEEP: 12288:LfA7j4whhjZADjbOlv611wmRDa+Ze9jKxnnUOvYCGb7aOt8LFXDQI5jwmGfTgm:Lf4hjZUj0vzMDadmxn9vYLbB8Nk
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g.._............................>0... ...@....@.. ....................................@................................

                                            File Icon

Icon Hash: 00828e8e8686b000

                                            Static PE Info

                                            General

Entrypoint: 0x48303e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FBE0767 [Wed Nov 25 07:27:35 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]

                                            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x82fe4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x590 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x81044 | 0x81200 | False | 0.78805474044 | data | 7.65240635484 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x84000 | 0x590 | 0x600 | False | 0.414713541667 | data | 4.03754982361 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x86000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x840a0 | 0x304 | data | |
RT_MANIFEST | 0x843a4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                            Imports

DLL | Import
mscoree.dll | _CorExeMain

                                            Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2019
Assembly Version | 1.0.0.0
InternalName | l.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | SnakeGame
ProductVersion | 1.0.0.0
FileDescription | SnakeGame
OriginalFilename | l.exe

                                            Network Behavior

                                            Network Port Distribution

                                            TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 27, 2020 08:31:51.072638988 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:51.125221014 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:51.125420094 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:51.319319963 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:51.319869041 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:51.372632027 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:51.373213053 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:51.430037022 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:51.483082056 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:51.505405903 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:51.598007917 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:51.604352951 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:51.604420900 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:51.604475021 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:51.604501963 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:51.604682922 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:51.604738951 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:51.606837034 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:51.654958963 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:51.658413887 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:51.710905075 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:51.711494923 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:51.764344931 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:51.972313881 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:52.025181055 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:52.027930975 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:52.083364964 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:52.084773064 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:52.145201921 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:52.146691084 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:52.199361086 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:52.199779034 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:52.292516947 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:52.300750971 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:52.301438093 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:52.353976011 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:52.355387926 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:52.355523109 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:52.356446981 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:52.357044935 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:31:52.407833099 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:52.407855988 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:52.408795118 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:52.409231901 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:52.417999029 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:31:52.467456102 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138
Nov 27, 2020 08:32:07.520045042 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3
Nov 27, 2020 08:32:07.520199060 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138

                                            UDP Packets

                                            DNS Queries

                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                            Nov 27, 2020 08:31:50.802264929 CET | 192.168.2.3 | 8.8.8.8 | 0x4af0 | Standard query (0) | mail.talleresgenerauto.es | A (IP address) | IN (0x0001)
                                            Nov 27, 2020 08:31:50.888202906 CET | 192.168.2.3 | 8.8.8.8 | 0x6d21 | Standard query (0) | mail.talleresgenerauto.es | A (IP address) | IN (0x0001)

                                            DNS Answers

                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                            Nov 27, 2020 08:31:50.865437984 CET | 8.8.8.8 | 192.168.2.3 | 0x4af0 | No error (0) | mail.talleresgenerauto.es | talleresgenerauto.es | - | CNAME (Canonical name) | IN (0x0001)
                                            Nov 27, 2020 08:31:50.865437984 CET | 8.8.8.8 | 192.168.2.3 | 0x4af0 | No error (0) | talleresgenerauto.es | - | 217.61.130.138 | A (IP address) | IN (0x0001)
                                            Nov 27, 2020 08:31:50.977401972 CET | 8.8.8.8 | 192.168.2.3 | 0x6d21 | No error (0) | mail.talleresgenerauto.es | talleresgenerauto.es | - | CNAME (Canonical name) | IN (0x0001)
                                            Nov 27, 2020 08:31:50.977401972 CET | 8.8.8.8 | 192.168.2.3 | 0x6d21 | No error (0) | talleresgenerauto.es | - | 217.61.130.138 | A (IP address) | IN (0x0001)

                                            SMTP Packets

                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                            Nov 27, 2020 08:31:51.319319963 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3 |
                                                220-pantallazoazul.zonasprivadasdns.com ESMTP Exim 4.93 #2 Fri, 27 Nov 2020 08:31:51 +0100
                                                220-We do not authorize the use of this system to transport unsolicited,
                                                220 and/or bulk e-mail.
                                            Nov 27, 2020 08:31:51.319869041 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138 |
                                                EHLO 745773
                                            Nov 27, 2020 08:31:51.372632027 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3 |
                                                250-pantallazoazul.zonasprivadasdns.com Hello 745773 [84.17.52.25]
                                                250-SIZE 52428800
                                                250-8BITMIME
                                                250-PIPELINING
                                                250-AUTH PLAIN LOGIN
                                                250-STARTTLS
                                                250 HELP
                                            Nov 27, 2020 08:31:51.373213053 CET | 49740 | 587 | 192.168.2.3 | 217.61.130.138 |
                                                STARTTLS
                                            Nov 27, 2020 08:31:51.430037022 CET | 587 | 49740 | 217.61.130.138 | 192.168.2.3 |
                                                220 TLS go ahead

                                            Code Manipulations

                                            Statistics

                                            Behavior

                                            System Behavior

                                            General

                                            Start time:08:30:04
                                            Start date:27/11/2020
                                            Path:C:\Users\user\Desktop\AWB-18267638920511_ES.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\Desktop\AWB-18267638920511_ES.exe'
                                            Imagebase:0xdc0000
                                            File size:531456 bytes
                                            MD5 hash:8B7F30A440FCC0B4B4EA690ECBFFF43E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.223775772.00000000042A4000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.224015893.000000000449F000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.223047556.0000000003201000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:low

                                            General

                                            Start time:08:30:11
                                            Start date:27/11/2020
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tGjZeZC' /XML 'C:\Users\user\AppData\Local\Temp\tmpA7E.tmp'
                                            Imagebase:0x11c0000
                                            File size:185856 bytes
                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:08:30:11
                                            Start date:27/11/2020
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6b2800000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:08:30:12
                                            Start date:27/11/2020
                                            Path:C:\Users\user\Desktop\AWB-18267638920511_ES.exe
                                            Wow64 process (32bit):true
                                            Commandline:{path}
                                            Imagebase:0xa90000
                                            File size:531456 bytes
                                            MD5 hash:8B7F30A440FCC0B4B4EA690ECBFFF43E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.470115094.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.474541903.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.475012814.0000000002EA4000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:low

                                            Disassembly

                                            Code Analysis
