
Windows Analysis Report TqSDHvsKpt.exe

Overview

General Information

Sample Name: TqSDHvsKpt.exe
Analysis ID: 502644
MD5: b063d4a9942d8b820ad62d2359d5263d
SHA1: ed42b11ac340a8b742ce61c2559b0154bcd75740
SHA256: 25cb04e6ce30f98f9cad9aa1fab3682067d2fee08cc09fe7accf657b2df04a23
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Hides threads from debuggers
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Injects a PE file into a foreign processes
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • TqSDHvsKpt.exe (PID: 5876 cmdline: 'C:\Users\user\Desktop\TqSDHvsKpt.exe' MD5: B063D4A9942D8B820AD62D2359D5263D)
    • TqSDHvsKpt.exe (PID: 2900 cmdline: C:\Users\user\Desktop\TqSDHvsKpt.exe MD5: B063D4A9942D8B820AD62D2359D5263D)
    • WerFault.exe (PID: 4828 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 2120 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "dpo23@dpobumber.com", "Password": "m~IzyO$8asT+", "Host": "mail.dpobumber.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.519878184.0000000002D71000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.519878184.0000000002D71000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.512013569.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.512013569.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.253482513.0000000004D24000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(4 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.TqSDHvsKpt.exe.4d249d0.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.TqSDHvsKpt.exe.4d249d0.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.TqSDHvsKpt.exe.4d249d0.8.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.TqSDHvsKpt.exe.4d249d0.8.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.2.TqSDHvsKpt.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(1 further entry not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.TqSDHvsKpt.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "dpo23@dpobumber.com", "Password": "m~IzyO$8asT+", "Host": "mail.dpobumber.com"}
Multi AV Scanner detection for submitted file
Source: TqSDHvsKpt.exe | Virustotal: Detection: 9%
Source: TqSDHvsKpt.exe | ReversingLabs: Detection: 46%
Machine Learning detection for sample
Source: TqSDHvsKpt.exe | Joe Sandbox ML: detected
Source: 1.2.TqSDHvsKpt.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: TqSDHvsKpt.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.7:49726 version: TLS 1.0
Source: TqSDHvsKpt.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: TqSDHvsKpt.PDB source: TqSDHvsKpt.exe, 00000000.00000002.248524110.00000000010F9000.00000004.00000001.sdmp
Source: Binary string: zc.pdbis3B~ source: TqSDHvsKpt.exe, 00000000.00000002.248524110.00000000010F9000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: TqSDHvsKpt.exe, 00000000.00000002.248524110.00000000010F9000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: Binary string: iVisualBasic.pdb source: TqSDHvsKpt.exe, 00000000.00000002.248524110.00000000010F9000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: Binary string: .pdb) source: TqSDHvsKpt.exe, 00000000.00000002.248524110.00000000010F9000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\Desktop\TqSDHvsKpt.PDB source: TqSDHvsKpt.exe, 00000000.00000002.248524110.00000000010F9000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000004.00000003.258315000.00000000056C1000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 4x nop then jmp 030C0CBDh (0_2_030C0A18)
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 4x nop then jmp 030C0CBDh (0_2_030C0A08)
Source: Joe Sandbox View | ASN Name: AS-HOSTINGERLT
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET /attachments/893177342426509335/897762616452214784/6F7A5FA1.jpg HTTP/1.1 | Host: cdn.discordapp.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 162.159.129.233
Source: global traffic | TCP traffic: 192.168.2.7:49826 -> 212.1.210.54:587
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: TqSDHvsKpt.exe, 00000001.00000002.519878184.0000000002D71000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: TqSDHvsKpt.exe, 00000001.00000002.519878184.0000000002D71000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: TqSDHvsKpt.exe, 00000001.00000002.519878184.0000000002D71000.00000004.00000001.sdmp | String found in binary or memory: http://PPyygN.com
Source: TqSDHvsKpt.exe, 00000001.00000002.521543421.00000000030D0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: TqSDHvsKpt.exe, 00000001.00000002.518078908.0000000001026000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: TqSDHvsKpt.exe, 00000001.00000002.521543421.00000000030D0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: TqSDHvsKpt.exe, 00000001.00000002.521543421.00000000030D0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: WerFault.exe, 00000004.00000002.281024250.0000000005230000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: TqSDHvsKpt.exe, 00000001.00000002.521543421.00000000030D0000.00000004.00000001.sdmp | String found in binary or memory: http://dpobumber.com
Source: TqSDHvsKpt.exe, 00000001.00000002.521543421.00000000030D0000.00000004.00000001.sdmp | String found in binary or memory: http://mail.dpobumber.com
Source: TqSDHvsKpt.exe, 00000001.00000002.518078908.0000000001026000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca
Source: TqSDHvsKpt.exe, 00000001.00000002.521543421.00000000030D0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: TqSDHvsKpt.exe, 00000000.00000002.249252982.0000000003111000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: TqSDHvsKpt.exe, 00000001.00000002.519878184.0000000002D71000.00000004.00000001.sdmp, TqSDHvsKpt.exe, 00000001.00000002.521490422.00000000030C6000.00000004.00000001.sdmp, TqSDHvsKpt.exe, 00000001.00000002.521658876.00000000030FB000.00000004.00000001.sdmp | String found in binary or memory: https://YdNYyLP8dl3DqFR.org
Source: TqSDHvsKpt.exe, 00000000.00000002.249252982.0000000003111000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com
Source: TqSDHvsKpt.exe, 00000000.00000002.249252982.0000000003111000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/897762616452214784/6F7A5FA1.jpg
Source: TqSDHvsKpt.exe, 00000001.00000002.521543421.00000000030D0000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: TqSDHvsKpt.exe, 00000000.00000002.253482513.0000000004D24000.00000004.00000001.sdmp, TqSDHvsKpt.exe, 00000001.00000002.512013569.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: TqSDHvsKpt.exe, 00000001.00000002.519878184.0000000002D71000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 2120
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 0_2_030C31E0
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 0_2_030C04E8
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 0_2_030C2BA8
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 0_2_030C0A18
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 0_2_030C0A08
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 1_2_009D2D50
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 1_2_009D2618
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 1_2_009D1FE2
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 1_2_009D9DB8
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 1_2_00F346A0
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 1_2_00F33D42
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 1_2_00F34690
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 1_2_00F34672
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 1_2_00F3D2F0
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 0_2_030CAE30 NtSetInformationThread
Source: TqSDHvsKpt.exe, 00000000.00000002.248368161.0000000000D3C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameValorantLogin.exe< vs TqSDHvsKpt.exe
Source: TqSDHvsKpt.exe, 00000000.00000002.250257601.0000000003704000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClWJ AmB.exe2 vs TqSDHvsKpt.exe
Source: TqSDHvsKpt.exe, 00000000.00000002.250298370.0000000004119000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAlienRunPE.exe6 vs TqSDHvsKpt.exe
Source: TqSDHvsKpt.exe, 00000001.00000000.245512606.000000000088C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameValorantLogin.exe< vs TqSDHvsKpt.exe
Source: TqSDHvsKpt.exe, 00000001.00000002.517121498.0000000000FBA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs TqSDHvsKpt.exe
Source: TqSDHvsKpt.exe, 00000001.00000002.512013569.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameClWJ AmB.exe2 vs TqSDHvsKpt.exe
Source: TqSDHvsKpt.exe, 00000001.00000002.514312781.0000000000CF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TqSDHvsKpt.exe
Source: TqSDHvsKpt.exe | Binary or memory string: OriginalFilenameValorantLogin.exe< vs TqSDHvsKpt.exe
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | File read: C:\Users\user\Desktop\TqSDHvsKpt.exe
Source: TqSDHvsKpt.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\TqSDHvsKpt.exe 'C:\Users\user\Desktop\TqSDHvsKpt.exe'
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Process created: C:\Users\user\Desktop\TqSDHvsKpt.exe C:\Users\user\Desktop\TqSDHvsKpt.exe
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB24.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/6@3/3
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5876
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: TqSDHvsKpt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 0_2_00D37B65 pushfd ; iretd (0_2_00D37B68)
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 0_2_030C661C push 8B6A7664h; iretd (0_2_030C6629)
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 0_2_030C66D9 push 5D0C50FFh; ret (0_2_030C667C)
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 1_2_00887B65 pushfd ; iretd (1_2_00887B68)
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Code function: 1_2_009D7A37 push edi; retn 0000h (1_2_009D7A39)
Source: TqSDHvsKpt.exe | Static PE information: 0xDEF32B19 [Mon Jul 12 13:43:53 2088 UTC]
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\TqSDHvsKpt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe TID: 4032 | Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe TID: 5828 | Thread sleep count: 544 > 30
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe TID: 5828 | Thread sleep count: 9307 > 30
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Window / User API: threadDelayed 544
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Window / User API: threadDelayed 9307
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Thread delayed: delay time: 922337203685477
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000004.00000002.280814469.00000000035FC000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000004.00000002.280814469.00000000035FC000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWing Pseudo-Interface7
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: TqSDHvsKpt.exe, 00000001.00000002.518078908.0000000001026000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

                      Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\TqSDHvsKpt.exe | Thread information set: HideFromDebugger