Windows Analysis Report
Quotation Order.exe

Overview

General Information

Sample name: Quotation Order.exe
Analysis ID: 1432027
MD5: d797aae1eaf481e9c887482192b84109
SHA1: acf58b4eb3f0ffda9a2cd91def583422a11ed873
SHA256: cbda8606094d0493370b0f219edaba9be92444967aa9259d3e9323314dca2daa
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Disables UAC (registry)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Spawned By Uncommon Parent Process
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
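The Defender-exclusion, base64-encoded MpPreference, UAC-disable and autorun signatures above are the process-creation evidence a detection engineer would hunt for on other hosts. The following Python is an added example written for this page, not code from the report, from Joe Sandbox or from the sample: it decodes a PowerShell -EncodedCommand payload and labels command lines that tamper with Defender or UAC. The log records are constructed (the report does not reproduce the sample's real command lines), and the abbreviated switch spellings it recognises (-e, -ec, -enc, -encodedcommand) are an assumption about how the launcher was invoked.

```python
"""Detect Defender exclusion / UAC tampering in process-creation command lines.

Added example for this page, not code from the Joe Sandbox report or the sample.
The log records are constructed; the sample's real command lines are not on the page.
"""
import base64
import re
from typing import List, Optional

# PowerShell accepts abbreviated switch names; these are the common spellings of
# -EncodedCommand seen in launchers (assumption: others exist, extend as needed).
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Cmdlets that change Defender's protection state, and the exclusion parameters.
MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_PARAM = re.compile(r"-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
# EnableLUA set to 0 via reg.exe (/d 0) or Set-ItemProperty (-Value 0) disables UAC.
UAC_DISABLE = re.compile(r"EnableLUA.*?(?:/d\s+|-Value\s+)0\b", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE payload of an -EncodedCommand switch, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64 / UTF-16LE: fall back to the raw text


def classify(cmdline: str) -> List[str]:
    """Labels for one command line; an empty list means nothing matched."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded-command")
    text = decoded if decoded is not None else cmdline
    if MP_CMDLET.search(text):
        findings.append("mppreference-cmdlet")
        if EXCLUSION_PARAM.search(text):
            findings.append("defender-exclusion")
    if UAC_DISABLE.search(text):
        findings.append("uac-disabled")
    return findings


# Constructed sample: the exclusion command is encoded here so the record is
# self-consistent; it mirrors the report's "Adds a directory exclusion" finding.
EXCLUSION_CMD = 'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'
ENCODED = base64.b64encode(EXCLUSION_CMD.encode("utf-16-le")).decode("ascii")

SAMPLE_LOGS = [
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": f"powershell.exe -NoProfile -WindowStyle Hidden -enc {ENCODED}"},
    {"image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System "
                "/v EnableLUA /t REG_DWORD /d 0 /f"},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
]


def scan(records) -> List[tuple]:
    """(image, findings) for every record that triggers at least one label."""
    hits = []
    for r in records:
        labels = classify(r["cmdline"])
        if labels:
            hits.append((r["image"], labels))
    return hits


if __name__ == "__main__":
    for image, labels in scan(SAMPLE_LOGS):
        print(image, "->", ", ".join(labels))
```

Decoding before matching is the point: the Sigma rule named in the report fires on the base64 form precisely because a plain-text match on "MpPreference" never sees it. The -ExecutionPolicy Bypass record is included to show that the abbreviated-switch regex does not misfire on other -E switches.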

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 26.2.AddInProcess32.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.bonnyriggdentalsurgery.com.au", "Username": "hr1@bonnyriggdentalsurgery.com.au", "Password": "Sages101*"}
Source: C:\Users\user\AppData\Roaming\svchost.exe ReversingLabs: Detection: 31%
Source: Quotation Order.exe ReversingLabs: Detection: 31%
Source: Quotation Order.exe Virustotal: Detection: 28%

Exploits

Source: Yara match File source: 00000000.00000002.1287260691.0000025980041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1482838005.00000153C09BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1488978955.0000026BB4FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1454297088.000001FC8F1F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation Order.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 8072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 8164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6284, type: MEMORYSTR
Source: Quotation Order.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Core.pdbmscorlib.dllSystem.dll@ source: WER46C7.tmp.dmp.46.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Drawing.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbpdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: AddInProcess32.pdbpw source: avdfUcC.exe, 00000032.00000000.1504143602.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: svchost.exe, 0000000F.00000002.1524720197.00000153D8F75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Core.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Management.pdb source: WER46C7.tmp.dmp.46.dr
Source: Binary string: mscorlib.pdb` source: WER2499.tmp.dmp.32.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini\??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 0000000F.00000002.1480472904.00000153BE8AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb} source: svchost.exe, 0000000F.00000002.1480472904.00000153BE8AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER2499.tmp.dmp.32.dr
Source: Binary string: pC:\Users\user\AppData\Roaming\svchost.PDB source: svchost.exe, 0000000F.00000002.1472717791.000000458E6F3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: fic.pdbn source: svchost.exe, 0000000F.00000002.1524720197.00000153D8F75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb` source: WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbCon source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Windows.Forms.pdbH source: WER1C4C.tmp.dmp.35.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1524720197.00000153D8F75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: C:\Users\user\AppData\Roaming\svchost.PDB source: svchost.exe, 0000000F.00000002.1472717791.000000458E6F3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbpdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.pdb#( source: WER2499.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbmeerCo source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb@ source: WER1C4C.tmp.dmp.35.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Windows.Forms.pdbpHj! source: WER46C7.tmp.dmp.46.dr
Source: Binary string: System.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Windows.Forms.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: mscorlib.pdb" source: WER1C4C.tmp.dmp.35.dr
Source: Binary string: AddInProcess32.pdb source: avdfUcC.exe, 00000032.00000000.1504143602.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: mscorlib.pdb source: svchost.exe, 0000000F.00000002.1481132072.00000153BE8F2000.00000004.00000020.00020000.00000000.sdmp, WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Object InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)\??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Drawing.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Management.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: caspol.pdb source: avdfUcC.exe.31.dr
Source: Binary string: System.Core.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbxko source: svchost.exe, 0000000F.00000002.1481132072.00000153BE8F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.PDB source: svchost.exe, 0000000F.00000002.1472717791.000000458E6F3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr

Networking

Source: Yara match File source: 26.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.1fc9f1fd6c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: Joe Sandbox View IP Address: 192.254.225.166
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: mail.bonnyriggdentalsurgery.com.au
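The traffic above combines four behaviours worth turning into host-side triage rules: the GET to ip-api.com asking only for the "hosting" field (the data-centre check from the signature list), that request carrying no User-Agent, SMTP on port 587 to the mail host from the extracted configuration, and all of it coming from a svchost.exe copy under AppData\Roaming rather than System32. The following Python is an added example for this page, not code from the report or the sample: it applies those rules to constructed proxy and connection records. The mail-client allow-list, the Windows directory prefixes and the record layout are assumptions.

```python
"""Triage rules for the network behaviours this report attributes to the sample.

Added example for this page, not code from the Joe Sandbox report or the sample.
The telemetry records are constructed; the allow-lists below are assumptions.
"""
import ntpath
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Processes that may legitimately speak SMTP from a workstation (assumption).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}
# Names the sample reuses for dropped copies; genuine ones live under Windows.
SYSTEM_ONLY = {"svchost.exe", "addinprocess32.exe", "caspol.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\microsoft.net\\")


def image_anomaly(image: str) -> List[str]:
    """A system-binary name running outside the Windows directories
    (the report's 'Files With System Process Name In Unsuspected Locations')."""
    name = ntpath.basename(image).lower()
    if name in SYSTEM_ONLY and not image.lower().startswith(SYSTEM_DIRS):
        return ["system-binary-outside-windows-dir"]
    return []


def triage_http(req: Dict) -> List[str]:
    """Labels for one proxy record: {"image", "url", "headers"}."""
    findings = image_anomaly(req["image"])
    url = urlsplit(req["url"])
    fields = parse_qs(url.query).get("fields", [""])[0].split(",")
    # /line/?fields=hosting asks whether the egress IP belongs to a hosting
    # provider: the sandbox / data-centre check the report attributes to the sample.
    if url.hostname == "ip-api.com" and "hosting" in fields:
        findings.append("ip-api-hosting-check")
    if "user-agent" not in {k.lower() for k in req.get("headers", {})}:
        findings.append("http-no-user-agent")
    return findings


def triage_conn(conn: Dict) -> List[str]:
    """Labels for one connection record: {"image", "dst", "dport"}."""
    findings = image_anomaly(conn["image"])
    name = ntpath.basename(conn["image"]).lower()
    if conn["dport"] in SMTP_PORTS and name not in MAIL_CLIENTS:
        findings.append("smtp-from-non-mail-client")
    return findings


# Constructed records. The first of each list mirrors what the report observed:
# the dropped svchost.exe copy, the ip-api.com request without a User-Agent, and
# SMTP on 587 to the mail host from the extracted configuration.
SAMPLE_HTTP = [
    {"image": "C:\\Users\\user\\AppData\\Roaming\\svchost.exe",
     "url": "http://ip-api.com/line/?fields=hosting",
     "headers": {"Host": "ip-api.com", "Connection": "Keep-Alive"}},
    {"image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "url": "https://ip-api.com/json/",
     "headers": {"Host": "ip-api.com", "User-Agent": "Mozilla/5.0"}},
]
SAMPLE_CONNS = [
    {"image": "C:\\Users\\user\\AppData\\Roaming\\svchost.exe",
     "dst": "mail.bonnyriggdentalsurgery.com.au", "dport": 587},
    {"image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "dst": "smtp.example.net", "dport": 587},
    {"image": "C:\\Windows\\System32\\svchost.exe",
     "dst": "ctldl.windowsupdate.com", "dport": 80},
]

if __name__ == "__main__":
    for rec in SAMPLE_HTTP:
        print(rec["url"], triage_http(rec))
    for rec in SAMPLE_CONNS:
        print(rec["dst"], triage_conn(rec))
```

On its own the missing User-Agent label is noisy (plenty of legitimate clients omit it); it earns its place when it co-occurs with the hosting-field query or with a masquerading image path, which is why the functions return all labels for a record rather than a single verdict.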
Source: svchost.exe, 00000024.00000003.1426512052.000002B805E10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 00000024.00000003.1360706982.000002B805729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1390230532.000002B80572F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1380858399.000002B805729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1390230532.000002B80572A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 00000024.00000003.1390016964.000002B804EE4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2516290801.000002B804EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb_
Source: svchost.exe, 00000024.00000002.2518501231.000002B805C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2519109221.000002B805CB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tbpose
Source: svchost.exe, 00000024.00000002.2518170013.000002B805C13000.00000004.00000020.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.36.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 00000024.00000002.2515299531.000002B804E73000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1425819438.000002B804E72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01
Source: svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1389451722.000002B805735000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000024.00000002.2517767699.000002B805778000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426108352.000002B805776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd(
Source: svchost.exe, 00000024.00000003.1360706982.000002B805729000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
Source: svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdesA
Source: svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdesEncr
Source: svchost.exe, 00000024.00000002.2517767699.000002B805778000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426108352.000002B805776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdonMe
Source: svchost.exe, 00000024.00000003.1425060202.000002B805783000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-sod
Source: svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1389451722.000002B805735000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd(
Source: svchost.exe, 00000024.00000002.2517767699.000002B805778000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426108352.000002B805776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd.
Source: svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd0nw
Source: svchost.exe, 00000024.00000002.2517767699.000002B805778000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426108352.000002B805776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA
Source: svchost.exe, 00000024.00000003.1360706982.000002B805729000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
Source: svchost.exe, 00000024.00000003.1389377028.000002B805735000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1399093323.000002B805735000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1389451722.000002B805735000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdpServ
Source: svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: svchost.exe, 00000024.00000002.2519461243.000002B805CF0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426345130.000002B805C44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2518233779.000002B805C37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2519335064.000002B805CD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1402825732.000002B80570F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.000000000325C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: svchost.exe, 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.000000000325C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.bonnyriggdentalsurgery.com.au
Source: svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://passport.net/tb
Source: AddInProcess32.exe, 0000001A.00000002.1477526079.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1647286453.0000000005EB2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2515186191.0000000001154000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000114B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0T
Source: AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005F80000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1477526079.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1647286453.0000000005EB2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2515186191.0000000001154000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000114B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: svchost.exe, 00000024.00000002.2517369366.000002B805737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000024.00000002.2517123888.000002B805713000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000024.00000002.2517123888.000002B805713000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 00000024.00000002.2517369366.000002B805737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scon
Source: svchost.exe, 00000024.00000002.2517472650.000002B80575F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scrf
Source: svchost.exe, 00000024.00000003.1434799034.000002B805766000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scs-cbc
Source: svchost.exe, 00000024.00000002.2517880244.000002B805791000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1425939517.000002B80578D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scyc=
Source: svchost.exe, 00000024.00000002.2517880244.000002B805791000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515299531.000002B804E73000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2517472650.000002B80575F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2517369366.000002B805737000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2518883672.000002B805C9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1425939517.000002B80578D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2517123888.000002B805713000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 00000024.00000003.1360706982.000002B805729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1390230532.000002B80572F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1380858399.000002B805729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1390230532.000002B80572A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 00000024.00000002.2518501231.000002B805C59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 00000024.00000002.2517675071.000002B80576F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1434712094.000002B80576E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue1
Source: svchost.exe, 00000024.00000002.2517675071.000002B80576F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1434712094.000002B80576E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 00000024.00000002.2517369366.000002B805737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustnce
Source: Quotation Order.exe, 00000000.00000002.1287260691.000002598039A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.000000000325C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000008.00000002.2513040274.0000029957118000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2511975756.0000029956887000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.8.dr String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: Amcache.hve.35.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000003.00000002.1365924349.00000215E6C13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co4
Source: AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005F80000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1477526079.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1647286453.0000000005EB2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1622449138.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000114B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2543008151.0000000006260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005F80000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1477526079.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1647286453.0000000005EB2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1622449138.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000114B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2543008151.0000000006260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: svchost.exe, 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359102832.000002B805757000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/msangcwamvice
Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366155272.00000215E6C59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000003.00000002.1366447349.00000215E6C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000003.00000003.1363757483.00000215E6C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366478054.00000215E6C68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000003.00000003.1362941126.00000215E6C74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366539238.00000215E6C76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363814571.00000215E6C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364259093.00000215E6C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366447349.00000215E6C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000003.00000003.1363757483.00000215E6C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365960193.00000215E6C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366478054.00000215E6C68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000003.00000002.1366055215.00000215E6C3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363814571.00000215E6C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366447349.00000215E6C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000003.00000002.1366055215.00000215E6C3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000003.1363814571.00000215E6C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366447349.00000215E6C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000003.00000003.1364293174.00000215E6C4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000002.1366055215.00000215E6C3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000003.1363814571.00000215E6C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366447349.00000215E6C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000002.1366086819.00000215E6C44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364324633.00000215E6C43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000002.1366539238.00000215E6C76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000003.00000003.1362821532.00000215E6C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000003.00000003.1363757483.00000215E6C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365960193.00000215E6C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366478054.00000215E6C68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000024.00000002.2516513363.000002B804F13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2519109221.000002B805CB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: svchost.exe, 00000024.00000002.2518170013.000002B805C13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ApproveSession.srfe.com
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80600
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80601
Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 00000024.00000003.1390016964.000002B804EE4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515392408.000002B804E81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2518233779.000002B805C37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2516290801.000002B804EE1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 00000024.00000002.2516290801.000002B804EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/RST2.srf$V
Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/didtou.srfo.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsec
Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srfIssuerP
Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srftificates
Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359102832.000002B805757000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&amp;fid=cp
Source: svchost.exe, 00000024.00000003.1358375444.000002B80575A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 00000024.00000002.2519246321.000002B805CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf3
Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 00000024.00000002.2518633439.000002B805C7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515629844.000002B804E9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 00000024.00000002.2516513363.000002B804F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comwwCP=
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srfi
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2517369366.000002B805737000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf(
Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf7
Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://signup.live.com/signup.aspx
Source: svchost.exe, 00000003.00000003.1364324633.00000215E6C43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000003.00000003.1364293174.00000215E6C4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364293174.00000215E6C4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000003.1363948684.00000215E6C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000002.1365960193.00000215E6C2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366155272.00000215E6C59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, 8WWn.cs .Net Code: lkBm6YL8X
Source: 17.2.svchost.exe.1fc9f1fd6c0.1.raw.unpack, 8WWn.cs .Net Code: lkBm6YL8X

System Summary

Source: 17.2.svchost.exe.1fc9f239308.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.svchost.exe.1fc9f1fd6c0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 26.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.svchost.exe.1fc9f1fd6c0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample Static PE information: Filename: Quotation Order.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 8072 -ip 8072
Source: Quotation Order.exe Static PE information: No import functions for PE file found
Source: svchost.exe.0.dr Static PE information: No import functions for PE file found
Source: Quotation Order.exe, 00000000.00000000.1254895494.00000259E990E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAluderopolikodiquxeko2 vs Quotation Order.exe
Source: Quotation Order.exe Binary or memory string: OriginalFilenameAluderopolikodiquxeko2 vs Quotation Order.exe
Source: 17.2.svchost.exe.1fc9f239308.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.svchost.exe.1fc9f1fd6c0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 26.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.svchost.exe.1fc9f1fd6c0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Quotation Order.exe, -----.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: svchost.exe.0.dr, -----.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, G39cBQ.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, G39cBQ.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, sDtvQjPGfa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, sDtvQjPGfa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, sDtvQjPGfa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, sDtvQjPGfa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe, 0000000F.00000002.1481132072.00000153BE8F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbxko
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@85/46@2/2
Source: C:\Users\user\Desktop\Quotation Order.exe File created: C:\Users\user\AppData\Roaming\svchost.exe Jump to behavior
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8164
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4444:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8072
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7412
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_03
Source: C:\Users\user\Desktop\Quotation Order.exe File created: C:\Users\user\AppData\Local\Temp\tmp25B.tmp
Source: C:\Users\user\Desktop\Quotation Order.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25B.tmp.bat""
Source: Quotation Order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Quotation Order.exe Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Quotation Order.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Quotation Order.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Quotation Order.exe ReversingLabs: Detection: 31%
Source: Quotation Order.exe Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\Quotation Order.exe File read: C:\Users\user\Desktop\Quotation Order.exe
Source: unknown Process created: C:\Users\user\Desktop\Quotation Order.exe "C:\Users\user\Desktop\Quotation Order.exe"
Source: C:\Users\user\Desktop\Quotation Order.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: C:\Users\user\Desktop\Quotation Order.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation Order.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25B.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 8072 -ip 8072
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1276
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 212 -p 8164 -ip 8164
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8164 -s 1688
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 552 -p 7412 -ip 7412
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7412 -s 1648
Source: unknown Process created: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe "C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe"
Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\Quotation Order.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Users\user\Desktop\Quotation Order.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25B.tmp.bat""
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 8072 -ip 8072
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1276
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 212 -p 8164 -ip 8164
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8164 -s 1688
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 552 -p 7412 -ip 7412
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7412 -s 1648
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsusererclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\Quotation Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Quotation Order.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Quotation Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Quotation Order.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Quotation Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: System.Core.pdbmscorlib.dllSystem.dll@ source: WER46C7.tmp.dmp.46.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Drawing.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbpdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: AddInProcess32.pdbpw source: avdfUcC.exe, 00000032.00000000.1504143602.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: svchost.exe, 0000000F.00000002.1524720197.00000153D8F75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Core.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Management.pdb source: WER46C7.tmp.dmp.46.dr
Source: Binary string: mscorlib.pdb` source: WER2499.tmp.dmp.32.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini\??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 0000000F.00000002.1480472904.00000153BE8AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb} source: svchost.exe, 0000000F.00000002.1480472904.00000153BE8AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER2499.tmp.dmp.32.dr
Source: Binary string: pC:\Users\user\AppData\Roaming\svchost.PDB source: svchost.exe, 0000000F.00000002.1472717791.000000458E6F3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: fic.pdbn source: svchost.exe, 0000000F.00000002.1524720197.00000153D8F75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb` source: WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbCon source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Windows.Forms.pdbH source: WER1C4C.tmp.dmp.35.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1524720197.00000153D8F75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: C:\Users\user\AppData\Roaming\svchost.PDB source: svchost.exe, 0000000F.00000002.1472717791.000000458E6F3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbpdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.pdb#( source: WER2499.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbmeerCo source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb@ source: WER1C4C.tmp.dmp.35.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Windows.Forms.pdbpHj! source: WER46C7.tmp.dmp.46.dr
Source: Binary string: System.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Windows.Forms.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: mscorlib.pdb" source: WER1C4C.tmp.dmp.35.dr
Source: Binary string: AddInProcess32.pdb source: avdfUcC.exe, 00000032.00000000.1504143602.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: mscorlib.pdb source: svchost.exe, 0000000F.00000002.1481132072.00000153BE8F2000.00000004.00000020.00020000.00000000.sdmp, WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Object InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)\??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Drawing.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Management.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: caspol.pdb source: avdfUcC.exe.31.dr
Source: Binary string: System.Core.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbxko source: svchost.exe, 0000000F.00000002.1481132072.00000153BE8F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.PDB source: svchost.exe, 0000000F.00000002.1472717791.000000458E6F3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Quotation Order.exe Static PE information: 0xB06BE3BE [Wed Oct 17 15:31:10 2063 UTC]
Source: C:\Users\user\Desktop\Quotation Order.exe Code function: 0_2_00007FF7C19CD1BD push ecx; iretd 0_2_00007FF7C19CD35C
Source: C:\Users\user\Desktop\Quotation Order.exe Code function: 0_2_00007FF7C19C5165 push FFFFFF92h; ret 0_2_00007FF7C19C5176
Source: C:\Users\user\Desktop\Quotation Order.exe Code function: 0_2_00007FF7C1AA0002 push esp; retf 4810h 0_2_00007FF7C1AA0312
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 15_2_00007FF7C19BD1BD push ecx; iretd 15_2_00007FF7C19BD35C
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 15_2_00007FF7C19B5165 push FFFFFF92h; ret 15_2_00007FF7C19B5176
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 15_2_00007FF7C1A9026B push esp; retf 4810h 15_2_00007FF7C1A90312
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 17_2_00007FF7C198D1BD push ecx; iretd 17_2_00007FF7C198D35C
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 17_2_00007FF7C1985165 push FFFFFF92h; ret 17_2_00007FF7C1985176
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 17_2_00007FF7C1A6026B push esp; retf 4810h 17_2_00007FF7C1A60312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 26_2_06495BE0 push es; ret 26_2_06495BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 26_2_069A11B0 push es; ret 26_2_069A11C0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 38_2_00007FF7C19AD1BD push ecx; iretd 38_2_00007FF7C19AD35C
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 38_2_00007FF7C19A5165 push FFFFFF92h; ret 38_2_00007FF7C19A5176
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 38_2_00007FF7C1A8026B push esp; retf 4810h 38_2_00007FF7C1A80312
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 52_2_00007FF7C191D1BD push ecx; iretd 52_2_00007FF7C191D35C
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 52_2_00007FF7C1915165 push FFFFFF92h; ret 52_2_00007FF7C1915176
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 52_2_00007FF7C19F026B push esp; retf 4810h 52_2_00007FF7C19F0312
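The static PE entries above (the DllCharacteristics flags, the debug data directory and a TimeDateStamp that decodes to October 2063) are all read from the first few hundred bytes of the file. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it builds a constructed, headers-only PE32+ image carrying the reported stamp 0xB06BE3BE and the five reported flags (bit values taken from winnt.h), parses it the way a triage script would, and flags a stamp that post-dates the moment the file was first observed. The analysis date is not on this page, so the check takes it as a parameter. Caveat: the mscorlib and Microsoft.VisualBasic PDB references above mark this as a managed (.NET) binary, and .NET deterministic builds write a content hash into TimeDateStamp, so an impossible date on a managed binary is a weak indicator on its own.

```python
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bit values from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"


def build_sample_pe(timestamp: int, dll_characteristics: int) -> bytes:
    """Constructed, headers-only PE32+ image for offline testing (not the real sample).
    Only the fields parse_pe_header() reads are populated; everything else is zero."""
    e_lfanew = 0x40
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # e_lfanew -> PE signature
    coff = struct.pack(COFF_HEADER, 0x8664, 3, timestamp, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                  # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)                 # Magic: PE32+
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe_header(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        COFF_HEADER, data, e_lfanew + 4)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt_off = e_lfanew + 4 + struct.calcsize(COFF_HEADER)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic 0x{magic:X}")
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    (dllchars,) = struct.unpack_from("<H", data, opt_off + 70)
    return {"machine": machine, "sections": nsections, "timestamp": timestamp,
            "characteristics": chars, "pe32plus": magic == 0x20B,
            "dll_characteristics": dllchars}


def describe_dll_characteristics(value: int) -> list:
    """Names of the set DllCharacteristics bits, lowest bit first (the order the report prints)."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def timestamp_to_utc(ts: int) -> datetime:
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_anomalous(ts: int, observed_at: datetime) -> bool:
    """A zero stamp, or one later than the moment the file was first seen, cannot be a real
    link time. Caveat: .NET deterministic builds store a content hash here, so a 'future'
    stamp on a managed binary is a weak signal that needs the rest of the report behind it."""
    return ts == 0 or timestamp_to_utc(ts) > observed_at


# Header values as printed in the report for Quotation Order.exe; the bytes are constructed.
SAMPLE_PE = build_sample_pe(0xB06BE3BE, 0x8560)

if __name__ == "__main__":
    hdr = parse_pe_header(SAMPLE_PE)
    print("TimeDateStamp 0x%08X -> %s" % (hdr["timestamp"], timestamp_to_utc(hdr["timestamp"])))
    print("DllCharacteristics:", ", ".join(describe_dll_characteristics(hdr["dll_characteristics"])))
    print("anomalous:", timestamp_is_anomalous(hdr["timestamp"], datetime.now(timezone.utc)))
```

Run against the real file by replacing `SAMPLE_PE` with `open(path, "rb").read()`; the parser never dereferences past the optional header, so a truncated or section-less dump is enough for the stamp and flag checks.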

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Quotation Order.exe File created: C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe

Boot Survival

Source: C:\Users\user\Desktop\Quotation Order.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avdfUcC
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
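The Run values and the schtasks command above are the persistence an analyst would hunt for on other hosts. The Python below is an added example, not code from the report or from Joe Sandbox: it parses the schtasks /create command line into its switches and scores each autostart entry with the heuristics a detection rule would use, namely a target under a user-writable path, a system binary name (svchost) outside System32, an entry name that mimics a system process, /rl highest, and a writer that is a .NET Framework utility rather than an installer. The input events are constructed from the entries above; the report shows only the value name for avdfUcC, so pointing that value at the dropped avdfUcC.exe is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Core Windows process names that droppers reuse for their copies (compare the dropped svchost.exe).
SYSTEM_BINARY_NAMES = {"svchost", "csrss", "lsass", "services", "smss", "wininit", "winlogon",
                       "explorer", "dllhost", "conhost", "spoolsv", "taskhostw"}
# Where those binaries legitimately live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# Directories a standard user can write to; an autostart target there needed no admin rights to plant.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.I)
# Command-line tokens: double-quoted, single-quoted, or bare.
_TOKEN = re.compile(r'''"[^"]*"|'[^']*'|\S+''')


def _unquote(s: str) -> str:
    """Strip nested matching quotes, e.g. '"C:\\x.exe"' -> C:\\x.exe."""
    while len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'":
        s = s[1:-1]
    return s


def parse_schtasks(cmdline: str) -> dict:
    """Map schtasks switches to their values; switches with no value (/create, /f) map to True."""
    tokens = [_unquote(t) for t in _TOKEN.findall(cmdline)]
    opts, i = {}, 1                       # tokens[0] is the program itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def assess_autostart(name: str, target: str, writer: str = "", run_level: str = "") -> list:
    """Reasons an autostart entry (Run value or scheduled task) deserves analyst attention."""
    path = PureWindowsPath(target)
    findings = []
    if USER_WRITABLE.match(target):
        findings.append("target lives in a user-writable directory")
    if path.stem.lower() in SYSTEM_BINARY_NAMES and str(path.parent).lower() not in SYSTEM_DIRS:
        findings.append(f"system binary name '{path.name}' outside its expected location")
    if name.lower() in SYSTEM_BINARY_NAMES:
        findings.append(f"entry name '{name}' mimics a Windows system process")
    if run_level.lower() == "highest":
        findings.append("task requests the highest available privilege level (/rl highest)")
    if r"\microsoft.net\framework" in writer.lower():
        findings.append(f"written by .NET Framework utility {PureWindowsPath(writer).name}, a common injection host")
    return findings


def triage_schtasks(cmdline: str) -> list:
    """Findings for a schtasks command line; anything other than /create is ignored."""
    opts = parse_schtasks(cmdline)
    if "create" not in opts:
        return []
    return assess_autostart(str(opts.get("tn", "")), str(opts.get("tr", "")),
                            run_level=str(opts.get("rl", "")))


def triage_run_keys(events) -> dict:
    """events: iterable of (writer process, value name, value data) under HKCU\\...\\CurrentVersion\\Run."""
    return {name: assess_autostart(name, data, writer=writer) for writer, name, data in events}


# Constructed events modelled on the report's Boot Survival entries.
SCHTASKS_CMDLINE = ('schtasks /create /f /sc onlogon /rl highest /tn "svchost" '
                    '/tr \'"C:\\Users\\user\\AppData\\Roaming\\svchost.exe"\'')
RUN_KEY_EVENTS = [
    ("C:\\Users\\user\\Desktop\\Quotation Order.exe", "svchost",
     "C:\\Users\\user\\AppData\\Roaming\\svchost.exe"),
    # The report shows only the value name for avdfUcC; pointing it at the dropped file is an assumption.
    ("C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CasPol.exe", "avdfUcC",
     "C:\\Users\\user\\AppData\\Roaming\\avdfUcC\\avdfUcC.exe"),
]

if __name__ == "__main__":
    for reason in triage_schtasks(SCHTASKS_CMDLINE):
        print("schtasks:", reason)
    for name, reasons in triage_run_keys(RUN_KEY_EVENTS).items():
        for reason in reasons:
            print(f"Run\\{name}:", reason)
```

/rl highest requests the highest privilege level the account can hold, so for an administrator the task runs with the full token and no UAC prompt at every logon (/sc onlogon); the Run values, by contrast, execute in the user's normal token. On a live host the same two functions can be fed from Sysmon event ID 1 (process creation) and event ID 13 (registry value set) rather than from the constructed lists.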

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Quotation Order.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Quotation Order.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 8072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 8164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6284, type: MEMORYSTR
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Quotation Order.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation
Source: Quotation Order.exe, 00000000.00000002.1287260691.0000025980041000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1482838005.00000153C09BE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1454297088.000001FC8F1F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.1488978955.0000026BB4FDE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Quotation Order.exe, 00000000.00000002.1287260691.0000025980041000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1482838005.00000153C09BE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1454297088.000001FC8F1F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.1488978955.0000026BB4FDE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F52000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: Quotation Order.exe, 00000000.00000002.1287260691.0000025980041000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1482838005.00000153C05A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1454297088.000001FC8F1F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.1488978955.0000026BB4BCE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLLP
Source: Quotation Order.exe, 00000000.00000002.1287260691.0000025980041000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1482838005.00000153C05A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1454297088.000001FC8F1F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.1488978955.0000026BB4BCE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAMEP
Source: C:\Users\user\Desktop\Quotation Order.exe Memory allocated: 259E9C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Quotation Order.exe Memory allocated: 259EB650000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 153BEAF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 153D85A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1FC8F1B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1FCA71B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 11E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2BA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 4BA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: CC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 2D10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 27E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 26BB4BC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 26BCCBC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 12B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2F20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2C50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Memory allocated: 1670000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Memory allocated: 31A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Memory allocated: 2FE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 2DFB7D20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 2DFD17A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 1440000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 3250000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 2D10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\AppData\Roaming\svchost.exe File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
Source: C:\Users\user\AppData\Roaming\svchost.exe File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Roaming\svchost.exe File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
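The entries above (the ip-api.com `fields=hosting` lookup, the Win32_VideoController and Win32_NetworkAdapterConfiguration WMI queries, the vmmouse.sys / vmhgfs.sys / VBoxMouse.sys probes and the SystemBiosVersion, VideoBiosVersion, SCSI Identifier and display-adapter DriverDesc registry reads) and the thread-sleep entries that follow are each weak on their own: a .NET host process reads hardware information for legitimate reasons too. What makes them useful is the combination per process. The following is an added triage example, not part of this report or of the sandbox vendor's tooling: a Python parser that reads entries in this report's "Source: <origin> <event>: <detail>" shape, maps each to an indicator and aggregates them per process. The indicator names, the verdict rule, the driver names beyond the three seen here, and the reading of the sleep magnitudes as milliseconds are assumptions made for the example. One caveat built into it: a sleep value of 922337203685477 is exactly Int64.MaxValue / 10000, i.e. the largest representable relative wait, an open-ended block rather than a timed sleep, so the parser scores it as weak evidence.

```python
"""Triage helper for the evasion entries above: parse the report's
"Source: <origin> <event>: <detail>" lines and aggregate indicators per process.
Added example; not part of the sandbox report or the vendor's tooling."""
import re
from collections import defaultdict

# Int64.MaxValue in 100 ns ticks expressed in milliseconds. The report's
# "922337203685477" sleep entries equal exactly this value: an open-ended wait,
# not a timed sleep, so it is treated as a weak indicator here.
INT64_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477

LINE_RE = re.compile(
    r"^Source: (?P<origin>.+?) "
    r"(?P<event>HTTP traffic detected|WMI Queries|File opened / queried|"
    r"Registry key queried|Thread sleep time|Thread sleep count): (?P<detail>.+)$"
)
TID_RE = re.compile(r"^(?P<proc>.+?) TID: (?P<tid>\d+)$")

# Guest-additions drivers whose presence betrays VMware / VirtualBox. The first
# three appear in the report; the rest are the same driver families (assumed
# illustrative list, not exhaustive).
VM_DRIVERS = {"vmmouse.sys", "vmhgfs.sys", "vboxmouse.sys",
              "vmci.sys", "vmmemctl.sys", "vboxguest.sys", "vboxsf.sys", "vboxvideo.sys"}
# Registry locations read in the report: BIOS strings, SCSI identifier, disk enum,
# display-adapter class {4d36e968-...} DriverDesc.
VM_REG_PATHS = (r"hardware\description\system", r"hardware\devicemap\scsi",
                r"services\disk\enum", r"control\class\{4d36e968")
HW_WMI_CLASSES = ("win32_videocontroller", "win32_networkadapter", "win32_bios",
                  "win32_computersystem")

def parse_line(line):
    """Return (process, tid_or_None, event, detail), or None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    origin, tid = m["origin"], None
    t = TID_RE.match(origin)
    if t:
        origin, tid = t["proc"], int(t["tid"])
    return origin, tid, m["event"], m["detail"]

def classify(event, detail):
    """Map one parsed entry to an indicator name, or None when it is noise."""
    d = detail.lower()
    if event == "HTTP traffic detected":
        # ip-api.com's `hosting` field answers "is this IP a data-center / colo address?"
        if "ip-api.com" in d and "fields=hosting" in d:
            return "datacenter_check"
    elif event == "WMI Queries":
        if any(cls in d for cls in HW_WMI_CLASSES):
            return "wmi_hw_enum"
    elif event == "File opened / queried":
        if d.rsplit("\\", 1)[-1] in VM_DRIVERS:
            return "vm_driver_probe"
    elif event == "Registry key queried":
        if any(p in d for p in VM_REG_PATHS):
            return "vm_registry_probe"
    elif event == "Thread sleep time":
        # The report prints "-99890s >= -30000s"; the magnitude is read as
        # milliseconds here (assumption about the tool's unit; only ordering matters).
        ms = abs(int(re.match(r"-?\d+", d).group()))
        if ms >= INT64_MAX_MS:
            return "open_ended_wait"   # weak: runtime threads blocking forever look like this
        if ms > 30_000:
            return "long_sleep"
    elif event == "Thread sleep count":
        if int(d.split()[0]) > 30:
            return "sleep_loop"        # many short sleeps: timer-padding loop
    return None

def triage(lines):
    """Aggregate indicators per process; a set, so repeated events do not inflate the picture."""
    per_proc = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, _tid, event, detail = parsed
        tag = classify(event, detail)
        if tag:
            per_proc[proc].add(tag)
    return dict(per_proc)

STRONG = {"datacenter_check", "vm_driver_probe", "vm_registry_probe", "sleep_loop"}

def verdict(per_proc):
    """'evasive' when at least one strong probe was seen, else 'weak'."""
    return {p: ("evasive" if tags & STRONG else "weak") for p, tags in per_proc.items()}

# Constructed sample in the report's line shape (abridged from the entries above).
SAMPLE_LINES = [
    r"Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive",
    r"Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController",
    r"Source: C:\Users\user\AppData\Roaming\svchost.exe File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys",
    r"Source: C:\Users\user\AppData\Roaming\svchost.exe File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys",
    r"Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99890s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -21213755684765971s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7940 Thread sleep count: 1269 > 30",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -922337203685477s >= -30000s",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    for proc, tags in summary.items():
        print(f"{verdict(summary)[proc]:8} {proc}: {sorted(tags)}")
```

Run against the constructed sample, the dropped svchost.exe copy collects the driver, registry and WMI probes in one process and is marked evasive, while CasPol.exe, which only shows long and open-ended waits, stays weak; the same aggregation over the full report is what turns this flat listing into a per-process picture worth acting on.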
Source: C:\Users\user\Desktop\Quotation Order.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6803
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2751
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8597
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 1269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 2907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 4527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 936
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7118
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 2388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 2139
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4722
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 2134
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 2482
Source: C:\Users\user\Desktop\Quotation Order.exe TID: 7476 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7940 Thread sleep count: 1269 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -99891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7940 Thread sleep count: 2907 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -99766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -99651s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -99531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -99422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -99141s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -99031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -98916s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -96602s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -96485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -96326s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -96157s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -96000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -95891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -95767s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -95649s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -95531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -95418s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -95297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -95188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4656 Thread sleep count: 4527 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99563s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99123s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98997s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98651s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98438s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4656 Thread sleep count: 936 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98317s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97405s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97296s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97076s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2596 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2092 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 4232 Thread sleep count: 2388 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99868s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99730s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 4232 Thread sleep count: 2139 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99244s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99137s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99017s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98782s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98532s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98298s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -97938s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -97813s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -97704s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -97579s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -97454s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -97329s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe TID: 4200 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2956 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4760 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2732 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6368 Thread sleep count: 2134 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99884s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99778s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6368 Thread sleep count: 2482 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99553s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99313s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99063s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98704s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98335s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98110s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -97985s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -97860s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -97735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -97610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -97485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -97360s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\Desktop\Quotation Order.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99651
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 98916
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96326
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95649
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98651
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97076
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99137
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 98891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 98782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 98658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 98532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 98422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 98298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 98172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 98047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 97938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 97813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 97704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 97579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 97454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 97329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99553
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.35.dr Binary or memory string: VMware
Source: Quotation Order.exe, 00000000.00000002.1287260691.0000025980041000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1482838005.00000153C05A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1454297088.000001FC8F1F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.1488978955.0000026BB4BCE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: QEMUP
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.35.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 00000024.00000002.2516165987.000002B804ED4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost.exe, 00000005.00000002.2514862826.00000202B728E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.35.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.35.dr Binary or memory string: vmci.sys
Source: svchost.exe, 00000005.00000002.2513844364.00000202B724E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: CasPol.exe, 00000038.00000002.2517527074.0000000003282000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREHS
Source: Amcache.hve.35.dr Binary or memory string: VMware20,1
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
Source: Amcache.hve.35.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.35.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.35.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.35.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.35.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.35.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.35.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.35.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.35.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREP
Source: svchost.exe, 00000024.00000002.2514904148.000002B804E2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW~
Source: svchost.exe, 00000005.00000002.2513550566.00000202B722B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: CasPol.exe, 00000038.00000002.2543008151.0000000006260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
Source: Amcache.hve.35.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.35.dr Binary or memory string: VMware Virtual USB Mouse
Source: svchost.exe, 00000005.00000002.2514331338.00000202B7264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareP
Source: Amcache.hve.35.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.35.dr Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000005.00000002.2514513323.00000202B7281000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.35.dr Binary or memory string: VMware20,1hbin@
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
Source: Amcache.hve.35.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.35.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.35.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: Amcache.hve.35.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.35.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIP
Source: CasPol.exe, 0000001F.00000002.1647286453.0000000005EB2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
Source: svchost.exe, 00000011.00000002.1472279913.000001FCA7B72000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.35.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.35.dr Binary or memory string: \driver\vmci,\driver\pci
Source: svchost.exe, 00000005.00000002.2513550566.00000202B722B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.35.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 00000024.00000003.1399478264.000002B805C44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: Amcache.hve.35.dr Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: AddInProcess32.exe, 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: svchost.exe, 00000005.00000002.2512648304.00000202B7202000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: Amcache.hve.35.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: svchost.exe, 00000005.00000002.2513844364.00000202B724E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Quotation Order.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 26_2_011E70C8 CheckRemoteDebuggerPresent, 26_2_011E70C8
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Quotation Order.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Quotation Order.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Quotation Order.exe, -----.cs Reference to suspicious API methods: ((_065E)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(_FBCD_0670_FBC2_0600_FBD0(_FBBD_FBBF._0605_FDE4_FDEC_065C_FDE8_060A_06E8_FDE0)), _FBCD_0670_FBC2_0600_FBD0(_FBBD_FBBF._0616_0619)), typeof(_065E)))("vpGUntmDH2Bs", out var _)
Source: Quotation Order.exe, -----.cs Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.Length, 64u, out var _FBC8_061A_FBCA_06E2)
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, uRcQkDeJoO4.cs Reference to suspicious API methods: zHSk.OpenProcess(C6Nh1Wz8.DuplicateHandle, bInheritHandle: true, (uint)_4aIajlwkXEt2.ProcessID)
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 440000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: AA4008
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 440000
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 820008
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: CDE008
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: C83008
Source: C:\Users\user\Desktop\Quotation Order.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Users\user\Desktop\Quotation Order.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25B.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 8072 -ip 8072
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1276
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 212 -p 8164 -ip 8164
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8164 -s 1688
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 552 -p 7412 -ip 7412
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7412 -s 1648
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\Quotation Order.exe Queries volume information: C:\Users\user\Desktop\Quotation Order.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Queries volume information: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn\v4.0_4.0.0.0__b77a5c561934e089\System.AddIn.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Users\user\AppData\Roaming\svchost.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: Amcache.hve.35.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.35.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.35.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 00000007.00000002.2515010756.000001E49BD02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000007.00000002.2515010756.000001E49BD02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.35.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'

Stealing of Sensitive Information

Source: Yara match File source: 17.2.svchost.exe.1fc9f239308.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.1fc9f1fd6c0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.1fc9f1fd6c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.1627243849.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1487009646.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.2520439287.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1627243849.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1627243849.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.2520439287.0000000002F52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000038.00000002.2517527074.0000000003282000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1487009646.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000038.00000002.2517527074.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1487009646.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000038.00000002.2517527074.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 8164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 7976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 7240, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 4884, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 17.2.svchost.exe.1fc9f239308.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.1fc9f1fd6c0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.1fc9f1fd6c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.1627243849.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.2520439287.0000000002F52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000038.00000002.2517527074.0000000003282000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1487009646.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 8164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 7976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 7240, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 4884, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 17.2.svchost.exe.1fc9f239308.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.1fc9f1fd6c0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.1fc9f1fd6c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.1627243849.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1487009646.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.2520439287.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1627243849.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1627243849.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.2520439287.0000000002F52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000038.00000002.2517527074.0000000003282000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1487009646.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000038.00000002.2517527074.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1487009646.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000038.00000002.2517527074.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 8164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 7976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 7240, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 4884, type: MEMORYSTR