Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
QUOTATION_APRQTRA031244#U00b7PDF.scr.exe

Overview

General Information

Sample name:QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
renamed because original name is a hash value
Original sample name:QUOTATION_APRQTRA031244PDF.scr.exe
Analysis ID:1429042
MD5:966753d0afd440eb5b3c9c09e3d483a6
SHA1:984920dec777434f7f1c658061a1073c9779a067
SHA256:201be09070f9988aa12569e48e32632e2f3f8bdb6d738d3bd62e9045d38bb68e
Tags:AgentTeslaexe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code references suspicious native API functions
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • QUOTATION_APRQTRA031244#U00b7PDF.scr.exe (PID: 5512 cmdline: "C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe" MD5: 966753D0AFD440EB5B3C9C09E3D483A6)
    • powershell.exe (PID: 1352 cmdline: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ESET.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 5016 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • svchost.exe (PID: 1132 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "gator3220.hostgator.com", "Username": "minors@aoqiinflatables.com", "Password": "RaFv@tsTUK55@@<<!!"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.4565068932.0000000002D75000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000004.00000002.4552565529.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000004.00000002.4552565529.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 5 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            4.2.RegAsm.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              4.2.RegAsm.exe.400000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                4.2.RegAsm.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  4.2.RegAsm.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                  • 0x33e63:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                  • 0x33ed5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                  • 0x33f5f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                  • 0x33ff1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                  • 0x3405b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                  • 0x340cd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                  • 0x34163:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                  • 0x341f3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                  0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                    Click to see the 14 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ESET.exe', CommandLine: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ESET.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe", ParentImage: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, ParentProcessId: 5512, ParentProcessName: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, ProcessCommandLine: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ESET.exe', ProcessId: 1352, ProcessName: powershell.exe
                    Sigma detected: Windows Processes Suspicious Parent Directory
                    Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1132, ProcessName: svchost.exe

                    Snort Signatures

                    No Snort rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus detection for URL or domain
                    Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
                    Found malware configuration
                    Source: 4.2.RegAsm.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "gator3220.hostgator.com", "Username": "minors@aoqiinflatables.com", "Password": "RaFv@tsTUK55@@<<!!"}
                    Multi AV Scanner detection for submitted file
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeVirustotal: Detection: 39%Perma Link
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeReversingLabs: Detection: 55%
                    Machine Learning detection for sample
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeJoe Sandbox ML: detected
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2092188391.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2095895448.0000000004D80000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2116368930.0000000007FE3000.00000004.00000020.00020000.00000000.sdmp

                    Networking

                    barindex
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.379a1b0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3749b80.4.raw.unpack, type: UNPACKEDPE
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                    Source: unknownDNS query: name: ip-api.com
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: unknownDNS traffic detected: queries for: ip-api.com
                    Source: svchost.exe, 00000005.00000002.3700573728.000002F41188B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                    Source: qmgr.db.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                    Source: qmgr.db.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
                    Source: qmgr.db.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                    Source: qmgr.db.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                    Source: qmgr.db.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                    Source: qmgr.db.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                    Source: qmgr.db.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                    Source: edb.log.5.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                    Source: powershell.exe, 00000002.00000002.2108579806.0000000004C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
                    Source: RegAsm.exe, 00000004.00000002.4565068932.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4565068932.0000000002E02000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4565068932.0000000002D41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4552565529.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4565068932.0000000002E02000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4565068932.0000000002D41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: powershell.exe, 00000002.00000002.2111908849.00000000056F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000002.00000002.2108579806.0000000004691000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4565068932.0000000002E02000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4565068932.0000000002D41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000002.00000002.2116368930.0000000007FE3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4552565529.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: powershell.exe, 00000002.00000002.2108579806.0000000004691000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                    Source: powershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                    Source: powershell.exe, 00000002.00000002.2111908849.00000000056F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000002.00000002.2111908849.00000000056F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000002.00000002.2111908849.00000000056F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: edb.log.5.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                    Source: svchost.exe, 00000005.00000003.2091605345.000002F411600000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                    Source: powershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2096084725.0000000004ED0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/sam210723/goesrecv-monitor/releases/latest
                    Source: powershell.exe, 00000002.00000002.2113733209.0000000006FC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.U
                    Source: powershell.exe, 00000002.00000002.2113733209.0000000006FC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.UEV.psd1id
                    Source: powershell.exe, 00000002.00000002.2111908849.00000000056F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2096084725.0000000004ED0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://vksdr.com/goesrecv-monitor

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, KeyHook.cs.Net Code: StartListening
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, l8rGfzxi.cs.Net Code: iCBE
                    Installs a global keyboard hook
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.379a1b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3749b80.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Initial sample is a PE file and has a suspicious name
                    Source: initial sampleStatic PE information: Filename: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
                    Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeCode function: 0_2_024E24480_2_024E2448
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeCode function: 0_2_024ECD3C0_2_024ECD3C
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeCode function: 0_2_024EF5A80_2_024EF5A8
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeCode function: 0_2_024EF5B80_2_024EF5B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0127C9D84_2_0127C9D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01274AC04_2_01274AC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0127CF154_2_0127CF15
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01273EA84_2_01273EA8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_012741F04_2_012741F0
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000000.2069778878.000000000020D000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameESET.exe, vs QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2090933970.000000000086E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegoesrecv.dllB vs QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamea2008e0c-49e9-4951-9077-6b05297ad1bf.exe4 vs QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2096084725.0000000004ED0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamegoesrecv.dllB vs QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2092188391.00000000026F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBienvenida.exe6 vs QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2092188391.00000000026F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamea2008e0c-49e9-4951-9077-6b05297ad1bf.exe4 vs QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2095895448.0000000004D80000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameBienvenida.exe6 vs QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeBinary or memory string: OriginalFilenameESET.exe, vs QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.379a1b0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3749b80.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3749b80.4.raw.unpack, ConstellationPanel.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.379a1b0.2.raw.unpack, ConstellationPanel.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, N1EZ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, N1EZ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, N1EZ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, N1EZ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, arzrv9AWTXK.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, arzrv9AWTXK.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, InmxgXcIi8d.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, InmxgXcIi8d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3749b80.4.raw.unpack, Symbols.csBase64 encoded string: 'xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818=', 'kcUEXaQPPIwtVFtC1PL/HXXkxfIZB03eNHvJetoP4hJTCBXd428OqcdPbPWqvhIczQvj71Ac6LZ7OG/e+yr4Bxet9vqIWevSzbdwqqWPf8nK2cPiNSfXdemqzBs1kBKEGQlnxKecRQs0Fim2Dq/kkqqyy4FT/M/7aleIZqMCZ4mq5jKj7zWHx8js/y7INNJykRnbqqkNJse2whyml6+Dho8xXhyKKjEjHHCQ++yYATPvU+ZwZGQ1aiyg3xM2+Mufv6OdiWo+NL8qVblSY+ML74QQ3+qn2cEZW8xaJcMAsMta6fJiSREwzJ1z86EfJ/jsm5waxGaL/ovb6ftrSW+RglFtTXsgBL0RqWZpQItqPDkF2hues0c5OGEtzNWaUVXn+H8FUCAJ+aqWE9AG5vtPYKXmrSZj5IG/6FHSIYC0nWBx5wHsGRTyzUgkPZMLeX0qotsCm9lMlGpxKlh+Z1oic1vbrF8QbV1eNo4t2Pb5oYAk/LIRoTnuPlLXjaubmL1hSqvzPQ/sVXzd5mXTvaOq58aApZHbOXkjfhfbDwVLc3Bjs25RTwPrIWsIAKwX/3kGBu/AxMY0Wb07NTJmloyghXyX9HTSpFE3N+D/N7l3tVWX/n6tnybXZUsRqFSB6rG1tbIR1a+4GVp+//5BqD3kM0VXcBGmG3xpyDSDCLIVVEXY5GyYN1vEkdGhjGvmeOX02f1RKB3vh5V5M5RcsEYhGsS36zuGpaNhrGf4h+7HDzTIU9/1Xl1nPdFaQmDFTIiidpmn26+9CW+g2SPIPlPDTjgkYnTmXT+O8PHwjD7K5IOwDZUbbAFA1Lrdc9IlU412XoEdl5mDZkue1zwbLWf+qvNJbFX8sXHehpGS3HbJZGQqyBs/WGnME/zTep7mu3SAbJ/9lw9DubLAWm3eZ/MVjBNuE3yDINYwtRQMJcyCjqvOUaWeWaIkvESwPYK4f4DzXPSa187wG+9AlgF8f2wQOygxX1dsc+xQUYb6mjfKphwvQfA49LiS6QNKSqz15qqR0H8SkeLLJ7txSyPf5o/Vb8ElYF2R/Dsozjt09H5PLZg8Mx42byNjie81RXixtgWQpr4xblQ9zxj5IaMqOBw3U6yvkKqUNQd1pRUx/33LazNTVFgHRwpx+LutF/m3Ilc9LDSXQ2sLYadTLNM4H6sg88B3Ku0bJgNkN8dFdIsCjQkk9Mdt0ps7+1BSph400PLXGB8Ouast6dmU+lpkXpEGr/mWHaX4VEifmt6MFtiG9jSUTjA2VqhJ2qS66jKrnf1CuWF5qWbXjRlBXUK1jLibI8Is03eHlVAWQOFZcrfOpPq3o0OxUDbCLddsIsPCScNdGrBY2q9RllmuBZNg/W6T5m+X2KNwjQyVBQxBU34LaUg9GMhx5G6e5/2Gji8UiH7/fu4jgyKbpw9r0egwJJndmdSHGUdUQ49W56s9vPelsDJb08XuAjWQXFOdA1Kmsw9Dh45XsM/m10+4XbpvyJ7XmTYJAvhQMXLFqtS4GpKG69JRuO4n+L6rSLGlFzxmsEhm3QM9iDYz2US4Un+EjCOwvFtl/eeSBED1CLnNZf4IbflrasiyFM6IFES8MG62FqpfoichpMq3Dt3tPmAgGD89QmkCsMCq8pGj+3BeDc98BauK1JlOc3iObuBFb0NChpfWa1lZmLvdMib+Wp2pqytptC5Ad7o8p4gSVACx6up/YNr6I8YhsqGIHpFV7Jvk6nzQ19vdCSYcUt+o2i12lPTyUqO5WujSq7P41U0w2rtJQ26/ZzkoCHMKUckEWvk2ei4A+bBCG2520B3/6O1EclfvsvlFIIf2mfft+6FFGP8enxtpFqG/1EAjM3sSS6IKARWsy3s4D5H+dtzPSaR/PDr2jejgFGRPxSbuLutKf4Kq55+afwF989Ad3WDqFcnmc5BwJhXFPxqlmhbPFSMnMVSksaW8UAhMCwLnt31FSm9CfeXXjCj8+hrMcPtn4+PDQeiLyf5/nD/vwOnFGKuLEm9JR/FzB5RktFNWqSYEqRzg8LgsYcEHc4zWyBiABM1LbR2nzax5QE3aZASIx1za/lqdqTVimq7MZbrwQrWQinziaucgzSHxKw880yNElAHNJZFw5Z4rZRzj/oK/kMoAhV4H1jnZbSuePHvddP24l9YOvlGpCsWrI3fk7BWzD8DJD3X2bGim8xoEt4g/R1aCZC/UMvPk/1IixbWw1P+li3OayxAQlbUqmb7DPHGvkbTD8evGdp3QwQWtGkbPRmu+iUWIEefvCP02tcFiIPdm82jN+Oc7+krSiRmxMiJMVt8h+1THUxoF3qD
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.379a1b0.2.raw.unpack, Symbols.csBase64 encoded string: 'xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818=', 'kcUEXaQPPIwtVFtC1PL/HXXkxfIZB03eNHvJetoP4hJTCBXd428OqcdPbPWqvhIczQvj71Ac6LZ7OG/e+yr4Bxet9vqIWevSzbdwqqWPf8nK2cPiNSfXdemqzBs1kBKEGQlnxKecRQs0Fim2Dq/kkqqyy4FT/M/7aleIZqMCZ4mq5jKj7zWHx8js/y7INNJykRnbqqkNJse2whyml6+Dho8xXhyKKjEjHHCQ++yYATPvU+ZwZGQ1aiyg3xM2+Mufv6OdiWo+NL8qVblSY+ML74QQ3+qn2cEZW8xaJcMAsMta6fJiSREwzJ1z86EfJ/jsm5waxGaL/ovb6ftrSW+RglFtTXsgBL0RqWZpQItqPDkF2hues0c5OGEtzNWaUVXn+H8FUCAJ+aqWE9AG5vtPYKXmrSZj5IG/6FHSIYC0nWBx5wHsGRTyzUgkPZMLeX0qotsCm9lMlGpxKlh+Z1oic1vbrF8QbV1eNo4t2Pb5oYAk/LIRoTnuPlLXjaubmL1hSqvzPQ/sVXzd5mXTvaOq58aApZHbOXkjfhfbDwVLc3Bjs25RTwPrIWsIAKwX/3kGBu/AxMY0Wb07NTJmloyghXyX9HTSpFE3N+D/N7l3tVWX/n6tnybXZUsRqFSB6rG1tbIR1a+4GVp+//5BqD3kM0VXcBGmG3xpyDSDCLIVVEXY5GyYN1vEkdGhjGvmeOX02f1RKB3vh5V5M5RcsEYhGsS36zuGpaNhrGf4h+7HDzTIU9/1Xl1nPdFaQmDFTIiidpmn26+9CW+g2SPIPlPDTjgkYnTmXT+O8PHwjD7K5IOwDZUbbAFA1Lrdc9IlU412XoEdl5mDZkue1zwbLWf+qvNJbFX8sXHehpGS3HbJZGQqyBs/WGnME/zTep7mu3SAbJ/9lw9DubLAWm3eZ/MVjBNuE3yDINYwtRQMJcyCjqvOUaWeWaIkvESwPYK4f4DzXPSa187wG+9AlgF8f2wQOygxX1dsc+xQUYb6mjfKphwvQfA49LiS6QNKSqz15qqR0H8SkeLLJ7txSyPf5o/Vb8ElYF2R/Dsozjt09H5PLZg8Mx42byNjie81RXixtgWQpr4xblQ9zxj5IaMqOBw3U6yvkKqUNQd1pRUx/33LazNTVFgHRwpx+LutF/m3Ilc9LDSXQ2sLYadTLNM4H6sg88B3Ku0bJgNkN8dFdIsCjQkk9Mdt0ps7+1BSph400PLXGB8Ouast6dmU+lpkXpEGr/mWHaX4VEifmt6MFtiG9jSUTjA2VqhJ2qS66jKrnf1CuWF5qWbXjRlBXUK1jLibI8Is03eHlVAWQOFZcrfOpPq3o0OxUDbCLddsIsPCScNdGrBY2q9RllmuBZNg/W6T5m+X2KNwjQyVBQxBU34LaUg9GMhx5G6e5/2Gji8UiH7/fu4jgyKbpw9r0egwJJndmdSHGUdUQ49W56s9vPelsDJb08XuAjWQXFOdA1Kmsw9Dh45XsM/m10+4XbpvyJ7XmTYJAvhQMXLFqtS4GpKG69JRuO4n+L6rSLGlFzxmsEhm3QM9iDYz2US4Un+EjCOwvFtl/eeSBED1CLnNZf4IbflrasiyFM6IFES8MG62FqpfoichpMq3Dt3tPmAgGD89QmkCsMCq8pGj+3BeDc98BauK1JlOc3iObuBFb0NChpfWa1lZmLvdMib+Wp2pqytptC5Ad7o8p4gSVACx6up/YNr6I8YhsqGIHpFV7Jvk6nzQ19vdCSYcUt+o2i12lPTyUqO5WujSq7P41U0w2rtJQ26/ZzkoCHMKUckEWvk2ei4A+bBCG2520B3/6O1EclfvsvlFIIf2mfft+6FFGP8enxtpFqG/1EAjM3sSS6IKARWsy3s4D5H+dtzPSaR/PDr2jejgFGRPxSbuLutKf4Kq55+afwF989Ad3WDqFcnmc5BwJhXFPxqlmhbPFSMnMVSksaW8UAhMCwLnt31FSm9CfeXXjCj8+hrMcPtn4+PDQeiLyf5/nD/vwOnFGKuLEm9JR/FzB5RktFNWqSYEqRzg8LgsYcEHc4zWyBiABM1LbR2nzax5QE3aZASIx1za/lqdqTVimq7MZbrwQrWQinziaucgzSHxKw880yNElAHNJZFw5Z4rZRzj/oK/kMoAhV4H1jnZbSuePHvddP24l9YOvlGpCsWrI3fk7BWzD8DJD3X2bGim8xoEt4g/R1aCZC/UMvPk/1IixbWw1P+li3OayxAQlbUqmb7DPHGvkbTD8evGdp3QwQWtGkbPRmu+iUWIEefvCP02tcFiIPdm82jN+Oc7+krSiRmxMiJMVt8h+1THUxoF3qD
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.4ed0000.6.raw.unpack, Symbols.csBase64 encoded string: 'xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818=', 'kcUEXaQPPIwtVFtC1PL/HXXkxfIZB03eNHvJetoP4hJTCBXd428OqcdPbPWqvhIczQvj71Ac6LZ7OG/e+yr4Bxet9vqIWevSzbdwqqWPf8nK2cPiNSfXdemqzBs1kBKEGQlnxKecRQs0Fim2Dq/kkqqyy4FT/M/7aleIZqMCZ4mq5jKj7zWHx8js/y7INNJykRnbqqkNJse2whyml6+Dho8xXhyKKjEjHHCQ++yYATPvU+ZwZGQ1aiyg3xM2+Mufv6OdiWo+NL8qVblSY+ML74QQ3+qn2cEZW8xaJcMAsMta6fJiSREwzJ1z86EfJ/jsm5waxGaL/ovb6ftrSW+RglFtTXsgBL0RqWZpQItqPDkF2hues0c5OGEtzNWaUVXn+H8FUCAJ+aqWE9AG5vtPYKXmrSZj5IG/6FHSIYC0nWBx5wHsGRTyzUgkPZMLeX0qotsCm9lMlGpxKlh+Z1oic1vbrF8QbV1eNo4t2Pb5oYAk/LIRoTnuPlLXjaubmL1hSqvzPQ/sVXzd5mXTvaOq58aApZHbOXkjfhfbDwVLc3Bjs25RTwPrIWsIAKwX/3kGBu/AxMY0Wb07NTJmloyghXyX9HTSpFE3N+D/N7l3tVWX/n6tnybXZUsRqFSB6rG1tbIR1a+4GVp+//5BqD3kM0VXcBGmG3xpyDSDCLIVVEXY5GyYN1vEkdGhjGvmeOX02f1RKB3vh5V5M5RcsEYhGsS36zuGpaNhrGf4h+7HDzTIU9/1Xl1nPdFaQmDFTIiidpmn26+9CW+g2SPIPlPDTjgkYnTmXT+O8PHwjD7K5IOwDZUbbAFA1Lrdc9IlU412XoEdl5mDZkue1zwbLWf+qvNJbFX8sXHehpGS3HbJZGQqyBs/WGnME/zTep7mu3SAbJ/9lw9DubLAWm3eZ/MVjBNuE3yDINYwtRQMJcyCjqvOUaWeWaIkvESwPYK4f4DzXPSa187wG+9AlgF8f2wQOygxX1dsc+xQUYb6mjfKphwvQfA49LiS6QNKSqz15qqR0H8SkeLLJ7txSyPf5o/Vb8ElYF2R/Dsozjt09H5PLZg8Mx42byNjie81RXixtgWQpr4xblQ9zxj5IaMqOBw3U6yvkKqUNQd1pRUx/33LazNTVFgHRwpx+LutF/m3Ilc9LDSXQ2sLYadTLNM4H6sg88B3Ku0bJgNkN8dFdIsCjQkk9Mdt0ps7+1BSph400PLXGB8Ouast6dmU+lpkXpEGr/mWHaX4VEifmt6MFtiG9jSUTjA2VqhJ2qS66jKrnf1CuWF5qWbXjRlBXUK1jLibI8Is03eHlVAWQOFZcrfOpPq3o0OxUDbCLddsIsPCScNdGrBY2q9RllmuBZNg/W6T5m+X2KNwjQyVBQxBU34LaUg9GMhx5G6e5/2Gji8UiH7/fu4jgyKbpw9r0egwJJndmdSHGUdUQ49W56s9vPelsDJb08XuAjWQXFOdA1Kmsw9Dh45XsM/m10+4XbpvyJ7XmTYJAvhQMXLFqtS4GpKG69JRuO4n+L6rSLGlFzxmsEhm3QM9iDYz2US4Un+EjCOwvFtl/eeSBED1CLnNZf4IbflrasiyFM6IFES8MG62FqpfoichpMq3Dt3tPmAgGD89QmkCsMCq8pGj+3BeDc98BauK1JlOc3iObuBFb0NChpfWa1lZmLvdMib+Wp2pqytptC5Ad7o8p4gSVACx6up/YNr6I8YhsqGIHpFV7Jvk6nzQ19vdCSYcUt+o2i12lPTyUqO5WujSq7P41U0w2rtJQ26/ZzkoCHMKUckEWvk2ei4A+bBCG2520B3/6O1EclfvsvlFIIf2mfft+6FFGP8enxtpFqG/1EAjM3sSS6IKARWsy3s4D5H+dtzPSaR/PDr2jejgFGRPxSbuLutKf4Kq55+afwF989Ad3WDqFcnmc5BwJhXFPxqlmhbPFSMnMVSksaW8UAhMCwLnt31FSm9CfeXXjCj8+hrMcPtn4+PDQeiLyf5/nD/vwOnFGKuLEm9JR/FzB5RktFNWqSYEqRzg8LgsYcEHc4zWyBiABM1LbR2nzax5QE3aZASIx1za/lqdqTVimq7MZbrwQrWQinziaucgzSHxKw880yNElAHNJZFw5Z4rZRzj/oK/kMoAhV4H1jnZbSuePHvddP24l9YOvlGpCsWrI3fk7BWzD8DJD3X2bGim8xoEt4g/R1aCZC/UMvPk/1IixbWw1P+li3OayxAQlbUqmb7DPHGvkbTD8evGdp3QwQWtGkbPRmu+iUWIEefvCP02tcFiIPdm82jN+Oc7+krSiRmxMiJMVt8h+1THUxoF3qD
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/11@1/2
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.logJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1036:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oqg0abk2.hdp.ps1Jump to behavior
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: RegAsm.exe, 00000004.00000002.4565068932.0000000002E33000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4565068932.0000000002E45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeVirustotal: Detection: 39%
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeReversingLabs: Detection: 55%
                    Source: unknownProcess created: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe "C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe"
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ESET.exe'
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ESET.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2092188391.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2095895448.0000000004D80000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2116368930.0000000007FE3000.00000004.00000020.00020000.00000000.sdmp
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeStatic PE information: 0xC933C395 [Sat Dec 19 14:13:41 2076 UTC]
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exeStatic PE information: section name: .text entropy: 7.9600625120861235

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe PID: 5512, type: MEMORYSTR
                    Check if machine is in data center or colocation facility
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4552565529.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeMemory allocated: AE0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeMemory allocated: 26F0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeMemory allocated: 2520000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 1270000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2D40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2B70000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1800000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799858Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799750Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799640Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799400Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799296Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799187Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799078Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798968Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798859Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798748Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798640Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798421Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798312Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798203Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798093Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797214Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796781Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796672Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796342Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796015Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795670Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795451Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795343Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795015Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1794906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1794797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1794687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1794578Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6100Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3458Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 2371Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 7487Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe TID: 6628Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7124Thread sleep count: 6100 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7124Thread sleep count: 3458 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2220Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep count: 31 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -28592453314249787s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1800000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4024Thread sleep count: 2371 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1799858s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4024Thread sleep count: 7487 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1799750s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1799640s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1799531s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1799400s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1799296s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1799187s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1799078s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1798968s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1798859s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1798748s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1798640s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1798531s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1798421s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1798312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1798203s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1798093s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1797984s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1797875s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1797765s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1797656s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1797547s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1797437s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1797328s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1797214s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1797109s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1797000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1796890s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1796781s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1796672s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1796562s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1796453s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1796342s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1796234s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1796125s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1796015s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1795906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1795797s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1795670s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1795562s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1795451s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1795343s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1795234s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1795125s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1795015s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1794906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1794797s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1794687s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4492Thread sleep time: -1794578s >= -30000sJump to behavior
                    Source: C:\Windows\System32\svchost.exe TID: 1948Thread sleep time: -30000s >= -30000sJump to behavior
                    Source: C:\Windows\System32\svchost.exe TID: 6528Thread sleep time: -30000s >= -30000sJump to behavior
                    Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1800000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799858Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799750Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799640Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799400Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799296Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799187Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1799078Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798968Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798859Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798748Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798640Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798421Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798312Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798203Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1798093Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797214Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1797000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796781Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796672Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796342Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1796015Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795670Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795451Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795343Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1795015Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1794906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1794797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1794687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 1794578Jump to behavior
                    Source: powershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
                    Source: RegAsm.exe, 00000004.00000002.4552565529.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: powershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
                    Source: svchost.exe, 00000005.00000002.3700521202.000002F411853000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3699954800.000002F40C22B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: RegAsm.exe, 00000004.00000002.4552565529.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: VMwareVBox
                    Source: powershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
                    Source: RegAsm.exe, 00000004.00000002.4567603171.0000000005FD6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    barindex
                    Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_012770A8 CheckRemoteDebuggerPresent,4_2_012770A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    .NET source code references suspicious native API functions
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.27f3ea8.0.raw.unpack, QJDLGErGwGLnDsDTGnUfx.csReference to suspicious API methods: MyGetProcAddress(hProcess, Name)
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.27f3ea8.0.raw.unpack, QJDLGErGwGLnDsDTGnUfx.csReference to suspicious API methods: LoadLibraryA(ref name)
                    Source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, 4TXg3ru.csReference to suspicious API methods: E2N9NsaOZX.OpenProcess(fooW.DuplicateHandle, bInheritHandle: true, (uint)zUby8qg47F2.ProcessID)
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ESET.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\desktop\quotation_aprqtra031244#u00b7pdf.scr.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\eset.exe'
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\desktop\quotation_aprqtra031244#u00b7pdf.scr.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\eset.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeQueries volume information: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.379a1b0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3749b80.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000004.00000002.4552565529.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe PID: 5512, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5016, type: MEMORYSTR
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.379a1b0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3749b80.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000004.00000002.4565068932.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.4552565529.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe PID: 5512, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5016, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3861450.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.379a1b0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.3749b80.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000004.00000002.4552565529.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: QUOTATION_APRQTRA031244#U00b7PDF.scr.exe PID: 5512, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5016, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		1
                    Disable or Modify Tools                    		1
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Native API                    		Boot or Logon Initialization Scripts11
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		21
                    Input Capture                    		34
                    System Information Discovery                    		Remote Desktop Protocol1
                    Data from Local System                    		1
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts1
                    Command and Scripting Interpreter                    		Logon Script (Windows)Logon Script (Windows)11
                    Obfuscated Files or Information                    		Security Account Manager431
                    Security Software Discovery                    		SMB/Windows Admin Shares1
                    Email Collection                    		2
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
                    Software Packing                    		NTDS1
                    Process Discovery                    		Distributed Component Object Model21
                    Input Capture                    		2
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Timestomp                    		LSA Secrets161
                    Virtualization/Sandbox Evasion                    		SSH1
                    Clipboard Data                    		Fallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    DLL Side-Loading                    		Cached Domain Credentials1
                    Application Window Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
                    Masquerading                    		DCSync1
                    System Network Configuration Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job161
                    Virtualization/Sandbox Evasion                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                    Process Injection                    		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    QUOTATION_APRQTRA031244#U00b7PDF.scr.exe39%VirustotalBrowse
                    QUOTATION_APRQTRA031244#U00b7PDF.scr.exe55%ReversingLabsWin32.Spyware.Negasteal
                    QUOTATION_APRQTRA031244#U00b7PDF.scr.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://pesterbdd.com/images/Pester.png100%URL Reputationmalware
                    https://contoso.com/License0%URL Reputationsafe
                    https://contoso.com/Icon0%URL Reputationsafe
                    http://go.micros0%URL Reputationsafe
                    https://contoso.com/0%URL Reputationsafe
                    https://vksdr.com/goesrecv-monitor0%VirustotalBrowse
                    http://www.microsoft.co1%VirustotalBrowse

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    ip-api.com
                    		208.95.112.1
                    		truefalse
                      		high

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://ip-api.com/line/?fields=hostingfalse
                        		high

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2111908849.00000000056F4000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://account.dyn.com/QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4552565529.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                              		high
                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmptrue
                              • URL Reputation: malware
                              		unknown
                              http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.microsoft.copowershell.exe, 00000002.00000002.2116368930.0000000007FE3000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                  https://contoso.com/Licensepowershell.exe, 00000002.00000002.2111908849.00000000056F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://contoso.com/Iconpowershell.exe, 00000002.00000002.2111908849.00000000056F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 00000005.00000003.2091605345.000002F411600000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.drfalse
                                    		high
                                    http://crl.ver)svchost.exe, 00000005.00000002.3700573728.000002F41188B000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		low
                                      https://github.com/sam210723/goesrecv-monitor/releases/latestQUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2096084725.0000000004ED0000.00000004.08000000.00040000.00000000.sdmpfalse
                                        		high
                                        http://go.microspowershell.exe, 00000002.00000002.2108579806.0000000004C91000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://go.microsoft.UEV.psd1idpowershell.exe, 00000002.00000002.2113733209.0000000006FC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://g.live.com/odclientsettings/Prod1C:edb.log.5.drfalse
                                              		high
                                              https://aka.ms/pscore6lBpowershell.exe, 00000002.00000002.2108579806.0000000004691000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://vksdr.com/goesrecv-monitorQUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_APRQTRA031244#U00b7PDF.scr.exe, 00000000.00000002.2096084725.0000000004ED0000.00000004.08000000.00040000.00000000.sdmpfalseunknown
                                                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.2108579806.00000000047E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://contoso.com/powershell.exe, 00000002.00000002.2111908849.00000000056F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2111908849.00000000056F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://ip-api.comRegAsm.exe, 00000004.00000002.4565068932.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4565068932.0000000002E02000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4565068932.0000000002D41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://go.microsoft.Upowershell.exe, 00000002.00000002.2113733209.0000000006FC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2108579806.0000000004691000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4565068932.0000000002E02000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4565068932.0000000002D41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high

                                                          World Map of Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public IPs

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          208.95.112.1
                                                          		ip-api.comUnited States
                                                          		53334TUT-ASUSfalse

                                                          Private

                                                          IP
                                                          127.0.0.1

                                                          General Information

                                                          Joe Sandbox version:40.0.0 Tourmaline
                                                          Analysis ID:1429042
                                                          Start date and time:2024-04-20 10:22:08 +02:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 8m 55s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                          Number of analysed new started processes analysed:10
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
                                                          renamed because original name is a hash value
                                                          Original Sample Name:QUOTATION_APRQTRA031244PDF.scr.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winEXE@7/11@1/2
                                                          EGA Information:
                                                          • Successful, ratio: 66.7%
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 22
                                                          • Number of non-executed functions: 4
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                          Warnings

                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                          • Excluded IPs from analysis (whitelisted): 23.55.253.34
                                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                          • Execution Graph export aborted for target powershell.exe, PID 1352 because it is empty
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          10:22:57API Interceptor21x Sleep call for process: powershell.exe modified
                                                          10:22:58API Interceptor3x Sleep call for process: svchost.exe modified
                                                          10:22:59API Interceptor11647908x Sleep call for process: RegAsm.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          208.95.112.1SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeGet hashmaliciousAgentTeslaBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsxGet hashmaliciousAgentTeslaBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          T1SEuO2fxi.exeGet hashmaliciousXehook StealerBrowse
                                                          • ip-api.com/json/?fields=11827
                                                          xnNcI6OenKJs.exeGet hashmaliciousQuasarBrowse
                                                          • ip-api.com/json/
                                                          T1SEuO2fxi.exeGet hashmaliciousXehook StealerBrowse
                                                          • ip-api.com/json/?fields=11827
                                                          rMayNewPurchase.exeGet hashmaliciousAgentTeslaBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          rRECEIPTTRANSFE.exeGet hashmaliciousAgentTeslaBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          charesworh.exeGet hashmaliciousAgentTeslaBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          FAR.N_2430-240009934.exeGet hashmaliciousAgentTeslaBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          FAR.N#U00b02430-24000993.exeGet hashmaliciousAgentTeslaBrowse
                                                          • ip-api.com/line/?fields=hosting

                                                          Domains

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          ip-api.comSecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsxGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          T1SEuO2fxi.exeGet hashmaliciousXehook StealerBrowse
                                                          • 208.95.112.1
                                                          xnNcI6OenKJs.exeGet hashmaliciousQuasarBrowse
                                                          • 208.95.112.1
                                                          T1SEuO2fxi.exeGet hashmaliciousXehook StealerBrowse
                                                          • 208.95.112.1
                                                          rMayNewPurchase.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          rRECEIPTTRANSFE.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          charesworh.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          FAR.N_2430-240009934.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          FAR.N#U00b02430-24000993.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1

                                                          ASNs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          TUT-ASUSSecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsxGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          T1SEuO2fxi.exeGet hashmaliciousXehook StealerBrowse
                                                          • 208.95.112.1
                                                          xnNcI6OenKJs.exeGet hashmaliciousQuasarBrowse
                                                          • 208.95.112.1
                                                          T1SEuO2fxi.exeGet hashmaliciousXehook StealerBrowse
                                                          • 208.95.112.1
                                                          rMayNewPurchase.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          rRECEIPTTRANSFE.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          charesworh.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          FAR.N_2430-240009934.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          FAR.N#U00b02430-24000993.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\ProgramData\Microsoft\Network\Downloader\edb.chk

                                                          Download File
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8192
                                                          Entropy (8bit):0.35901589905449205
                                                          Encrypted:false
                                                          SSDEEP:6:6xKdoaaD0JOCEfMuaaD0JOCEfMKQmDCexKdoaaD0JOCEfMuaaD0JOCEfMKQmDC:6aaD0JcaaD0JwQQHaaD0JcaaD0JwQQ
                                                          MD5:C788EDB928436D0CE10A5BF198837D8A
                                                          SHA1:F104B6AB797E0B16362BFB69F5000407CE6EFFD8
                                                          SHA-256:E309925E38D727B91C5B0AD9FC86A778ECD0EBE80261F55E870AD6685B0CC0BD
                                                          SHA-512:61F750C97F2E1EAF623486147F55B4BF39C34DF28DD124FA378973965A2AE0AAA967D71C88BE0D02E1B2D2B22E20199B9E817BE793A10C0CC9D12FE703E18CF2
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          Preview:*.>...........k.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................k.............................................................................................................................................................................................................................................................................................................................................................

                                                          C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                          Download File
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1310720
                                                          Entropy (8bit):0.7304384765524662
                                                          Encrypted:false
                                                          SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH04:9JZj5MiKNnNhoxuV
                                                          MD5:1CDC1F6B34782B763A9E4BC4EFDAFAE3
                                                          SHA1:FAC8D5F63F6C23EF815B60D64419E6B70ACB82FE
                                                          SHA-256:2F0AA3BDEE836110A94011DF4FBF05431726428883EF13510BA00A3059B2DA62
                                                          SHA-512:22517C57A20A88B9E7889229E840E29717E7679833E271486174C8985ED0D81E4BA4C0B04E01CF6F8AB6E23F42DF6A54A43E2AAE15891E33415365791229CFA6
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                          Download File
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:Extensible storage user DataBase, version 0x620, checksum 0x5f3c1cc4, page size 16384, Windows version 10.0
                                                          Category:dropped
                                                          Size (bytes):1310720
                                                          Entropy (8bit):0.6291251018052872
                                                          Encrypted:false
                                                          SSDEEP:1536:vSB2ESB2SSjlK/HZH03N9Jdt8gYkr3g16l2UPkLk+kDWyrufTRryrUOLUzCJ:vaza9iJa+2UtmOQOL
                                                          MD5:DDDE95BE90A12AD14DB8441C18744DDF
                                                          SHA1:F93524B09569235A766AB857FFE7AB5EF340B9FA
                                                          SHA-256:8EDDF1D04EE89E23D2B3863FA281114D944CCC01E6F95B2D0BDE31230966F163
                                                          SHA-512:6FED373637D2054414B4399212853A2B83A9A33462F33BEEC650E976FAC05A5BFD3283F92B3217DD22DB8D4DE5896A146D1D1469D780943F6CD3C1FBD36E61F9
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:_<..... .......P.......X\...;...{......................0.j..........|{.:....|..h.g..........|{.0.j.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{.................................../;......|{...................M......|{..........................#......0.j.....................................................................................................................................................................................................................................................................................................................................................

                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                          Download File
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):16384
                                                          Entropy (8bit):0.07889783998591283
                                                          Encrypted:false
                                                          SSDEEP:3:NzYetYeoE/tZCl/vnM/9IYNtEl/8tul/AllHol///lZMPCyH:hBzny/Gly/8E/Apo5
                                                          MD5:4839E388D25B4017E55913BA3316530B
                                                          SHA1:21A0BEAD1B412132859D8843BDE14B7D42A4E6D8
                                                          SHA-256:5FF486D324F01AA7D17B4498998E289215A475656038BB169E53C2C54B62D789
                                                          SHA-512:35CE38E133A68E6DBF5C762946297E4FE5EF6EDFCECBBCADE58E504F5E0E8B4A1171A1B4D7F23512BA3993E450CC700CDBD5B2A18D42C8184D6CCA154FC7733B
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:.........................................;...{..:....|.......|{..............|{......|{.L.{......|{...................M......|{.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe.log

                                                          Download File
                                                          Process:C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.34331486778365
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):1.1510207563435464
                                                          Encrypted:false
                                                          SSDEEP:3:NlllulPki/llllZ:NllUcylll
                                                          MD5:D8D47FD6FA3E199E4AFF68B91F1D04A8
                                                          SHA1:788625E414B030E5174C5BE7262A4C93502C2C21
                                                          SHA-256:2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
                                                          SHA-512:5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          Preview:@...e.................................^..............@..........

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4czr4rc3.sms.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cgdkc3bu.gyo.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oqg0abk2.hdp.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wvhppwqi.1nz.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                          Download File
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:JSON data
                                                          Category:dropped
                                                          Size (bytes):55
                                                          Entropy (8bit):4.306461250274409
                                                          Encrypted:false
                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                          Malicious:false
                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):5.913478548840471
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          • DOS Executable Generic (2002/1) 0.01%
                                                          File name:QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
                                                          File size:728'064 bytes
                                                          MD5:966753d0afd440eb5b3c9c09e3d483a6
                                                          SHA1:984920dec777434f7f1c658061a1073c9779a067
                                                          SHA256:201be09070f9988aa12569e48e32632e2f3f8bdb6d738d3bd62e9045d38bb68e
                                                          SHA512:ff02a498ff85670ccf37e35aa964040bda308a9d6db147e141a8a9e9a5858aae327fa78fcea5f6dccd61fd833d0d5b8c29f1c862a9c9c6e3f69e311e8a5446f2
                                                          SSDEEP:12288:aNTvmn4F8XNERDiIPHoIoKz5TxDPCHA+7aM:kOcMNERDoITjWaM
                                                          TLSH:29F47D463785DF22C22F02B5C5A382F8536BEE00EC4797C7F185FE6A39B229B5952543
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3...............0..j............... ........@.. ....................................@................................

                                                          File Icon

                                                          Icon Hash:2d525272484c550b

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x4588de
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0xC933C395 [Sat Dec 19 14:13:41 2076 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Entrypoint Preview

                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al

                                                          Data Directories

                                                          NameVirtual AddressVirtual Size Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x588840x57.text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x5a0000x5ac7a.rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xb60000xc.reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                          Sections

                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                          .text0x20000x568e40x56a00a6bcaf7b0fb939f0bd477a1c26549e63False0.9083694083694084data7.9600625120861235IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rsrc0x5a0000x5ac7a0x5ae003545a72cb7033e20b7dd2bfe98800726False0.03448729797111417data2.3994106457887874IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc0xb60000xc0x200497fa2e8416b1e8c83a0f66cefe8d96dFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                          RT_ICON0x5a2200x42028Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 11811 x 11811 px/m0.022916235168801966
                                                          RT_ICON0x9c2480x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 11811 x 11811 px/m0.04400804448124926
                                                          RT_ICON0xaca700x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 11811 x 11811 px/m0.07853094000944733
                                                          RT_ICON0xb0c980x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m0.10020746887966805
                                                          RT_ICON0xb32400x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m0.14329268292682926
                                                          RT_ICON0xb42e80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m0.20035460992907803
                                                          RT_GROUP_ICON0xb47500x5adata0.7222222222222222
                                                          RT_VERSION0xb47ac0x2e4data0.4391891891891892
                                                          RT_MANIFEST0xb4a900x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                          Imports

                                                          DLLImport
                                                          mscoree.dll_CorExeMain

                                                          Network Behavior

                                                          Network Port Distribution

                                                          TCP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Apr 20, 2024 10:22:59.869514942 CEST4970180192.168.2.6208.95.112.1
                                                          Apr 20, 2024 10:22:59.985450029 CEST8049701208.95.112.1192.168.2.6
                                                          Apr 20, 2024 10:22:59.985537052 CEST4970180192.168.2.6208.95.112.1
                                                          Apr 20, 2024 10:22:59.986644983 CEST4970180192.168.2.6208.95.112.1
                                                          Apr 20, 2024 10:23:00.164879084 CEST8049701208.95.112.1192.168.2.6
                                                          Apr 20, 2024 10:23:00.211282969 CEST4970180192.168.2.6208.95.112.1
                                                          Apr 20, 2024 10:24:19.625794888 CEST8049701208.95.112.1192.168.2.6
                                                          Apr 20, 2024 10:24:19.625884056 CEST4970180192.168.2.6208.95.112.1
                                                          Apr 20, 2024 10:24:40.181667089 CEST4970180192.168.2.6208.95.112.1
                                                          Apr 20, 2024 10:24:40.297799110 CEST8049701208.95.112.1192.168.2.6

                                                          UDP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Apr 20, 2024 10:22:59.760421991 CEST6121453192.168.2.61.1.1.1
                                                          Apr 20, 2024 10:22:59.865302086 CEST53612141.1.1.1192.168.2.6

                                                          DNS Queries

                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                          Apr 20, 2024 10:22:59.760421991 CEST192.168.2.61.1.1.10xc29Standard query (0)ip-api.comA (IP address)IN (0x0001)false

                                                          DNS Answers

                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                          Apr 20, 2024 10:22:59.865302086 CEST1.1.1.1192.168.2.60xc29No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false

                                                          HTTP Request Dependency Graph

                                                          • ip-api.com

                                                          HTTP Packets

                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          0192.168.2.649701208.95.112.1805016C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          TimestampBytes transferredDirectionData
                                                          Apr 20, 2024 10:22:59.986644983 CEST80OUTGET /line/?fields=hosting HTTP/1.1
                                                          Host: ip-api.com
                                                          Connection: Keep-Alive
                                                          Apr 20, 2024 10:23:00.164879084 CEST174INHTTP/1.1 200 OK
                                                          Date: Sat, 20 Apr 2024 08:22:59 GMT
                                                          Content-Type: text/plain; charset=utf-8
                                                          Content-Length: 5
                                                          Access-Control-Allow-Origin: *
                                                          X-Ttl: 60
                                                          X-Rl: 44
                                                          Data Raw: 74 72 75 65 0a
                                                          Data Ascii: true


                                                          Statistics

                                                          CPU Usage

                                                          Click to jump to process

                                                          Memory Usage

                                                          Click to jump to process

                                                          High Level Behavior Distribution

                                                          Click to dive into process behavior distribution

                                                          Behavior

                                                          Click to jump to process

                                                          System Behavior

                                                          General

                                                          Target ID:0
                                                          Start time:10:22:56
                                                          Start date:20/04/2024
                                                          Path:C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe"
                                                          Imagebase:0x1b0000
                                                          File size:728'064 bytes
                                                          MD5 hash:966753D0AFD440EB5B3C9C09E3D483A6
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2092403519.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          General

                                                          Target ID:2
                                                          Start time:10:22:56
                                                          Start date:20/04/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\QUOTATION_APRQTRA031244#U00b7PDF.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ESET.exe'
                                                          Imagebase:0xd00000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:3
                                                          Start time:10:22:56
                                                          Start date:20/04/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:4
                                                          Start time:10:22:57
                                                          Start date:20/04/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                          Imagebase:0xa00000
                                                          File size:65'440 bytes
                                                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4565068932.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4552565529.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4552565529.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:false

                                                          General

                                                          Target ID:5
                                                          Start time:10:22:57
                                                          Start date:20/04/2024
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                          Imagebase:0x7ff7403e0000
                                                          File size:55'320 bytes
                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Disassembly

                                                          Reset < >

                                                            Execution Graph

                                                            Execution Coverage:8.5%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:28
                                                            Total number of Limit Nodes:3
                                                            execution_graph 15310 24ec7c0 15311 24ec806 15310->15311 15315 24ecd98 15311->15315 15318 24ecda8 15311->15318 15312 24ec8f3 15321 24ec9fc 15315->15321 15319 24ecdd6 15318->15319 15320 24ec9fc DuplicateHandle 15318->15320 15319->15312 15320->15319 15322 24ece10 DuplicateHandle 15321->15322 15323 24ecdd6 15322->15323 15323->15312 15324 24ea430 15325 24ea43f 15324->15325 15327 24ea528 15324->15327 15328 24ea539 15327->15328 15329 24ea55c 15327->15329 15328->15329 15335 24ea7b3 15328->15335 15339 24ea7c0 15328->15339 15329->15325 15330 24ea554 15330->15329 15331 24ea760 GetModuleHandleW 15330->15331 15332 24ea78d 15331->15332 15332->15325 15336 24ea7d4 15335->15336 15338 24ea7f9 15336->15338 15343 24e98b0 15336->15343 15338->15330 15340 24ea7d4 15339->15340 15341 24ea7f9 15340->15341 15342 24e98b0 LoadLibraryExW 15340->15342 15341->15330 15342->15341 15344 24ea9a0 LoadLibraryExW 15343->15344 15346 24eaa19 15344->15346 15346->15338

                                                            Executed Functions

                                                            Function 024EA528 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 195COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 024EA77E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2091944678.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_24e0000_QUOTATION_APRQTRA031244#U00b7PDF.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID: sJvo
                                                            • API String ID: 4139908857-2175498945
                                                            • Opcode ID: 2c76332eeedf93c6426dda92c807663d4f91420f10ca9b4053261dceac339fa1
                                                            • Instruction ID: e70773fdd96dfa2b88ef0dd9f2d2b9f70b081e6a2f6891ad64fc8095d3958a00
                                                            • Opcode Fuzzy Hash: 2c76332eeedf93c6426dda92c807663d4f91420f10ca9b4053261dceac339fa1
                                                            • Instruction Fuzzy Hash: BF710270A00B158FEB24DF2AC55575ABBF1FF88705F008A2ED48A97B50DB74E849CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 024EC9FC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 57 24ec9fc-24ecea4 DuplicateHandle 59 24ecead-24ececa 57->59 60 24ecea6-24eceac 57->60 60->59
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,024ECDD6,?,?,?,?,?), ref: 024ECE97
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2091944678.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_24e0000_QUOTATION_APRQTRA031244#U00b7PDF.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID: sJvo
                                                            • API String ID: 3793708945-2175498945
                                                            • Opcode ID: 9219941970d4a7e55e89c57ebd22e9343adc30d223f074e5353ddd28131bb1bc
                                                            • Instruction ID: f1d6552727ac01b6149e0b7f135ea95c2b0c815d312bd657ee07cd791bfed6ae
                                                            • Opcode Fuzzy Hash: 9219941970d4a7e55e89c57ebd22e9343adc30d223f074e5353ddd28131bb1bc
                                                            • Instruction Fuzzy Hash: 0321E4B5900249EFDB10CF9AD984BEEBBF5FB48320F14845AE919A3310D374A950CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 024ECE09 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 63 24ece09-24ecea4 DuplicateHandle 64 24ecead-24ececa 63->64 65 24ecea6-24eceac 63->65 65->64
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,024ECDD6,?,?,?,?,?), ref: 024ECE97
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2091944678.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_24e0000_QUOTATION_APRQTRA031244#U00b7PDF.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID: sJvo
                                                            • API String ID: 3793708945-2175498945
                                                            • Opcode ID: 48b6707f6a601bea6a72a8a0b0c26b2558cdde0afe2c687131a8183a36297bfb
                                                            • Instruction ID: 11487c03f8f376139a24e66e6395fb4aa6beddfdf8bec05f582d4dbcb238f3c2
                                                            • Opcode Fuzzy Hash: 48b6707f6a601bea6a72a8a0b0c26b2558cdde0afe2c687131a8183a36297bfb
                                                            • Instruction Fuzzy Hash: 2321F4B59002499FDB10CFAAD584ADEBFF4FB48314F14845AE958A3210D374A951CF64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 024E98B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 68 24e98b0-24ea9e0 70 24ea9e8-24eaa17 LoadLibraryExW 68->70 71 24ea9e2-24ea9e5 68->71 72 24eaa19-24eaa1f 70->72 73 24eaa20-24eaa3d 70->73 71->70 72->73
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,024EA7F9,00000800,00000000,00000000), ref: 024EAA0A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2091944678.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_24e0000_QUOTATION_APRQTRA031244#U00b7PDF.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID: sJvo
                                                            • API String ID: 1029625771-2175498945
                                                            • Opcode ID: 5e69803cd2c685e55c19a39e4690f66267d34436cf4c711c986c4b7154d994da
                                                            • Instruction ID: 324f6a6c825aa38800ace7c8bf45a66ee42460843ebffb0e3c6f440533eb41cd
                                                            • Opcode Fuzzy Hash: 5e69803cd2c685e55c19a39e4690f66267d34436cf4c711c986c4b7154d994da
                                                            • Instruction Fuzzy Hash: 821103B69003099FDB10CF9AC544BDEFBF4EB88314F11842AE519A7200C3B5A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 024EA998 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54libraryCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 76 24ea998-24ea9e0 77 24ea9e8-24eaa17 LoadLibraryExW 76->77 78 24ea9e2-24ea9e5 76->78 79 24eaa19-24eaa1f 77->79 80 24eaa20-24eaa3d 77->80 78->77 79->80
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,024EA7F9,00000800,00000000,00000000), ref: 024EAA0A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2091944678.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_24e0000_QUOTATION_APRQTRA031244#U00b7PDF.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID: sJvo
                                                            • API String ID: 1029625771-2175498945
                                                            • Opcode ID: 5214b8117a546e2ef412adba2319818c448901adee67c31c8f2bd0390b04b1b9
                                                            • Instruction ID: 3190b02b91d16c96f78c0a281c81728426fae63c40c4cceb0ce6dc0402a8c316
                                                            • Opcode Fuzzy Hash: 5214b8117a546e2ef412adba2319818c448901adee67c31c8f2bd0390b04b1b9
                                                            • Instruction Fuzzy Hash: 831112B6D003498FDB10CFAAC544BDEFBF4AB88324F14841ED859A7610C378A545CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 024EA718 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 83 24ea718-24ea758 84 24ea75a-24ea75d 83->84 85 24ea760-24ea78b GetModuleHandleW 83->85 84->85 86 24ea78d-24ea793 85->86 87 24ea794-24ea7a8 85->87 86->87
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 024EA77E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2091944678.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_24e0000_QUOTATION_APRQTRA031244#U00b7PDF.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID: sJvo
                                                            • API String ID: 4139908857-2175498945
                                                            • Opcode ID: e1b200c4fb94da99e5e4781e6d94fa50550328b2e410118ab557b8977d31b6e9
                                                            • Instruction ID: fe08819317d3eddb7484e814d48d7998a09187be507c573595d52d02ddfeb609
                                                            • Opcode Fuzzy Hash: e1b200c4fb94da99e5e4781e6d94fa50550328b2e410118ab557b8977d31b6e9
                                                            • Instruction Fuzzy Hash: 80110FB6C007598FDB10CF9AC544B9EFBF4AB88224F11841AD819A7210C3B9A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0084D3B4 Relevance: .1, Instructions: 75COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2090846189.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_84d000_QUOTATION_APRQTRA031244#U00b7PDF.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e2f62f2aa95e70a20be9ff308c6ecb674f307482eaa1db657fda752369bd250d
                                                            • Instruction ID: e8be1e6099588372e83fd57bf6e9a29d504570baefc56f370c0d35151af364f5
                                                            • Opcode Fuzzy Hash: e2f62f2aa95e70a20be9ff308c6ecb674f307482eaa1db657fda752369bd250d
                                                            • Instruction Fuzzy Hash: 2C212872504348DFDB05DF14D9C0B26BF65FB94314F20C569E9098B256C336E856CAA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0085D01C Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2090904216.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_85d000_QUOTATION_APRQTRA031244#U00b7PDF.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: df66a6e5999a72d51fa57b513bca284427009508a42305ee23029da21ac7a321
                                                            • Instruction ID: e24af5d637b724be9f1fb88d98d68f5b60ccc902aba80deaa83dada68b204d4a
                                                            • Opcode Fuzzy Hash: df66a6e5999a72d51fa57b513bca284427009508a42305ee23029da21ac7a321
                                                            • Instruction Fuzzy Hash: 09212275604704EFDB24DF14D9C0B26BB61FB84319F20C56DDD0A8B292C37AD80BCA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0085D005 Relevance: .1, Instructions: 60COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2090904216.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_85d000_QUOTATION_APRQTRA031244#U00b7PDF.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d774dac9732a3809698d4a13b5cac562bd93677afbaa5fa0db69fa1732533d18
                                                            • Instruction ID: e9366d46697ae4e1d489ce18b7c47281e464709423115bef0a0431307ad05071
                                                            • Opcode Fuzzy Hash: d774dac9732a3809698d4a13b5cac562bd93677afbaa5fa0db69fa1732533d18
                                                            • Instruction Fuzzy Hash: F0218E755097808FDB12CF20D990B15BF71FB46314F28C5EADC498B6A7C33A980ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0084D3AF Relevance: .1, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2090846189.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_84d000_QUOTATION_APRQTRA031244#U00b7PDF.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                            • Instruction ID: c2692c97d817f85fb045a75ca5a5ef3baeaf692468cdb8f196e1130f8f872349
                                                            • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                            • Instruction Fuzzy Hash: EC11E6B6504384CFCB15CF10D5C4B16BF71FB94314F24C5A9D8494B656C33AE856CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Function 024EF5B8 Relevance: .3, Instructions: 315COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2091944678.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_24e0000_QUOTATION_APRQTRA031244#U00b7PDF.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cdd324c2d5e36dee8a26eeb4ee94cfce33faddcee4af2b2db4b2b516a72e2a79
                                                            • Instruction ID: 9db1a075889e3363f6cd56078a775963259d78aace7e24a7b60956054f8c8e2e
                                                            • Opcode Fuzzy Hash: cdd324c2d5e36dee8a26eeb4ee94cfce33faddcee4af2b2db4b2b516a72e2a79
                                                            • Instruction Fuzzy Hash: 481295B2C917458AE710CF25EDCC1893BA1B741318BD04A1AD2611B2E9EBB4166EEF4C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 024ECD3C Relevance: .3, Instructions: 264COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2091944678.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_24e0000_QUOTATION_APRQTRA031244#U00b7PDF.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c4753e84bce91c7ce0d10091f246081fcf099b10c56e3ad7f3111da4cabece86
                                                            • Instruction ID: a203b8c9857365411fbd0ed893806b375d0eeb88960efb21f641891f1f8c4f2a
                                                            • Opcode Fuzzy Hash: c4753e84bce91c7ce0d10091f246081fcf099b10c56e3ad7f3111da4cabece86
                                                            • Instruction Fuzzy Hash: 55A18C32F002098FDF15DFA5C8809AEB7B2FF85315B15856AE806AB365DB31E916CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 024EF5A8 Relevance: .2, Instructions: 223COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2091944678.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_24e0000_QUOTATION_APRQTRA031244#U00b7PDF.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cac40ae723a7448044db0e4e3f76469d21d91ad9cad7aa210d10ec9cb6b02356
                                                            • Instruction ID: 93eaaa86c794aa85351bbea1a8535dd42938c33c0e8d92e4bf16d077e3c94cca
                                                            • Opcode Fuzzy Hash: cac40ae723a7448044db0e4e3f76469d21d91ad9cad7aa210d10ec9cb6b02356
                                                            • Instruction Fuzzy Hash: A2C129B2C917458BD710CF25EC8C1893BB1BB85314FD14B0AD2612B2D8EBB4166EEF48
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 024E2448 Relevance: .2, Instructions: 157COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2091944678.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_24e0000_QUOTATION_APRQTRA031244#U00b7PDF.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bc78c1e0462ae5dcbdf50dcfe97b84927cfa341218303ac41c5d105ed8ea36d2
                                                            • Instruction ID: b665fbdd8738fae3c3510a417d07b87931c868821252b3fcf414000462b76ac8
                                                            • Opcode Fuzzy Hash: bc78c1e0462ae5dcbdf50dcfe97b84927cfa341218303ac41c5d105ed8ea36d2
                                                            • Instruction Fuzzy Hash: 5C415D414456558FFF26C6758C752C22F789F9B16EB0092C7DC6A896E2F9C804CBC793
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Executed Functions

                                                            Function 07361C10 Relevance: .6, Instructions: 604COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2114660388.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7360000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5c4ea4f6879320c9dc8e098b01be68ae7bb186cf8040e7f52365dfed5c8a8c29
                                                            • Instruction ID: 85b422bf729190f0d0c28ae15fb9ea788ebdc2260c4bc0a72a6a8273b4af2852
                                                            • Opcode Fuzzy Hash: 5c4ea4f6879320c9dc8e098b01be68ae7bb186cf8040e7f52365dfed5c8a8c29
                                                            • Instruction Fuzzy Hash: 241259B2B0435ACFE7119B7888157ABBBB6AFC2210F14C06BD549CF656DB31C941C7A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00CD29F0 Relevance: .2, Instructions: 207COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2108268061.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_cd0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ce8ee2b1404a98e9884eef29828b1f538cd52101a72f8e541a8eecb7d46edbf2
                                                            • Instruction ID: 92e7e6176ae46fba32d86222067e0018024d4d13ae23effc68d76ee66a1e7733
                                                            • Opcode Fuzzy Hash: ce8ee2b1404a98e9884eef29828b1f538cd52101a72f8e541a8eecb7d46edbf2
                                                            • Instruction Fuzzy Hash: F6918D74A00645CFCB15CF59C4949AEFBB1FF88310B2486AADA15AB365C735FC52CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07361BF0 Relevance: .1, Instructions: 130COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2114660388.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7360000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 18d3a33795d5c458a55b5836519183c44e7dc57a961d0d77843204fbe3523184
                                                            • Instruction ID: e38503f1d3c132b324c4f72b47b5676bb5479e2f7f661e2e9a5b19203debd674
                                                            • Opcode Fuzzy Hash: 18d3a33795d5c458a55b5836519183c44e7dc57a961d0d77843204fbe3523184
                                                            • Instruction Fuzzy Hash: 3B4129F2A00306CFEB21CF25C519AB9BBB2AF85350F15C0A6D549DF659D731D840C7A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00CD2B00 Relevance: .1, Instructions: 110COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2108268061.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_cd0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 177a1a0c6a2f1a141848ee8adb43d8446af1347a0306fee21823b3280992df70
                                                            • Instruction ID: eca7ac7ad75f89ee6fc93dbc9f57864bf22530dc9eadbb44f8d2dbc18bb29829
                                                            • Opcode Fuzzy Hash: 177a1a0c6a2f1a141848ee8adb43d8446af1347a0306fee21823b3280992df70
                                                            • Instruction Fuzzy Hash: 59414B74A00605DFCB05CF59C5989AEFBB1FF88310B1581AACA15AB364C736FD52CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00CD4BF0 Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2108268061.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_cd0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 16db0c48e4c68d41a68c1d8d4cc527dfdaf5d7600ab5fa6e42017e5cb509b3a9
                                                            • Instruction ID: d68c2a34826546b32d7888fd2dd4071d78ca43c812060ba3b396cdaa63d28fd0
                                                            • Opcode Fuzzy Hash: 16db0c48e4c68d41a68c1d8d4cc527dfdaf5d7600ab5fa6e42017e5cb509b3a9
                                                            • Instruction Fuzzy Hash: 29215075A0A385CFDB06CB68C4905A9BFB1BF8A311B1A81D7D644DB363C335AC05CB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00CD4BD0 Relevance: .1, Instructions: 67COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2108268061.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_cd0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 651afcdc0051d0b66bdc0841acf7273732fcb0ac29e34aa8d11dc69b92e77775
                                                            • Instruction ID: 882c03ffc61c46627067e1e6a18271cd77bc4d7a0478cd59884b900ce8218ccd
                                                            • Opcode Fuzzy Hash: 651afcdc0051d0b66bdc0841acf7273732fcb0ac29e34aa8d11dc69b92e77775
                                                            • Instruction Fuzzy Hash: 61213074A05249DFCB05CFA8C4809AEBFB1FF8A310B1581AAD505EB362C735ED41CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00A3D01D Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107401570.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_a3d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8bccdeb34f94621ee76b9f8a0576ced22d841ba3481009302d06f3cd3ddf8fef
                                                            • Instruction ID: 76928b6738e5bd779c2fa5b5e884c5480d6b38e9253840cdcc75f05180d04cd9
                                                            • Opcode Fuzzy Hash: 8bccdeb34f94621ee76b9f8a0576ced22d841ba3481009302d06f3cd3ddf8fef
                                                            • Instruction Fuzzy Hash: FF012672404340DAE7184F25ED80B67BFA8DF42B34F18C02AFD0A1B242C6B89941CAB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00A3D01C Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107401570.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_a3d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 727598a9bac873e2f4d4e33b6b948bb134000441c746a93fdddefa097516e0ae
                                                            • Instruction ID: b54ea05423b44a8e71eb8b1e1f685a64d2eb7b839a7ef7d8d1a942ab3d8c6bea
                                                            • Opcode Fuzzy Hash: 727598a9bac873e2f4d4e33b6b948bb134000441c746a93fdddefa097516e0ae
                                                            • Instruction Fuzzy Hash: BBF0C272405344AEE7148B15D984B62FF98EB42734F18C05AED491A682C2799C40CAB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:8.1%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:3
                                                            Total number of Limit Nodes:0
                                                            execution_graph 13194 12770a8 13195 12770ec CheckRemoteDebuggerPresent 13194->13195 13196 127712e 13195->13196

                                                            Executed Functions

                                                            Function 012770A8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 551 12770a8-127712c CheckRemoteDebuggerPresent 553 1277135-1277170 551->553 554 127712e-1277134 551->554 554->553
                                                            APIs
                                                            • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0127711F
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.4563689085.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_1270000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: CheckDebuggerPresentRemote
                                                            • String ID:
                                                            • API String ID: 3662101638-0
                                                            • Opcode ID: 2cc674d4ca7259ad165e9f9201b6fd37b74a602f5ac6e862a411e42c8a85e4f4
                                                            • Instruction ID: 19a4313ac0d857af093c912a8c6c10bb6239304bb9e8997d0fe4c67de41bb282
                                                            • Opcode Fuzzy Hash: 2cc674d4ca7259ad165e9f9201b6fd37b74a602f5ac6e862a411e42c8a85e4f4
                                                            • Instruction Fuzzy Hash: 322139B290025ACFDB10CF9AD884BEEFBF4AF49320F14845AE559A7250D778A944CF61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012770A0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 544 12770a0-127712c CheckRemoteDebuggerPresent 547 1277135-1277170 544->547 548 127712e-1277134 544->548 548->547
                                                            APIs
                                                            • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0127711F
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.4563689085.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_1270000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID: CheckDebuggerPresentRemote
                                                            • String ID:
                                                            • API String ID: 3662101638-0
                                                            • Opcode ID: bb480729af6639a66bc3d019bd48682b9dcf1a1e79466731c437ceaa2bd8a89f
                                                            • Instruction ID: b2ecd9ea425574da769f1a6c4f43f94b33766cf5ec479d8981af19b0950be3c8
                                                            • Opcode Fuzzy Hash: bb480729af6639a66bc3d019bd48682b9dcf1a1e79466731c437ceaa2bd8a89f
                                                            • Instruction Fuzzy Hash: BF214AB2900259CFDB00CF9AD984BEEFBF4EF59320F14845AE555A3240D778A944CF61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0122D01C Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.4559836394.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_122d000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d6fa578d7cf7f481c5aea8bdae6bb549726a8219c9d5d35429935a2371193127
                                                            • Instruction ID: cf8b9782903331508d215d621032c84262d6bcad0aaa3c23102cb1ec232b4502
                                                            • Opcode Fuzzy Hash: d6fa578d7cf7f481c5aea8bdae6bb549726a8219c9d5d35429935a2371193127
                                                            • Instruction Fuzzy Hash: 21214275614248EFCB14CF64D9C0B2ABB61EB84314F20C56DDA0A0B262C77AD407CA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0122D006 Relevance: .1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.4559836394.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_122d000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1c85dc2e63ab412ec94ad4be74184271ffc7d016f8c3650d94cfe9a83aa06210
                                                            • Instruction ID: 861cd33749e6049558189b6d6aa646b87408a9120d7259ec759c412801e06db4
                                                            • Opcode Fuzzy Hash: 1c85dc2e63ab412ec94ad4be74184271ffc7d016f8c3650d94cfe9a83aa06210
                                                            • Instruction Fuzzy Hash: 4021B0754083849FCB02CF24D994715BF71EB46314F28C5DAD9498F267C33A980ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%