
Analysis Report ENQUIRY 050420217274.exe

Overview

General Information

Sample Name: ENQUIRY 050420217274.exe
Analysis ID: 404242
MD5: cf4fbd7fa545026f738a9b49730010e0
SHA1: 93aaa89acdda9b49c501d901e29b17e8e8d56c75
SHA256: d4a486d6eb6ff402162a440e49cb53777c2a3a0e98abb04016e189cd445676a2
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • ENQUIRY 050420217274.exe (PID: 3348 cmdline: 'C:\Users\user\Desktop\ENQUIRY 050420217274.exe' MD5: CF4FBD7FA545026F738A9B49730010E0)
    • schtasks.exe (PID: 1004 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cZltdo' /XML 'C:\Users\user\AppData\Local\Temp\tmp9220.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • jNnIJrO.exe (PID: 3476 cmdline: 'C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe' MD5: CF4FBD7FA545026F738A9B49730010E0)
    • schtasks.exe (PID: 5680 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cZltdo' /XML 'C:\Users\user\AppData\Local\Temp\tmp30B1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • jNnIJrO.exe (PID: 2344 cmdline: {path} MD5: CF4FBD7FA545026F738A9B49730010E0)
    • jNnIJrO.exe (PID: 5500 cmdline: {path} MD5: CF4FBD7FA545026F738A9B49730010E0)
  • jNnIJrO.exe (PID: 5452 cmdline: 'C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe' MD5: CF4FBD7FA545026F738A9B49730010E0)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "salama@sharpn.comtT%r.=GXU=,kmail.sharpn.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000002.479176115.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000D.00000002.337141324.0000000003DC9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.494432601.0000000002B24000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.491848296.0000000002891000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000012.00000002.479218404.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(11 further entries omitted)

Unpacked PEs

Source | Rule | Description | Author
0.2.ENQUIRY 050420217274.exe.456f7d8.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.2.ENQUIRY 050420217274.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
13.2.jNnIJrO.exe.3dff960.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
18.2.jNnIJrO.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
13.2.jNnIJrO.exe.3f9f7d8.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(3 further entries omitted)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 3.2.ENQUIRY 050420217274.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "salama@sharpn.comtT%r.=GXU=,kmail.sharpn.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\cZltdo.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: ENQUIRY 050420217274.exe | ReversingLabs: Detection: 21%
Source: 3.2.ENQUIRY 050420217274.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 18.2.jNnIJrO.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: ENQUIRY 050420217274.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ENQUIRY 050420217274.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49705 -> 192.185.95.74:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49706 -> 192.185.95.74:587
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown | DNS traffic detected: queries for: mail.sharpn.com
Source: ENQUIRY 050420217274.exe, 00000003.00000002.491848296.0000000002891000.00000004.00000001.sdmp, jNnIJrO.exe, 00000012.00000002.490723046.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: jNnIJrO.exe, 00000012.00000002.490723046.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: jNnIJrO.exe, 00000012.00000002.490723046.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: http://YpcvER.com
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: ENQUIRY 050420217274.exe, 00000003.00000002.494992635.0000000002B72000.00000004.00000001.sdmp | String found in binary or memory: http://mail.sharpn.com
Source: ENQUIRY 050420217274.exe, 00000000.00000002.235666947.0000000003391000.00000004.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.334369508.0000000002DC1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ENQUIRY 050420217274.exe, 00000003.00000002.494992635.0000000002B72000.00000004.00000001.sdmp | String found in binary or memory: http://sharpn.com
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: ENQUIRY 050420217274.exe, 00000000.00000002.240872663.0000000006380000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.341188583.0000000005CA0000.00000002.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.344641962.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: ENQUIRY 050420217274.exe, 00000003.00000002.491848296.0000000002891000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: jNnIJrO.exe, 00000012.00000002.490723046.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: ENQUIRY 050420217274.exe, 00000003.00000002.494722839.0000000002B50000.00000004.00000001.sdmp, ENQUIRY 050420217274.exe, 00000003.00000002.494796953.0000000002B5E000.00000004.00000001.sdmp, ENQUIRY 050420217274.exe, 00000003.00000003.450719560.0000000000A14000.00000004.00000001.sdmp | String found in binary or memory: https://gsEyIHJd6j5pGI.net
Source: ENQUIRY 050420217274.exe, 00000000.00000002.236883702.0000000004399000.00000004.00000001.sdmp, ENQUIRY 050420217274.exe, 00000003.00000002.479176115.0000000000402000.00000040.00000001.sdmp, jNnIJrO.exe, 0000000D.00000002.337141324.0000000003DC9000.00000004.00000001.sdmp, jNnIJrO.exe, 00000012.00000002.479218404.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: jNnIJrO.exe, 00000012.00000002.490723046.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\ENQUIRY 050420217274.exe
Source: jNnIJrO.exe, 0000000D.00000002.333043207.00000000010D8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: ENQUIRY 050420217274.exe
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_00F47337
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_01B7E4D0
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_01B7E4C2
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_01B7C43C
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E26D9
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E5ED0
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E3610
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E7DBB
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E04AB
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E1CBB
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078EA440
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E69E0
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E1020
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E0040
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078EA858
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E0F8A
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E3728
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E3755
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E16C8
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E36C4
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078EBEC0
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E36F4
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078EB62D
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E4588
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E4598
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E35A5
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E35DA
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078EC4A8
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078EC4B8
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078EA430
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E5478
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E9380
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E9390
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E5BFB
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E82A0
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E3A1D
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E5A43
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E5A50
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E69B9
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E2158
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E5803
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E5810
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078EB030
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078EA847
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 0_2_078E386A
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 3_2_004D7337
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 3_2_00D346A0
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 3_2_00D335C4
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 3_2_00D34690
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 3_2_00D35390
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 3_2_00D3DA10
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 3_2_00D811A3
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 3_2_00D85420
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 3_2_00D80D78
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 3_2_00D89EF0
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 3_2_00D88FA0
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 3_2_00D8B708
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 3_2_00D86121
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe | Code function: 3_2_00D86220
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_008C733713_2_008C7337
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_02D2E4D013_2_02D2E4D0
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_02D2E4C113_2_02D2E4C1
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_02D2C43C13_2_02D2C43C
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E15ED013_2_06E15ED0
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E126D913_2_06E126D9
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E1361013_2_06E13610
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E1A7D013_2_06E1A7D0
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E104A913_2_06E104A9
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E11CB813_2_06E11CB8
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E1A44013_2_06E1A440
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E17DBB13_2_06E17DBB
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E1004013_2_06E10040
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E1102013_2_06E11020
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E169E013_2_06E169E0
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E1C17013_2_06E1C170
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E136F413_2_06E136F4
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E136C413_2_06E136C4
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E116D013_2_06E116D0
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E1BE3813_2_06E1BE38
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E1A7C013_2_06E1A7C0
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E1AFA813_2_06E1AFA8
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeCode function: 13_2_06E10F8913_2_06E10F89
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E13755 13_2_06E13755
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E13728 13_2_06E13728
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E134CE 13_2_06E134CE
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E15478 13_2_06E15478
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E1C420 13_2_06E1C420
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E1C430 13_2_06E1C430
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E1A430 13_2_06E1A430
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E135ED 13_2_06E135ED
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E1B5BB 13_2_06E1B5BB
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E14588 13_2_06E14588
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E1B594 13_2_06E1B594
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E14598 13_2_06E14598
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E182A0 13_2_06E182A0
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E15A43 13_2_06E15A43
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E15A50 13_2_06E15A50
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E13A1D 13_2_06E13A1D
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E15BFB 13_2_06E15BFB
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E19380 13_2_06E19380
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E19390 13_2_06E19390
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E1386A 13_2_06E1386A
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E15803 13_2_06E15803
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E10007 13_2_06E10007
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E15810 13_2_06E15810
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E12158 13_2_06E12158
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E16958 13_2_06E16958
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_072A23AB 13_2_072A23AB
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_072A23B8 13_2_072A23B8
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 14_2_00DF7337 14_2_00DF7337
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 14_2_0314C43C 14_2_0314C43C
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 14_2_0314E4D0 14_2_0314E4D0
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 14_2_0314E4C2 14_2_0314E4C2
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 14_2_0594AD6C 14_2_0594AD6C
Source: ENQUIRY 050420217274.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cZltdo.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jNnIJrO.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ENQUIRY 050420217274.exe, 00000000.00000002.247795647.000000000EF40000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs ENQUIRY 050420217274.exe
Source: ENQUIRY 050420217274.exe, 00000000.00000002.234454200.0000000001046000.00000002.00020000.sdmp Binary or memory string: OriginalFilename8CmnOdWmMX5UQrt.exeR vs ENQUIRY 050420217274.exe
Source: ENQUIRY 050420217274.exe, 00000000.00000002.247446698.0000000007D60000.00000002.00000001.sdmp Binary or memory string: originalfilename vs ENQUIRY 050420217274.exe
Source: ENQUIRY 050420217274.exe, 00000000.00000002.247446698.0000000007D60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ENQUIRY 050420217274.exe
Source: ENQUIRY 050420217274.exe, 00000000.00000002.235760534.00000000033DC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameQqSNnlFTRFzQEfrWuqynkYa.exe4 vs ENQUIRY 050420217274.exe
Source: ENQUIRY 050420217274.exe, 00000000.00000002.247106086.0000000007B00000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs ENQUIRY 050420217274.exe
Source: ENQUIRY 050420217274.exe, 00000000.00000002.235666947.0000000003391000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSmartFormat.dll8 vs ENQUIRY 050420217274.exe
Source: ENQUIRY 050420217274.exe, 00000003.00000002.479176115.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameQqSNnlFTRFzQEfrWuqynkYa.exe4 vs ENQUIRY 050420217274.exe
Source: ENQUIRY 050420217274.exe, 00000003.00000000.233790034.00000000005D6000.00000002.00020000.sdmp Binary or memory string: OriginalFilename8CmnOdWmMX5UQrt.exeR vs ENQUIRY 050420217274.exe
Source: ENQUIRY 050420217274.exe, 00000003.00000002.491201712.0000000000F50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs ENQUIRY 050420217274.exe
Source: ENQUIRY 050420217274.exe, 00000003.00000002.491041545.0000000000F30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs ENQUIRY 050420217274.exe
Source: ENQUIRY 050420217274.exe, 00000003.00000002.486184915.0000000000798000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ENQUIRY 050420217274.exe
Source: ENQUIRY 050420217274.exe, 00000003.00000002.490498566.0000000000EA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs ENQUIRY 050420217274.exe
Source: ENQUIRY 050420217274.exe Binary or memory string: OriginalFilename8CmnOdWmMX5UQrt.exeR vs ENQUIRY 050420217274.exe
Source: ENQUIRY 050420217274.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: jNnIJrO.exe, 0000000D.00000002.333043207.00000000010D8000.00000004.00000020.sdmp Binary or memory string: ;.VBP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/8@4/1
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe File created: C:\Users\user\AppData\Roaming\cZltdo.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3288:120:WilError_01
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Mutant created: \Sessions\1\BaseNamedObjects\FYdnuhEuTZzdzcb
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:640:120:WilError_01
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe File created: C:\Users\user\AppData\Local\Temp\tmp9220.tmp
Source: ENQUIRY 050420217274.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 events)
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (3 events)
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 events)
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe File read: C:\Windows\System32\drivers\etc\hosts (5 events)
Source: jNnIJrO.exe Binary or memory string: SELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
Source: jNnIJrO.exe Binary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;
Source: ENQUIRY 050420217274.exe, 00000000.00000002.234360162.0000000000F42000.00000002.00020000.sdmp, ENQUIRY 050420217274.exe, 00000003.00000000.233692366.00000000004D2000.00000002.00020000.sdmp, jNnIJrO.exe, 0000000D.00000000.302105601.00000000008C2000.00000002.00020000.sdmp, jNnIJrO.exe, 0000000E.00000002.336338933.0000000000DF2000.00000002.00020000.sdmp, jNnIJrO.exe, 00000011.00000002.328439064.0000000000202000.00000002.00020000.sdmp, jNnIJrO.exe, 00000012.00000002.481182480.0000000000E22000.00000002.00020000.sdmp Binary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;oSELECT COUNT(*) FROM PatientDoctor WHERE DoctorId = {0}sSELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
Source: ENQUIRY 050420217274.exe ReversingLabs: Detection: 21%
Source: ENQUIRY 050420217274.exe String found in binary or memory: Administrators/addNewToolStripMenuItem
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe File read: C:\Users\user\Desktop\ENQUIRY 050420217274.exe
Source: unknown Process created: C:\Users\user\Desktop\ENQUIRY 050420217274.exe 'C:\Users\user\Desktop\ENQUIRY 050420217274.exe'
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cZltdo' /XML 'C:\Users\user\AppData\Local\Temp\tmp9220.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe Process created: C:\Users\user\Desktop\ENQUIRY 050420217274.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe 'C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe' (2 events)
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cZltdo' /XML 'C:\Users\user\AppData\Local\Temp\tmp30B1.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Process created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe {path} (2 events)
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: ENQUIRY 050420217274.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ENQUIRY 050420217274.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ENQUIRY 050420217274.exe Static file information: File size 1224704 > 1048576
Source: ENQUIRY 050420217274.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x102400
Source: ENQUIRY 050420217274.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: ENQUIRY 050420217274.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ENQUIRY 050420217274.exe Static PE information: compile timestamp 0x96043243 [Sun Oct 3 07:03:31 2049 UTC] (a date in the future, so the PE header timestamp is forged or overwritten and cannot be used for dating the build)
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe Code function: 0_2_078E4E5C pushad ; retf 0056h 0_2_078E4E5D
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe Code function: 0_2_078E758B pushfd ; ret 0_2_078E758C
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe Code function: 0_2_078E3417 push edi; ret 0_2_078E341F
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe Code function: 0_2_07941695 push FFFFFF8Bh; iretd 0_2_07941697
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E14E5C pushad ; retf 0056h 13_2_06E14E5D
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E134CE push es; retf 13_2_06E13584
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E134CE push es; retf E132h 13_2_06E135A4
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E134CE push es; ret 13_2_06E135EC
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E13417 push edi; ret 13_2_06E1341F
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E135D9 push es; ret 13_2_06E135EC
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E13510 push es; retf 13_2_06E13584
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E713A1 push dword ptr [ebx+ebp-75h]; iretd 13_2_06E713C5
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_06E714B5 push FFFFFF8Bh; iretd 13_2_06E714B7
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_072AC968 pushfd ; retf 13_2_072ACB91
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_072A9CB0 push edx; iretd 13_2_072A9D1A
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 13_2_072ACB8B pushfd ; retf 13_2_072ACB91
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe Code function: 14_2_05941CB8 push eax; mov dword ptr [esp], ecx 14_2_05941CBC
Source: initial sample Static PE information: section name: .text entropy: 7.18632834248 (reported 3 times)
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe File created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe (dropped file)
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe File created: C:\Users\user\AppData\Roaming\cZltdo.exe (dropped file)

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cZltdo' /XML 'C:\Users\user\AppData\Local\Temp\tmp9220.tmp'
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jNnIJrO (2 events)
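The process-creation and registry records above are what an analyst would feed a triage script. The following is an added example, not part of the Joe Sandbox report or of its tooling: it parses lines in the same "Source: <actor><event>: <detail>" shape the export uses (the sample lines are constructed copies of records from this report), rebuilds the parent/child process tree, and flags the three behaviours this sample shows: schtasks.exe /Create fed a task XML from the user's Temp directory, a process re-launching its own image (the "{path}" form the report prints when the command line equals the image path), and a value written under the HKCU Run key. The rule names and helper functions are the example's own, not anything from the report.

```python
import re

# Constructed sample input: copies of behaviour records from the report
# above, in the "Source: <actor><event>: <detail>" form the export uses.
# Raw strings keep the Windows backslashes literal; two lines carry the
# "Jump to behavior" link text the HTML export appends.
SAMPLE_LINES = [
    r"Source: unknownProcess created: C:\Users\user\Desktop\ENQUIRY 050420217274.exe 'C:\Users\user\Desktop\ENQUIRY 050420217274.exe'",
    r"Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cZltdo' /XML 'C:\Users\user\AppData\Local\Temp\tmp9220.tmp'",
    r"Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exeProcess created: C:\Users\user\Desktop\ENQUIRY 050420217274.exe {path}Jump to behavior",
    r"Source: unknownProcess created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe 'C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe'",
    r"Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cZltdo' /XML 'C:\Users\user\AppData\Local\Temp\tmp30B1.tmp'",
    r"Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe {path}",
    r"Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jNnIJrOJump to behavior",
]

# Link text the HTML export glues onto the end of some records.
LINK_TEXT = ("Jump to behavior", "Jump to dropped file")

# The actor and the event name are run together with no separator, so the
# actor is matched non-greedily up to the first event name.
PROC_RE = re.compile(r"^Source: (?P<parent>.+?)Process created: (?P<image>.+?\.exe)\s*(?P<cmd>.*)$", re.IGNORECASE)
REG_RE = re.compile(r"^Source: (?P<actor>.+?)Registry value created or modified: (?P<key>\S+) (?P<value>\S+)$")
TASK_RE = re.compile(r"/Create\s+/TN\s+'(?P<task>[^']+)'\s+/XML\s+'(?P<xml>[^']+)'", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def clean(line):
    """Strip surrounding whitespace and the trailing link text."""
    line = line.strip()
    for text in LINK_TEXT:
        if line.endswith(text):
            line = line[: -len(text)].rstrip()
    return line


def parse_events(lines):
    """Turn report lines into event dicts; lines of other kinds are skipped."""
    events = []
    for raw in lines:
        line = clean(raw)
        m = PROC_RE.match(line)
        if m:
            events.append({"kind": "process", "parent": m["parent"],
                           "image": m["image"], "cmd": m["cmd"].strip()})
            continue
        m = REG_RE.match(line)
        if m:
            events.append({"kind": "registry", "actor": m["actor"],
                           "key": m["key"], "value": m["value"]})
    return events


def build_process_tree(events):
    """Map each parent image to the child images it spawned, in report order."""
    tree = {}
    for ev in events:
        if ev["kind"] == "process":
            tree.setdefault(ev["parent"], []).append(ev["image"])
    return tree


def find_indicators(events):
    """Return (rule, detail) pairs for persistence and self-relaunch behaviour."""
    hits = []
    for ev in events:
        if ev["kind"] == "process":
            if ev["image"].lower().endswith("\\schtasks.exe"):
                t = TASK_RE.search(ev["cmd"])
                # Task definition handed to schtasks from the user's Temp directory
                if t and USER_TEMP_RE.search(t["xml"]):
                    hits.append(("schtasks_from_temp_xml",
                                 f"{ev['parent']} -> task '{t['task']}' from {t['xml']}"))
            # "{path}" is the report's shorthand for a command line equal to the image path;
            # a process starting a fresh copy of itself is the pattern seen before injection.
            if ev["cmd"] == "{path}" and ev["image"].lower() == ev["parent"].lower():
                hits.append(("self_relaunch", ev["image"]))
        elif ev["kind"] == "registry" and ev["key"].lower().endswith("\\currentversion\\run"):
            hits.append(("run_key_value", f"{ev['key']} -> {ev['value']}"))
    return hits


def triage(lines):
    """Parse once, return the process tree and the indicator list together."""
    events = parse_events(lines)
    return {"tree": build_process_tree(events), "indicators": find_indicators(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for parent, children in result["tree"].items():
        print(parent)
        for child in children:
            print("  +-", child)
    for rule, detail in result["indicators"]:
        print(f"[{rule}] {detail}")
```

Feed the whole behaviour section to triage() line by line; records the parser does not recognise are ignored, so the mixed static and dynamic lines above can be passed through unfiltered. Two schtasks hits with the same task name from two different images, as in this report, is itself worth noting: the dropped copy re-registers the task under its own tmp file name, so both the task name and the Run value survive deletion of the original sample.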

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe File opened: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe:Zone.Identifier read attributes | delete
Moves itself to temp directory
Source: c:\users\user\desktop\enquiry 050420217274.exe File moved: C:\Users\user\AppData\Local\Temp\tmpG809.tmp
Source: C:\Users\user\Desktop\ENQUIRY 050420217274.exe Process information set: NOOPENFILEERRORBOX (62 events)