Windows Analysis Report
Quote RFQ #00926720250204.pdf(39kb).com.exe

Overview

General Information

Sample name: Quote RFQ #00926720250204.pdf(39kb).com.exe
Analysis ID: 1612340
MD5: 07a4d2a1981e4159e744e3f0bb8d655f
SHA1: fe47d1646972e85667408a28d8db2f2c17b7a313
SHA256: ce54308e4ba6119f23d6e430e936d1f7dc5f8156c61003e05883c7adbf94e9d9
Tags: com, exe, user-abuse_ch

Detection

Quasar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Quasar RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Quote RFQ #00926720250204.pdf(39kb).com.exe (PID: 3236 cmdline: "C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe" MD5: 07A4D2A1981E4159E744E3F0BB8D655F)
    • Quote RFQ #00926720250204.pdf(39kb).com.exe (PID: 4928 cmdline: "C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe" MD5: 07A4D2A1981E4159E744E3F0BB8D655F)
      • schtasks.exe (PID: 1128 cmdline: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Excelworkbook.exe (PID: 424 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" MD5: 07A4D2A1981E4159E744E3F0BB8D655F)
        • Excelworkbook.exe (PID: 1352 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" MD5: 07A4D2A1981E4159E744E3F0BB8D655F)
        • Excelworkbook.exe (PID: 7172 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" MD5: 07A4D2A1981E4159E744E3F0BB8D655F)
          • schtasks.exe (PID: 7228 cmdline: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Excelworkbook.exe (PID: 6872 cmdline: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe MD5: 07A4D2A1981E4159E744E3F0BB8D655F)
    • Excelworkbook.exe (PID: 7428 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" MD5: 07A4D2A1981E4159E744E3F0BB8D655F)
    • Excelworkbook.exe (PID: 7468 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" MD5: 07A4D2A1981E4159E744E3F0BB8D655F)
    • Excelworkbook.exe (PID: 7484 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" MD5: 07A4D2A1981E4159E744E3F0BB8D655F)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
{"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;rency.ydns.eu:5287;wqo9.firewall-gateway.de:8841;code1.ydns.eu:5287;wqo9.firewall-gateway.de:9792;", "SubDirectory": "SubDir", "InstallName": "Excelworkbook.exe", "MutexName": "025351e291-5d1041-4fa37-932c7-8L69aeiQec514992", "StartupKey": "pdfdocument", "Tag": "ES CODE", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source | Rule | Description | Author | Strings
00000007.00000002.2402613620.00000000036D5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000008.00000002.2467591677.0000000002E48000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000004.00000002.2339539467.0000000000720000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
0000000A.00000002.4759375112.0000000003216000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000002.2319844917.0000000002C31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
              Source | Rule | Description | Author | Strings
              7.2.Excelworkbook.exe.5254228.0.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
              7.2.Excelworkbook.exe.5254228.0.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
              • 0x28ef13:$x1: Quasar.Common.Messages
              • 0x29f23c:$x1: Quasar.Common.Messages
              • 0x2ab80a:$x4: Uninstalling... good bye :-(
              • 0x2acfff:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
              7.2.Excelworkbook.exe.5254228.0.raw.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
              • 0x2aadbc:$f1: FileZilla\recentservers.xml
              • 0x2aadfc:$f2: FileZilla\sitemanager.xml
              • 0x2aae3e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
              • 0x2ab08a:$b1: Chrome\User Data\
              • 0x2ab0e0:$b1: Chrome\User Data\
              • 0x2ab3b8:$b2: Mozilla\Firefox\Profiles
              • 0x2ab4b4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
              • 0x2fd538:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
              • 0x2ab60c:$b4: Opera Software\Opera Stable\Login Data
              • 0x2ab6c6:$b5: YandexBrowser\User Data\
              • 0x2ab734:$b5: YandexBrowser\User Data\
              • 0x2ab408:$s4: logins.json
              • 0x2ab13e:$a1: username_value
              • 0x2ab15c:$a2: password_value
              • 0x2ab448:$a3: encryptedUsername
              • 0x2fd47c:$a3: encryptedUsername
              • 0x2ab46c:$a4: encryptedPassword
              • 0x2fd49a:$a4: encryptedPassword
              • 0x2fd418:$a5: httpRealm
              7.2.Excelworkbook.exe.5254228.0.raw.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
              • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
              • 0x2ab8f4:$s3: Process already elevated.
              • 0x28ec12:$s4: get_PotentiallyVulnerablePasswords
              • 0x278cce:$s5: GetKeyloggerLogsDirectory
              • 0x29e99b:$s5: GetKeyloggerLogsDirectory
              • 0x28ec35:$s6: set_PotentiallyVulnerablePasswords
              • 0x2feb66:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
              4.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.400000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security

                System Summary

                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe, ParentProcessId: 7172, ParentProcessName: Excelworkbook.exe, ProcessCommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f, ProcessId: 7228, ProcessName: schtasks.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe", ParentImage: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe, ParentProcessId: 4928, ParentProcessName: Quote RFQ #00926720250204.pdf(39kb).com.exe, ProcessCommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f, ProcessId: 1128, ProcessName: schtasks.exe
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-02-11T18:28:56.267707+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 94.156.177.117 | 9792 | 192.168.2.6 | 49736 | TCP
                2025-02-11T18:28:56.267707+0100 | 2027619 | 1 | Domain Observed Used for C2 Detected | 94.156.177.117 | 9792 | 192.168.2.6 | 49736 | TCP


                AV Detection

                Source: 7.2.Excelworkbook.exe.5254228.0.raw.unpackMalware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;rency.ydns.eu:5287;wqo9.firewall-gateway.de:8841;code1.ydns.eu:5287;wqo9.firewall-gateway.de:9792;", "SubDirectory": "SubDir", "InstallName": "Excelworkbook.exe", "MutexName": "025351e291-5d1041-4fa37-932c7-8L69aeiQec514992", "StartupKey": "pdfdocument", "Tag": "ES CODE", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe, ReversingLabs: Detection: 62%
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe, Virustotal: Detection: 61%
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, ReversingLabs: Detection: 62%
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, Virustotal: Detection: 61%
                Source: Yara matchFile source: 7.2.Excelworkbook.exe.5254228.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.Excelworkbook.exe.5254228.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.2402613620.00000000036D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.2467591677.0000000002E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2339539467.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4759375112.0000000003216000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2319844917.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2420678631.0000000005254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2321169324.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2339539467.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2449727846.000000000D021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Quote RFQ #00926720250204.pdf(39kb).com.exe PID: 3236, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Quote RFQ #00926720250204.pdf(39kb).com.exe PID: 4928, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Excelworkbook.exe PID: 424, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Excelworkbook.exe PID: 6872, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Excelworkbook.exe PID: 7172, type: MEMORYSTR
                Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe, Joe Sandbox ML: detected
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, Joe Sandbox ML: detected
                Source: 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmpString decryptor: 1.4.1
                Source: 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmpString decryptor: twart.myfirewall.org:9792;rency.ydns.eu:5287;wqo9.firewall-gateway.de:8841;code1.ydns.eu:5287;wqo9.firewall-gateway.de:9792;
                Source: 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmpString decryptor: SubDir
                Source: 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmpString decryptor: Excelworkbook.exe
                Source: 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmpString decryptor: 025351e291-5d1041-4fa37-932c7-8L69aeiQec514992
                Source: 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmpString decryptor: pdfdocument
                Source: 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmpString decryptor: ES CODE
                Source: 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmpString decryptor: Logs
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.6:49737 version: TLS 1.2
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

                Source: Network trafficSuricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 94.156.177.117:9792 -> 192.168.2.6:49736
                Source: Network trafficSuricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 94.156.177.117:9792 -> 192.168.2.6:49736
                Source: Malware configuration extractorURLs: twart.myfirewall.org
                Source: global trafficTCP traffic: 192.168.2.6:49736 -> 94.156.177.117:9792
                Source: Joe Sandbox ViewIP Address: 94.156.177.117 94.156.177.117
                Source: Joe Sandbox ViewIP Address: 195.201.57.90 195.201.57.90
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknownDNS query: name: ipwho.is
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficDNS traffic detected: DNS query: twart.myfirewall.org
                Source: global trafficDNS traffic detected: DNS query: ipwho.is
                Source: Excelworkbook.exe, 0000000A.00000002.4755845584.0000000001552000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                Source: Excelworkbook.exe, 0000000A.00000002.4777618860.0000000005810000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                Source: Excelworkbook.exe, 0000000A.00000002.4759375112.00000000031CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ipwho.is
                Source: Excelworkbook.exe, 0000000A.00000002.4759375112.00000000031CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ipwho.isd
                Source: Excelworkbook.exe, 0000000A.00000002.4759375112.0000000003216000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                Source: Excelworkbook.exe, 0000000A.00000002.4759375112.0000000003216000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/d
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000004.00000002.2368817140.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, Excelworkbook.exe, 0000000A.00000002.4759375112.0000000002FAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmp, Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000000.00000002.2321169324.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000004.00000002.2339539467.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Excelworkbook.exe, 00000007.00000002.2420678631.0000000005254000.00000004.00000800.00020000.00000000.sdmp, Excelworkbook.exe, 00000007.00000002.2449727846.000000000D021000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                Source: Excelworkbook.exe, 0000000A.00000002.4759375112.00000000031B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmp, Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000000.00000002.2321169324.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000004.00000002.2339539467.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Excelworkbook.exe, 00000007.00000002.2420678631.0000000005254000.00000004.00000800.00020000.00000000.sdmp, Excelworkbook.exe, 00000007.00000002.2449727846.000000000D021000.00000004.00000800.00020000.00000000.sdmp, Excelworkbook.exe, 0000000A.00000002.4759375112.00000000031B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is/
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmp, Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000000.00000002.2321169324.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000004.00000002.2339539467.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Excelworkbook.exe, 00000007.00000002.2420678631.0000000005254000.00000004.00000800.00020000.00000000.sdmp, Excelworkbook.exe, 00000007.00000002.2449727846.000000000D021000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmp, Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000000.00000002.2321169324.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000004.00000002.2339539467.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Excelworkbook.exe, 00000007.00000002.2420678631.0000000005254000.00000004.00000800.00020000.00000000.sdmp, Excelworkbook.exe, 00000007.00000002.2449727846.000000000D021000.00000004.00000800.00020000.00000000.sdmp, Excelworkbook.exe, 0000000A.00000002.4759375112.0000000002FB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmp, Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000000.00000002.2321169324.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000004.00000002.2339539467.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Excelworkbook.exe, 00000007.00000002.2420678631.0000000005254000.00000004.00000800.00020000.00000000.sdmp, Excelworkbook.exe, 00000007.00000002.2449727846.000000000D021000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknownHTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.6:49737 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe, Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe

                E-Banking Fraud

                Source: Yara matchFile source: 7.2.Excelworkbook.exe.5254228.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.Excelworkbook.exe.5254228.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.2402613620.00000000036D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.2467591677.0000000002E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2339539467.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4759375112.0000000003216000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2319844917.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2420678631.0000000005254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2321169324.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2339539467.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2449727846.000000000D021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Quote RFQ #00926720250204.pdf(39kb).com.exe PID: 3236, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Quote RFQ #00926720250204.pdf(39kb).com.exe PID: 4928, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Excelworkbook.exe PID: 424, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Excelworkbook.exe PID: 6872, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Excelworkbook.exe PID: 7172, type: MEMORYSTR

                System Summary

                Source: 7.2.Excelworkbook.exe.5254228.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 7.2.Excelworkbook.exe.5254228.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 7.2.Excelworkbook.exe.5254228.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 4.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 4.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 4.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 7.2.Excelworkbook.exe.5254228.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 7.2.Excelworkbook.exe.5254228.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 7.2.Excelworkbook.exe.5254228.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: initial sampleStatic PE information: Filename: Quote RFQ #00926720250204.pdf(39kb).com.exe
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess Stats: CPU usage > 49%
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs Quote RFQ #00926720250204.pdf(39kb).com.exe
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000000.00000000.2285931819.000000000081E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamefFFQ.exe< vs Quote RFQ #00926720250204.pdf(39kb).com.exe
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000000.00000002.2317765972.0000000000E8E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Quote RFQ #00926720250204.pdf(39kb).com.exe
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000000.00000002.2319844917.0000000002C31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs Quote RFQ #00926720250204.pdf(39kb).com.exe
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000004.00000002.2347509586.0000000001468000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllId vs Quote RFQ #00926720250204.pdf(39kb).com.exe
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, 00000004.00000002.2339539467.0000000000720000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs Quote RFQ #00926720250204.pdf(39kb).com.exe
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exeBinary or memory string: OriginalFilenamefFFQ.exe< vs Quote RFQ #00926720250204.pdf(39kb).com.exe
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 7.2.Excelworkbook.exe.5254228.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 7.2.Excelworkbook.exe.5254228.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 7.2.Excelworkbook.exe.5254228.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 4.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 4.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 4.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 7.2.Excelworkbook.exe.5254228.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 7.2.Excelworkbook.exe.5254228.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 7.2.Excelworkbook.exe.5254228.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.a8e2a58.1.raw.unpack, XykH1fvVvHgI2PR3PX.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.a8e2a58.1.raw.unpack, XykH1fvVvHgI2PR3PX.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.a8e2a58.1.raw.unpack, XykH1fvVvHgI2PR3PX.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.c380000.2.raw.unpack, iDMZXoYRFugvodpGwH.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.c380000.2.raw.unpack, iDMZXoYRFugvodpGwH.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.a8e2a58.1.raw.unpack, iDMZXoYRFugvodpGwH.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.a8e2a58.1.raw.unpack, iDMZXoYRFugvodpGwH.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.c380000.2.raw.unpack, XykH1fvVvHgI2PR3PX.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.c380000.2.raw.unpack, XykH1fvVvHgI2PR3PX.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.c380000.2.raw.unpack, XykH1fvVvHgI2PR3PX.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@26/3@2/2
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote RFQ #00926720250204.pdf(39kb).com.exe.log
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeMutant created: \Sessions\1\BaseNamedObjects\Local\025351e291-5d1041-4fa37-932c7-8L69aeiQec514992
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_03
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exeReversingLabs: Detection: 62%
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exeVirustotal: Detection: 61%
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeFile read: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe
                Source: unknownProcess created: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe "C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe"
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeProcess created: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe "C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe"
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeProcess created: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe "C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe"
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeProcess created: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe "C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe"
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\conhost.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe"
                Source: C:\Windows\System32\conhost.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe"
                Source: C:\Windows\System32\conhost.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe"
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: textshaping.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: rasman.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: rtutils.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe Static file information: File size 3786752 > 1048576
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x39aa00
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.a8e2a58.1.raw.unpack, XykH1fvVvHgI2PR3PX.cs .Net Code: P4X0XJBltp System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.c380000.2.raw.unpack, XykH1fvVvHgI2PR3PX.cs .Net Code: P4X0XJBltp System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Code function: 0_2_0106E958 pushfd ; retf 0_2_0106E959
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Code function: 0_2_02A019D5 push FFFFFF8Bh; iretd 0_2_02A019D7
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Code function: 0_2_057C8319 push C0054BC5h; iretd 0_2_057C8325
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Code function: 0_2_0702BA10 push cs; ret 0_2_0702BA11
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Code function: 0_2_072845E0 push eax; ret 0_2_072845E1
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Code function: 7_2_01B9E958 pushfd ; retf 7_2_01B9E959
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Code function: 7_2_01B9F042 pushad ; iretd 7_2_01B9F049
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Code function: 7_2_035319D5 push FFFFFF8Bh; iretd 7_2_035319D7
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Code function: 7_2_035318C2 push dword ptr [ebx+ebp-75h]; iretd 7_2_035318E5
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Code function: 7_2_07AABA10 push cs; ret 7_2_07AABA11
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Code function: 7_2_07AA1921 push es; retn 0004h 7_2_07AA1930
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Code function: 7_2_07CD45E0 push eax; ret 7_2_07CD45E1
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Code function: 8_2_02CCE958 pushfd ; retf 8_2_02CCE959
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Code function: 8_2_02CCF042 pushad ; iretd 8_2_02CCF049
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Code function: 8_2_04E719D5 push FFFFFF8Bh; iretd 8_2_04E719D7
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Code function: 8_2_0712BA10 push cs; ret 8_2_0712BA11
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Code function: 8_2_074C45E0 push eax; ret 8_2_074C45E1
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.a8e2a58.1.raw.unpack High entropy of concatenated method names
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.c380000.2.raw.unpack High entropy of concatenated method names
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.c380000.2.raw.unpack, VEXchU3VHm3CHLOP0C.csHigh entropy of concatenated method names: 'lpy1UaZQb7', 'VSS18OxxyJ', 'axu1YBvDFQ', 'M2L13Btwei', 'eCC19RkPHf', 'e5Z1IsFCoW', 'pY51kq6eKv', 'kOK16yp0QE', 'NJw1xx2Pb8', 'qSL1TDbVdT'
                Source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.c380000.2.raw.unpack, XykH1fvVvHgI2PR3PX.csHigh entropy of concatenated method names: 'dNjqiNgOF1', 'GLHqtGR8Fx', 'YfHqGSFxrv', 'YjCq1cho01', 'D1lqRseiJm', 'ok8qwChvkV', 'IhlqsrDW6k', 'i10qvN0PIc', 'oRsqfY9bA2', 'pl3qeV8ayY'
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe File created: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe

                Boot Survival

                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe File opened: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: Quote RFQ #00926720250204.pdf(39kb).com.exe PID: 3236, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: Excelworkbook.exe PID: 424, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory allocated: 1060000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory allocated: 2C30000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory allocated: 2970000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory allocated: 8B80000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory allocated: 9B80000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory allocated: 9D80000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory allocated: AD80000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory allocated: C6F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory allocated: D6F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory allocated: E6F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory allocated: 18C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory allocated: 33E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory allocated: 53E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 1B90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 3680000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 34A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 8FB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 9FB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: A190000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: B190000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: C820000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: D820000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 2C70000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 2DF0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 4DF0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 87D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 97D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 99B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: A9B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: C000000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: D000000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 13D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 2F80000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 2DC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 2F80000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 30C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory allocated: 50C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Window / User API: threadDelayed 5953
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Window / User API: threadDelayed 3766
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe TID: 972 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe TID: 3060 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe TID: 4872 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe TID: 2216 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe TID: 7300 Thread sleep time: -24903104499507879s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe TID: 7540 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: Quote RFQ #00926720250204.pdf(39kb).com.exe, Excelworkbook.exe.4.dr Binary or memory string: =N,2*QEMU)s@b
                Source: Excelworkbook.exe, 0000000A.00000002.4777618860.0000000005853000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Memory written: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Memory written: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Process created: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe "C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe"
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeQueries volume information: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeQueries volume information: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeQueries volume information: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exeQueries volume information: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\Excelworkbook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                Source: C:\Users\user\Desktop\Quote RFQ #00926720250204.pdf(39kb).com.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match, File source: 7.2.Excelworkbook.exe.5254228.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 7.2.Excelworkbook.exe.5254228.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000007.00000002.2402613620.00000000036D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.2467591677.0000000002E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.2339539467.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.4759375112.0000000003216000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.2319844917.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000007.00000002.2420678631.0000000005254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.2321169324.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.2339539467.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000007.00000002.2449727846.000000000D021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: Quote RFQ #00926720250204.pdf(39kb).com.exe PID: 3236, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Quote RFQ #00926720250204.pdf(39kb).com.exe PID: 4928, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Excelworkbook.exe PID: 424, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Excelworkbook.exe PID: 6872, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Excelworkbook.exe PID: 7172, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match, File source: 7.2.Excelworkbook.exe.5254228.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 7.2.Excelworkbook.exe.5254228.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.Quote RFQ #00926720250204.pdf(39kb).com.exe.d20e658.3.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000007.00000002.2402613620.00000000036D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.2467591677.0000000002E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.2339539467.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.4759375112.0000000003216000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.2319844917.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000007.00000002.2420678631.0000000005254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.2321169324.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.2339539467.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000007.00000002.2449727846.000000000D021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.2367270166.000000000CEF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: Quote RFQ #00926720250204.pdf(39kb).com.exe PID: 3236, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Quote RFQ #00926720250204.pdf(39kb).com.exe PID: 4928, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Excelworkbook.exe PID: 424, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Excelworkbook.exe PID: 6872, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Excelworkbook.exe PID: 7172, type: MEMORYSTR
                | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Windows Management Instrumentation | 1 Scheduled Task/Job | 111 Process Injection | 1 Masquerading | 11 Input Capture | 111 Security Software Discovery | Remote Services | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                | Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
                | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
                | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
                | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
                | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 23 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                [Behavior graph. ID: 1612340; Sample: Quote RFQ #00926720250204.p...; Startdate: 11/02/2025; Architecture: WINDOWS; Score: 100. DNS/IP nodes: twart.myfirewall.org 94.156.177.117, 49736, 9792 NET1-ASBG Bulgaria; ipwho.is 195.201.57.90, 443, 49737 HETZNER-ASDE Germany.]

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.