Edit tour

Windows Analysis Report
Auftragsbest#U00e4tigung.exe

Overview

General Information

Sample name:	Auftragsbest#U00e4tigung.exe renamed because original name is a hash value
Original sample name:	Auftragsbesttigung.exe
Analysis ID:	1619889
MD5:	dae9eb1454d9b439b74d1e85dba72223
SHA1:	794e6bc004dfaabc8328357e4514d4d60db463c1
SHA256:	2383b97ef686b72097c44f7b83f4f0ed27e97fb378c3bcab610fc7ca1e9100b6
Tags:	exeuser-lowmal3
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Quasar RAT

.NET source code contains potential unpacker

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Auftragsbest#U00e4tigung.exe (PID: 2748 cmdline: "C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe" MD5: DAE9EB1454D9B439B74D1E85DBA72223)

Auftragsbest#U00e4tigung.exe (PID: 964 cmdline: "C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe" MD5: DAE9EB1454D9B439B74D1E85DBA72223)

styfuihs5ty.exe (PID: 7072 cmdline: "C:\Users\user\AppData\Roaming\styfuihs5ty.exe" MD5: DAE9EB1454D9B439B74D1E85DBA72223)

styfuihs5ty.exe (PID: 7120 cmdline: "C:\Users\user\AppData\Roaming\styfuihs5ty.exe" MD5: DAE9EB1454D9B439B74D1E85DBA72223)

styfuihs5ty.exe (PID: 6196 cmdline: "C:\Users\user\AppData\Roaming\styfuihs5ty.exe" MD5: DAE9EB1454D9B439B74D1E85DBA72223)

styfuihs5ty.exe (PID: 6984 cmdline: "C:\Users\user\AppData\Roaming\styfuihs5ty.exe" MD5: DAE9EB1454D9B439B74D1E85DBA72223)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": ["che.ydns.eu:4213", "kamsi.ydns.eu:4213", "kin.ydns.eu:4213"], "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "50ef7e25-5a45-48c6-8299-131ffa0b5a57", "StartupKey": "Quasar Client Startup", "Tag": "floo", "LogDirectoryName": "Logs", "ServerSignature": "SLSn7yyDnwJqPpCpYhi2plxvnEYYe90bG1qUG+q9oXpjITHrvmAsBi3/dTFXfN8DWNCLkxsgpZ0d/w4kUqzvUZvcmHDY+Ty7FZqwT/yo7llj3fkf+zWsXbdgHucQLOYslvmVHTsXoOMkMkZaUKGBEeJbtdfVX4EpYsiXRNiEs71mUMVqQ6sX1X8qkI10bLD5oET9WpLVnwhGJGby7ptaktQG+rbHGXH1P9iGyrIADBlWHiGmuVGQSC4hbnWNPVatyJ549NrecZ3T83QlMWl3Ao4rE2/gy6i9qEpGqyF/UPRRqUlndVIJLJVFWE0TmfLa/57NnAyjY09LT8BJ5se2xgtcZf2POMhbrsoDMBkOCnc+E73DFJXFaScVlWFGBfrDYYV8wW1PmFjy6kSRNDOYXWHwkLFgywBx5+CRkqlydts8uK6V1kle8NxjgfrXLRCzYDnVy5QL4odqqGSBYry1Ix3NQ6HfQE7xHiPvGtWTZtC8fLqeoMY8RVU8bdPVa0dq1xz2w3RIpUIhbZZhzIqc7T7AuGZQ18/M+7wlW172km3MRLxMECMYT5EkQ0q0wC37WfeGDFpOqOFzLftDDmfTycHOPa7A8iGaNQ4FzR4yOWF2XmYkWhsme0JKnGg0OvX6kMzlQOIfyvMSsCVHrFBc5uJtxbjNOmkuOer+33HY5oM=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAL3CfYDpKs6rzJi5Rt3fUzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI1MDEzMTEzNTM1OFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAloqkyv5JitfMpQp3Hn3tB3HlOj5TzGo8JlHskERzsEm4MUG5OuA8o2Gq3WQictMEsunvFS1J3VPKG46dR38c0LrB2/JBnRGjECCInmpaBDdUBboFj10Ht9/nCU7ZtH8WZoJCwQ3yjrSuMhNM1MEwsOr+YH5YYq3usXc22xxfyWWWyHv6SZor3VAP7xsUODO3wG1tik4wp3yPWfI/qr/gcabuIFwQBVYwSkR2Q8DBN/W69Ad1SnWffcX4ZShhrmnOC4jbRMAWl3J/T959lU9rHLtluZwQHUKogHdam532KIdO637FUYY/CsQLQq6HEO0aTvozB+ypHmjilynF7bj3umbJ7n1zC/4kzf1uyUWub/bzqKbPyIUGo5mt120Nd9zv9JtGIEPlmTkwLMIliIzeKsxqHnWWCzNlSD5y1cfVnTiP2Pv5vPx0ZOC8dRVOPoGzXZfop7vOD1UfOk9g08tUcgjj8dYrp3PwQZ3mFve0ouqdXUpm7Y7jarFA68RAK8gATKVJ4TLZzR71vEOng9Og0KB1dbJBUqEzu6LY76boY754rqlHae154jt+bLVBU99LR7P3b0O2gLky94RKrCD/fAQKKofsFht56H9RP8BKZrM54uFiW85oGi9q/3vabSdv4m3q4kyCbz1EJ9KYq6BfAxdoRMWHo149yhitRRp88McCAwEAAaMyMDAwHQYDVR0OBBYEFEVQrUfkTNIFVhzOdFJ28fijuH2VMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFZyH5lI47UuDsrVOZEa5qgYR1WwCR7crQeyE2M1sMxrI6+MzQKkIrK5rU4HKXts7Dk3J/1vANpCU6X23QG+K5T9Y2u+2ZsIoiXzgot38s8yRFUtmTFTzYNT2KpEsJ77YTxbWYF8zWZiunHO+dSYUoiv1zHFBi3ewQ2quI+82+mOZCJjIsLsiJiaPQIJa80vUMKPPH3pmTfsiiO59I2WzzC5O9LWINnF+wCG7AIvzRGuYS3nb21ri49Z1+KMC8+OzamPod3zeccESYlEmlAAv9dAtT/4Ze6RiKVmFxmLwq0z3fA5DF6M2PgI8kVB7PMK0cBbfxs8N4kfUgSl+iClff6fv/E2Hg3/Oq53LgndvyCd5jkggOPekqmKdAvLv227duhU2zgLIkAHGK66MG7yHMuZpTzflsE7Ika8AYkkCZ0Q1m+XYPLWfzjSAtlm+vbNk5fot2ny0+GE62YU4+NezlGJO6UgMmK3XOdh2pBRKqRHklr/e23NUhJQQDk7VZ2/5N/12LVZFZGiJ1vj2z93Ognh2YNI0rm32JdJ2m68491kL6p4Xk563EQPZVDGfr6wQnH8jWvYwT5F+I+J9YPctHOzAA/raKyrSVS+9WS/ylc+161+dkUgOt9j2Shgb4u0WdssS++xDwMBn8mU+MLAGHXyw4NspHdoywYd2jcFV7nm"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2982362230.0000000007409000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.2976500263.0000000004354000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000007.00000002.2950097469.0000000000930000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000005.00000002.2938465454.0000000003389000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2471552384.0000000003225000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000005.00000002.2938465454.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000006.00000002.3022508591.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2528292633.0000000008240000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.3373226762.000000000358A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000007.00000002.2958189391.0000000002871000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000008.00000002.3031370229.000000000293B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2515042946.0000000007241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.2938465454.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2515042946.0000000007541000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000006.00000002.3022508591.000000000309A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2471552384.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.2950097469.0000000000612000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000006.00000002.3088048140.0000000008091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000006.00000002.3053677984.000000000484A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2490705184.0000000004517000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2490705184.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Auftragsbest#U00e4tigung.exe PID: 2748	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Auftragsbest#U00e4tigung.exe PID: 2748	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Auftragsbest#U00e4tigung.exe PID: 2748	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Auftragsbest#U00e4tigung.exe PID: 964	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: styfuihs5ty.exe PID: 7072	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: styfuihs5ty.exe PID: 7072	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: styfuihs5ty.exe PID: 7072	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: styfuihs5ty.exe PID: 6196	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: styfuihs5ty.exe PID: 6196	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: styfuihs5ty.exe PID: 6196	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: styfuihs5ty.exe PID: 7120	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: styfuihs5ty.exe PID: 6984	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
decrypted.memstr	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Auftragsbest#U00e4tigung.exe.7341863.7.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Auftragsbest#U00e4tigung.exe.8240000.9.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Auftragsbest#U00e4tigung.exe.8240000.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Auftragsbest#U00e4tigung.exe.7341863.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Auftragsbest#U00e4tigung.exe.7241843.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d0d8:$x1: Quasar.Common.Messages 0x29d401:$x1: Quasar.Common.Messages 0x2a9a4a:$x4: Uninstalling... good bye :-( 0x2ab23f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8ffc:$f1: FileZilla\recentservers.xml 0x2a903c:$f2: FileZilla\sitemanager.xml 0x2a907e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92ca:$b1: Chrome\User Data\ 0x2a9320:$b1: Chrome\User Data\ 0x2a95f8:$b2: Mozilla\Firefox\Profiles 0x2a96f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb6d0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a984c:$b4: Opera Software\Opera Stable\Login Data 0x2a9906:$b5: YandexBrowser\User Data\ 0x2a9974:$b5: YandexBrowser\User Data\ 0x2a9648:$s4: logins.json 0x2a937e:$a1: username_value 0x2a939c:$a2: password_value 0x2a9688:$a3: encryptedUsername 0x2fb614:$a3: encryptedUsername 0x2a96ac:$a4: encryptedPassword 0x2fb632:$a4: encryptedPassword 0x2fb5b0:$a5: httpRealm
0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b34:$s3: Process already elevated. 0x28cdd7:$s4: get_PotentiallyVulnerablePasswords 0x276e93:$s5: GetKeyloggerLogsDirectory 0x29cb60:$s5: GetKeyloggerLogsDirectory 0x28cdfa:$s6: set_PotentiallyVulnerablePasswords 0x2fccfe:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
6.2.styfuihs5ty.exe.4972e08.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
6.2.styfuihs5ty.exe.4972e08.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f201:$x1: Quasar.Common.Messages 0x2ab84a:$x4: Uninstalling... good bye :-( 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
6.2.styfuihs5ty.exe.4972e08.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadfc:$f1: FileZilla\recentservers.xml 0x2aae3c:$f2: FileZilla\sitemanager.xml 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ca:$b1: Chrome\User Data\ 0x2ab120:$b1: Chrome\User Data\ 0x2ab3f8:$b2: Mozilla\Firefox\Profiles 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd4d0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data 0x2ab706:$b5: YandexBrowser\User Data\ 0x2ab774:$b5: YandexBrowser\User Data\ 0x2ab448:$s4: logins.json 0x2ab17e:$a1: username_value 0x2ab19c:$a2: password_value 0x2ab488:$a3: encryptedUsername 0x2fd414:$a3: encryptedUsername 0x2ab4ac:$a4: encryptedPassword 0x2fd432:$a4: encryptedPassword 0x2fd3b0:$a5: httpRealm
6.2.styfuihs5ty.exe.4972e08.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab934:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c93:$s5: GetKeyloggerLogsDirectory 0x29e960:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2feafe:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
6.2.styfuihs5ty.exe.4972e08.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
6.2.styfuihs5ty.exe.4972e08.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d0d8:$x1: Quasar.Common.Messages 0x29d401:$x1: Quasar.Common.Messages 0x2a9a4a:$x4: Uninstalling... good bye :-( 0x2ab23f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
6.2.styfuihs5ty.exe.4972e08.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8ffc:$f1: FileZilla\recentservers.xml 0x2a903c:$f2: FileZilla\sitemanager.xml 0x2a907e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92ca:$b1: Chrome\User Data\ 0x2a9320:$b1: Chrome\User Data\ 0x2a95f8:$b2: Mozilla\Firefox\Profiles 0x2a96f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb6d0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a984c:$b4: Opera Software\Opera Stable\Login Data 0x2a9906:$b5: YandexBrowser\User Data\ 0x2a9974:$b5: YandexBrowser\User Data\ 0x2a9648:$s4: logins.json 0x2a937e:$a1: username_value 0x2a939c:$a2: password_value 0x2a9688:$a3: encryptedUsername 0x2fb614:$a3: encryptedUsername 0x2a96ac:$a4: encryptedPassword 0x2fb632:$a4: encryptedPassword 0x2fb5b0:$a5: httpRealm
6.2.styfuihs5ty.exe.4972e08.1.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b34:$s3: Process already elevated. 0x28cdd7:$s4: get_PotentiallyVulnerablePasswords 0x276e93:$s5: GetKeyloggerLogsDirectory 0x29cb60:$s5: GetKeyloggerLogsDirectory 0x28cdfa:$s6: set_PotentiallyVulnerablePasswords 0x2fccfe:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
7.2.styfuihs5ty.exe.610000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
7.2.styfuihs5ty.exe.610000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f201:$x1: Quasar.Common.Messages 0x2ab84a:$x4: Uninstalling... good bye :-( 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
7.2.styfuihs5ty.exe.610000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadfc:$f1: FileZilla\recentservers.xml 0x2aae3c:$f2: FileZilla\sitemanager.xml 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ca:$b1: Chrome\User Data\ 0x2ab120:$b1: Chrome\User Data\ 0x2ab3f8:$b2: Mozilla\Firefox\Profiles 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd4d0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data 0x2ab706:$b5: YandexBrowser\User Data\ 0x2ab774:$b5: YandexBrowser\User Data\ 0x2ab448:$s4: logins.json 0x2ab17e:$a1: username_value 0x2ab19c:$a2: password_value 0x2ab488:$a3: encryptedUsername 0x2fd414:$a3: encryptedUsername 0x2ab4ac:$a4: encryptedPassword 0x2fd432:$a4: encryptedPassword 0x2fd3b0:$a5: httpRealm
7.2.styfuihs5ty.exe.610000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab934:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c93:$s5: GetKeyloggerLogsDirectory 0x29e960:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2feafe:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f201:$x1: Quasar.Common.Messages 0x2ab84a:$x4: Uninstalling... good bye :-( 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadfc:$f1: FileZilla\recentservers.xml 0x2aae3c:$f2: FileZilla\sitemanager.xml 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ca:$b1: Chrome\User Data\ 0x2ab120:$b1: Chrome\User Data\ 0x2ab3f8:$b2: Mozilla\Firefox\Profiles 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd4d0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data 0x2ab706:$b5: YandexBrowser\User Data\ 0x2ab774:$b5: YandexBrowser\User Data\ 0x2ab448:$s4: logins.json 0x2ab17e:$a1: username_value 0x2ab19c:$a2: password_value 0x2ab488:$a3: encryptedUsername 0x2fd414:$a3: encryptedUsername 0x2ab4ac:$a4: encryptedPassword 0x2fd432:$a4: encryptedPassword 0x2fd3b0:$a5: httpRealm
0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab934:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c93:$s5: GetKeyloggerLogsDirectory 0x29e960:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2feafe:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\styfuihs5ty.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe, ProcessId: 2748, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\styfuihs5ty

Suricata Signatures

ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T13:09:46.385017+0100	2035595	1	Domain Observed Used for C2 Detected	45.144.214.107	4213	192.168.2.6	52683	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T13:09:46.385017+0100	2027619	1	Domain Observed Used for C2 Detected	45.144.214.107	4213	192.168.2.6	52683	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": ["che.ydns.eu:4213", "kamsi.ydns.eu:4213", "kin.ydns.eu:4213"], "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "50ef7e25-5a45-48c6-8299-131ffa0b5a57", "StartupKey": "Quasar Client Startup", "Tag": "floo", "LogDirectoryName": "Logs", "ServerSignature": "SLSn7yyDnwJqPpCpYhi2plxvnEYYe90bG1qUG+q9oXpjITHrvmAsBi3/dTFXfN8DWNCLkxsgpZ0d/w4kUqzvUZvcmHDY+Ty7FZqwT/yo7llj3fkf+zWsXbdgHucQLOYslvmVHTsXoOMkMkZaUKGBEeJbtdfVX4EpYsiXRNiEs71mUMVqQ6sX1X8qkI10bLD5oET9WpLVnwhGJGby7ptaktQG+rbHGXH1P9iGyrIADBlWHiGmuVGQSC4hbnWNPVatyJ549NrecZ3T83QlMWl3Ao4rE2/gy6i9qEpGqyF/UPRRqUlndVIJLJVFWE0TmfLa/57NnAyjY09LT8BJ5se2xgtcZf2POMhbrsoDMBkOCnc+E73DFJXFaScVlWFGBfrDYYV8wW1PmFjy6kSRNDOYXWHwkLFgywBx5+CRkqlydts8uK6V1kle8NxjgfrXLRCzYDnVy5QL4odqqGSBYry1Ix3NQ6HfQE7xHiPvGtWTZtC8fLqeoMY8RVU8bdPVa0dq1xz2w3RIpUIhbZZhzIqc7T7AuGZQ18/M+7wlW172km3MRLxMECMYT5EkQ0q0wC37WfeGDFpOqOFzLftDDmfTycHOPa7A8iGaNQ4FzR4yOWF2XmYkWhsme0JKnGg0OvX6kMzlQOIfyvMSsCVHrFBc5uJtxbjNOmkuOer+33HY5oM=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAL3CfYDpKs6rzJi5Rt3fUzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI1MDEzMTEzNTM1OFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAloqkyv5JitfMpQp3Hn3tB3HlOj5TzGo8JlHskERzsEm4MUG5OuA8o2Gq3WQictMEsunvFS1J3VPKG46dR38c0LrB2/JBnRGjECCInmpaBDdUBboFj10Ht9/nCU7ZtH8WZoJCwQ3yjrSuMhNM1MEwsOr+YH5YYq3usXc22xxfyWWWyHv6SZor3VAP7xsUODO3wG1tik4wp3yPWfI/qr/gcabuIFwQBVYwSkR2Q8DBN/W69Ad1SnWffcX4ZShhrmnOC4jbRMAWl3J/T959lU9rHLtluZwQHUKogHdam532KIdO637FUYY/CsQLQq6HEO0aTvozB+ypHmjilynF7bj3umbJ7n1zC/4kzf1uyUWub/bzqKbPyIUGo5mt120Nd9zv9JtGIEPlmTkwLMIliIzeKsxqHnWWCzNlSD5y1cfVnTiP2Pv5vPx0ZOC8dRVOPoGzXZfop7vOD1UfOk9g08tUcgjj8dYrp3PwQZ3mFve0ouqdXUpm7Y7jarFA68RAK8gATKVJ4TLZzR71vEOng9Og0KB1dbJBUqEzu6LY76boY754rqlHae154jt+bLVBU99LR7P3b0O2gLky94RKrCD/fAQKKofsFht56H9RP8BKZrM54uFiW85oGi9q/3vabSdv4m3q4kyCbz1EJ9KYq6BfAxdoRMWHo149yhitRRp88McCAwEAAaMyMDAwHQYDVR0OBBYEFEVQrUfkTNIFVhzOdFJ28fijuH2VMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFZyH5lI47UuDsrVOZEa5qgYR1WwCR7crQeyE2M1sMxrI6+MzQKkIrK5rU4HKXts7Dk3J/1vANpCU6X23QG+K5T9Y2u+2ZsIoiXzgot38s8yRFUtmTFTzYNT2KpEsJ77YTxbWYF8zWZiunHO+dSYUoiv1zHFBi3ewQ2quI+82+mOZCJjIsLsiJiaPQIJa80vUMKPPH3pmTfsiiO59I2WzzC5O9LWINnF+wCG7AIvzRGuYS3nb21ri49Z1+KMC8+OzamPod3zeccESYlEmlAAv9dAtT/4Ze6RiKVmFxmLwq0z3fA5DF6M2PgI8kVB7PMK0cBbfxs8N4kfUgSl+iClff6fv/E2Hg3/Oq53LgndvyCd5jkggOPekqmKdAvLv227duhU2zgLIkAHGK66MG7yHMuZpTzflsE7Ika8AYkkCZ0Q1m+XYPLWfzjSAtlm+vbNk5fot2ny0+GE62YU4+NezlGJO6UgMmK3XOdh2pBRKqRHklr/e23NUhJQQDk7VZ2/5N/12LVZFZGiJ1vj2z93Ognh2YNI0rm32JdJ2m68491kL6p4Xk563EQPZVDGfr6wQnH8jWvYwT5F+I+J9YPctHOzAA/raKyrSVS+9WS/ylc+161+dkUgOt9j2Shgb4u0WdssS++xDwMBn8mU+MLAGHXyw4NspHdoywYd2jcFV7nm"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe

ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file

Source: Auftragsbest#U00e4tigung.exe

Virustotal: Detection: 26%

Perma Link

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.styfuihs5ty.exe.4972e08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.styfuihs5ty.exe.4972e08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.styfuihs5ty.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2976500263.0000000004354000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2950097469.0000000000930000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2938465454.0000000003389000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2471552384.0000000003225000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3373226762.000000000358A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2958189391.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3031370229.000000000293B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3022508591.000000000309A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2950097469.0000000000612000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3088048140.0000000008091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3053677984.000000000484A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2490705184.0000000004517000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2490705184.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Auftragsbest#U00e4tigung.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Auftragsbest#U00e4tigung.exe PID: 964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 7072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 1.4.1
Source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String decryptor: che.ydns.eu:4213;kamsi.ydns.eu:4213;kin.ydns.eu:4213;
Source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String decryptor: SubDir
Source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Client.exe
Source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 50ef7e25-5a45-48c6-8299-131ffa0b5a57
Source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Quasar Client Startup
Source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String decryptor: floo
Source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Logs
Source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String decryptor: SLSn7yyDnwJqPpCpYhi2plxvnEYYe90bG1qUG+q9oXpjITHrvmAsBi3/dTFXfN8DWNCLkxsgpZ0d/w4kUqzvUZvcmHDY+Ty7FZqwT/yo7llj3fkf+zWsXbdgHucQLOYslvmVHTsXoOMkMkZaUKGBEeJbtdfVX4EpYsiXRNiEs71mUMVqQ6sX1X8qkI10bLD5oET9WpLVnwhGJGby7ptaktQG+rbHGXH1P9iGyrIADBlWHiGmuVGQSC4hbnWNPVatyJ549NrecZ3T83QlMWl3Ao4rE2/gy6i9qEpGqyF/UPRRqUlndVIJLJVFWE0TmfLa/57NnAyjY09LT8BJ5se2xgtcZf2POMhbrsoDMBkOCnc+E73DFJXFaScVlWFGBfrDYYV8wW1PmFjy6kSRNDOYXWHwkLFgywBx5+CRkqlydts8uK6V1kle8NxjgfrXLRCzYDnVy5QL4odqqGSBYry1Ix3NQ6HfQE7xHiPvGtWTZtC8fLqeoMY8RVU8bdPVa0dq1xz2w3RIpUIhbZZhzIqc7T7AuGZQ18/M+7wlW172km3MRLxMECMYT5EkQ0q0wC37WfeGDFpOqOFzLftDDmfTycHOPa7A8iGaNQ4FzR4yOWF2XmYkWhsme0JKnGg0OvX6kMzlQOIfyvMSsCVHrFBc5uJtxbjNOmkuOer+33HY5oM=
Source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String decryptor: MIIE9DCCAtygAwIBAgIQAL3CfYDpKs6rzJi5Rt3fUzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI1MDEzMTEzNTM1OFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAloqkyv5JitfMpQp3Hn3tB3HlOj5TzGo8JlHskERzsEm4MUG5OuA8o2Gq3WQictMEsunvFS1J3VPKG46dR38c0LrB2/JBnRGjECCInmpaBDdUBboFj10Ht9/nCU7ZtH8WZoJCwQ3yjrSuMhNM1MEwsOr+YH5YYq3usXc22xxfyWWWyHv6SZor3VAP7xsUODO3wG1tik4wp3yPWfI/qr/gcabuIFwQBVYwSkR2Q8DBN/W69Ad1SnWffcX4ZShhrmnOC4jbRMAWl3J/T959lU9rHLtluZwQHUKogHdam532KIdO637FUYY/CsQLQq6HEO0aTvozB+ypHmjilynF7bj3umbJ7n1zC/4kzf1uyUWub/bzqKbPyIUGo5mt120Nd9zv9JtGIEPlmTkwLMIliIzeKsxqHnWWCzNlSD5y1cfVnTiP2Pv5vPx0ZOC8dRVOPoGzXZfop7vOD1UfOk9g08tUcgjj8dYrp3PwQZ3mFve0ouqdXUpm7Y7jarFA68RAK8gATKVJ4TLZzR71vEOng9Og0KB1dbJBUqEzu6LY76boY754rqlHae154jt+bLVBU99LR7P3b0O2gLky94RKrCD/fAQKKofsFht56H9RP8BKZrM54uFiW85oGi9q/3vabSdv4m3q4kyCbz1EJ9KYq6BfAxdoRMWHo149yhitRRp88McCAwEAAaMyMDAwHQYDVR0OBBYEFEVQrUfkTNIFVhzOdFJ28fijuH2VMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFZyH5lI47UuDsrVOZEa5qgYR1WwCR7crQeyE2M1sMxrI6+MzQKkIrK5rU4HKXts7Dk3J/1vANpCU6X23QG+K5T9Y2u+2ZsIoiXzgot38s8yRFUtmTFTzYNT2KpEsJ77YTxbWYF8zWZiunHO+dSYUoiv1zHFBi3ewQ2quI+82+mOZCJjIsLsiJiaPQIJa80vUMKPPH3pmTfsiiO59I2WzzC5O9LWINnF+wCG7AIvzRGuYS3nb21ri49Z1+KMC8+OzamPod3zeccESYlEmlAAv9dAtT/4Ze6RiKVmFxmLwq0z3fA5DF6M2PgI8kVB7PMK0cBbfxs8N4kfUgSl+iClff6fv/E2Hg3/Oq53LgndvyCd5jkggOPekqmKdAvLv227duhU2zgLIkAHGK66MG7yHMuZpTzflsE7Ika8AYkkCZ0Q1m+XYPLWfzjSAtlm+vbNk5fot2ny0+GE62YU4+NezlGJO6UgMmK3XOdh2pBRKqRHklr/e23NUhJQQDk7VZ2/5N/12LVZFZGiJ1vj2z93Ognh2YNI0rm32JdJ2m68491kL6p4Xk563EQPZVDGfr6wQnH8jWvYwT5F+I+J9YPctHOzAA/raKyrSVS+9WS/ylc+161+dkUgOt9j2Shgb4u0WdssS++xDwMBn8mU+MLAGHXyw4NspHdoywYd2jcFV7nm

Source: Auftragsbest#U00e4tigung.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.6:52694 version: TLS 1.2

Source: Auftragsbest#U00e4tigung.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2500672008.0000000005E50000.00000004.08000000.00040000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.0000000003F78000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2500672008.0000000005E50000.00000004.08000000.00040000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.0000000003F78000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004F64000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2511774930.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.0000000003F78000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004F64000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2511774930.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.0000000003F78000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4x nop then jmp 05F2D04Eh	0_2_05F2CFE8
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4x nop then jmp 05F2D04Eh	0_2_05F2CFD8
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4x nop then jmp 05F2D04Eh	0_2_05F2CF99
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4x nop then jmp 05F2C8AFh	0_2_05F2C850
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4x nop then jmp 05F2C8AFh	0_2_05F2C840
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4x nop then jmp 05F73631h	0_2_05F7356B
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4x nop then jmp 05F73631h	0_2_05F732C8
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4x nop then jmp 05F73631h	0_2_05F732B8
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 05E0D04Eh	5_2_05E0CFE8
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 05E0D04Eh	5_2_05E0CFD8
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 05E0D04Eh	5_2_05E0CF99
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 05E0C8AFh	5_2_05E0C840
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 05E0C8AFh	5_2_05E0C850
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 06CA3631h	5_2_06CA356B
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 06CA3631h	5_2_06CA32C8
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 06CA3631h	5_2_06CA32B8
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 05C7D04Eh	6_2_05C7CFDB
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 05C7D04Eh	6_2_05C7CFE8
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 05C7C8AFh	6_2_05C7C847
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 05C7C8AFh	6_2_05C7C850
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 06B43631h	6_2_06B4356B
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 06B43631h	6_2_06B432BF
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 4x nop then jmp 06B43631h	6_2_06B432C8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 45.144.214.107:4213 -> 192.168.2.6:52683
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 45.144.214.107:4213 -> 192.168.2.6:52683

Source: global traffic

TCP traffic: 192.168.2.6:52683 -> 45.144.214.107:4213

Source: global traffic

TCP traffic: 192.168.2.6:52563 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /win32/panel/uploads/Tiyxz.dat HTTP/1.1Host: 196.251.71.142Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /win32/panel/uploads/Tiyxz.dat HTTP/1.1Host: 196.251.71.142Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /win32/panel/uploads/Tiyxz.dat HTTP/1.1Host: 196.251.71.142Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90
Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90

Source: Joe Sandbox View

ASN Name: HPC-MVM-ASHU HPC-MVM-ASHU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.71.142

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /win32/panel/uploads/Tiyxz.dat HTTP/1.1Host: 196.251.71.142Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /win32/panel/uploads/Tiyxz.dat HTTP/1.1Host: 196.251.71.142Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /win32/panel/uploads/Tiyxz.dat HTTP/1.1Host: 196.251.71.142Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: che.ydns.eu
Source: global traffic	DNS traffic detected: DNS query: ipwho.is

Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2471552384.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000005.00000002.2938465454.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3022508591.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://196.251.71.142
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2471552384.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000005.00000002.2938465454.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3022508591.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://196.251.71.142/win32/panel/uploads/Tiyxz.dat
Source: Auftragsbest#U00e4tigung.exe, styfuihs5ty.exe.0.dr	String found in binary or memory: http://196.251.71.142/win32/panel/uploads/Tiyxz.dat1qJ8LzfOVVO7/A0fBqjSIyw==
Source: Auftragsbest#U00e4tigung.exe, 00000004.00000002.3386674795.00000000059B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Auftragsbest#U00e4tigung.exe, 00000004.00000002.3386674795.00000000059B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabyaG
Source: Auftragsbest#U00e4tigung.exe, 00000004.00000002.3373226762.000000000353E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: Auftragsbest#U00e4tigung.exe, 00000004.00000002.3373226762.000000000353E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.isd
Source: Auftragsbest#U00e4tigung.exe, 00000004.00000002.3373226762.000000000358A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: Auftragsbest#U00e4tigung.exe, 00000004.00000002.3373226762.000000000358A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2471552384.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000005.00000002.2938465454.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3022508591.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004517000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.000000000484A000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3088048140.0000000008091000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000007.00000002.2950097469.0000000000612000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004F64000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2511774930.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.0000000003F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004F64000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2511774930.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, styfuihs5ty.exe, 00000005.00000002.2976500263.0000000004DE9000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.0000000003F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004F64000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2511774930.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.0000000003F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Auftragsbest#U00e4tigung.exe, 00000004.00000002.3373226762.000000000352C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004517000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000004.00000002.3373226762.000000000352C000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.000000000484A000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3088048140.0000000008091000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000007.00000002.2950097469.0000000000612000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004F64000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2511774930.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004517000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.0000000003F78000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.000000000484A000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3088048140.0000000008091000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000007.00000002.2950097469.0000000000612000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004F64000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2471552384.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2511774930.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004517000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000004.00000002.3373226762.000000000337B000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000005.00000002.2938465454.0000000002F02000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3022508591.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.0000000003F78000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.000000000484A000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3088048140.0000000008091000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000007.00000002.2950097469.0000000000612000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004F64000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2511774930.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.0000000003F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004517000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.000000000484A000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3088048140.0000000008091000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000007.00000002.2950097469.0000000000612000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Source: unknown	Network traffic detected: HTTP traffic on port 52694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52694

Source: unknown

HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.6:52694 version: TLS 1.2

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.styfuihs5ty.exe.4972e08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.styfuihs5ty.exe.4972e08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.styfuihs5ty.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2976500263.0000000004354000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2950097469.0000000000930000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2938465454.0000000003389000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2471552384.0000000003225000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3373226762.000000000358A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2958189391.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3031370229.000000000293B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3022508591.000000000309A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2950097469.0000000000612000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3088048140.0000000008091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3053677984.000000000484A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2490705184.0000000004517000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2490705184.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Auftragsbest#U00e4tigung.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Auftragsbest#U00e4tigung.exe PID: 964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 7072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 6.2.styfuihs5ty.exe.4972e08.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 6.2.styfuihs5ty.exe.4972e08.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 6.2.styfuihs5ty.exe.4972e08.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 6.2.styfuihs5ty.exe.4972e08.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 6.2.styfuihs5ty.exe.4972e08.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 6.2.styfuihs5ty.exe.4972e08.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 7.2.styfuihs5ty.exe.610000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.2.styfuihs5ty.exe.610000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 7.2.styfuihs5ty.exe.610000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_05F0AC70 NtResumeThread,	0_2_05F0AC70
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_05F07340 NtProtectVirtualMemory,	0_2_05F07340
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_05F0AC68 NtResumeThread,	0_2_05F0AC68
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_05F07338 NtProtectVirtualMemory,	0_2_05F07338
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_05D64C20 NtProtectVirtualMemory,	5_2_05D64C20
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_05D682D0 NtResumeThread,	5_2_05D682D0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_05D64C18 NtProtectVirtualMemory,	5_2_05D64C18
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_05D682C8 NtResumeThread,	5_2_05D682C8
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C04C20 NtProtectVirtualMemory,	6_2_05C04C20
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C082D0 NtResumeThread,	6_2_05C082D0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C04C18 NtProtectVirtualMemory,	6_2_05C04C18
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C082C8 NtResumeThread,	6_2_05C082C8

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_01611E6B	0_2_01611E6B
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_01611E78	0_2_01611E78
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_05F039D0	0_2_05F039D0
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_05F039C1	0_2_05F039C1
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_05F2EA78	0_2_05F2EA78
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_05F27FE8	0_2_05F27FE8
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_05F29238	0_2_05F29238
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_05F7AC90	0_2_05F7AC90
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_05F715A8	0_2_05F715A8
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_05F7AC80	0_2_05F7AC80
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_069D85DB	0_2_069D85DB
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_069DEDC0	0_2_069DEDC0
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_069DCB80	0_2_069DCB80
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_069D48C0	0_2_069D48C0
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_069D1050	0_2_069D1050
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_069D1040	0_2_069D1040
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_069DEDB3	0_2_069DEDB3
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_069DCB76	0_2_069DCB76
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_069D48B0	0_2_069D48B0
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_069F27A0	0_2_069F27A0
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_069F2723	0_2_069F2723
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A20228	0_2_06A20228
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A20218	0_2_06A20218
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A26F37	0_2_06A26F37
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A26880	0_2_06A26880
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A26870	0_2_06A26870
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A5DB80	0_2_06A5DB80
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A5A09F	0_2_06A5A09F
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A57830	0_2_06A57830
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A599F0	0_2_06A599F0
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A5611B	0_2_06A5611B
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A55E28	0_2_06A55E28
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A55E18	0_2_06A55E18
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A56326	0_2_06A56326
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A56344	0_2_06A56344
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A560CB	0_2_06A560CB
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A5782A	0_2_06A5782A
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A5600A	0_2_06A5600A
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A599E0	0_2_06A599E0
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A91600	0_2_06A91600
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A9B4CA	0_2_06A9B4CA
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A915F0	0_2_06A915F0
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A94A10	0_2_06A94A10
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_0723E3D8	0_2_0723E3D8
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_07220006	0_2_07220006
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_07220040	0_2_07220040
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4_2_013FEFE4	4_2_013FEFE4
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4_2_056B93B0	4_2_056B93B0
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4_2_056B0508	4_2_056B0508
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4_2_056B0518	4_2_056B0518
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4_2_056B9F0B	4_2_056B9F0B
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4_2_0824A0C8	4_2_0824A0C8
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 4_2_08246D88	4_2_08246D88
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_01401E6A	5_2_01401E6A
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_01401E78	5_2_01401E78
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_05D66578	5_2_05D66578
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_05D612B0	5_2_05D612B0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_05D66569	5_2_05D66569
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_05D612A0	5_2_05D612A0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_05E08FF8	5_2_05E08FF8
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_05E0EA78	5_2_05E0EA78
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_05E07FE8	5_2_05E07FE8
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06A885DB	5_2_06A885DB
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06A8EDC0	5_2_06A8EDC0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06A8CB80	5_2_06A8CB80
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06A848C0	5_2_06A848C0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06A81040	5_2_06A81040
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06A81050	5_2_06A81050
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06A8EDB1	5_2_06A8EDB1
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06A8CB76	5_2_06A8CB76
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06AD0228	5_2_06AD0228
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06AD0218	5_2_06AD0218
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06AD6F37	5_2_06AD6F37
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06AD6880	5_2_06AD6880
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06AD6870	5_2_06AD6870
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06C8DB80	5_2_06C8DB80
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06C8609A	5_2_06C8609A
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06C8A09F	5_2_06C8A09F
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06C87830	5_2_06C87830
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06C899F0	5_2_06C899F0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06C8611B	5_2_06C8611B
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06C8A6D8	5_2_06C8A6D8
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06C85E18	5_2_06C85E18
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06C85E28	5_2_06C85E28
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06C86344	5_2_06C86344
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06C86326	5_2_06C86326
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06C8600A	5_2_06C8600A
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06C8782A	5_2_06C8782A
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06C899E0	5_2_06C899E0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06CA15A8	5_2_06CA15A8
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06CCC940	5_2_06CCC940
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06CC1600	5_2_06CC1600
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06CC15F0	5_2_06CC15F0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06CC4A10	5_2_06CC4A10
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06F8E3D8	5_2_06F8E3D8
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06F70040	5_2_06F70040
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_06F70007	5_2_06F70007
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_01301E78	6_2_01301E78
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_01301E6F	6_2_01301E6F
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C06578	6_2_05C06578
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C012B0	6_2_05C012B0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C06569	6_2_05C06569
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C012A0	6_2_05C012A0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C66880	6_2_05C66880
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C66870	6_2_05C66870
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C66F48	6_2_05C66F48
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C66F37	6_2_05C66F37
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C60218	6_2_05C60218
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C60228	6_2_05C60228
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C7EA78	6_2_05C7EA78
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C77FE8	6_2_05C77FE8
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C793C7	6_2_05C793C7
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C999F0	6_2_05C999F0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C9611B	6_2_05C9611B
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C97830	6_2_05C97830
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C9DB80	6_2_05C9DB80
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C93D8A	6_2_05C93D8A
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C95E18	6_2_05C95E18
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C95E28	6_2_05C95E28
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C960CB	6_2_05C960CB
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C9600A	6_2_05C9600A
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C9782A	6_2_05C9782A
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C96344	6_2_05C96344
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_05C96326	6_2_05C96326
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_069185DB	6_2_069185DB
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_06916C78	6_2_06916C78
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_0691EDC0	6_2_0691EDC0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_0691CB80	6_2_0691CB80
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_069148C0	6_2_069148C0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_06911050	6_2_06911050
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_06911040	6_2_06911040
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_06916C69	6_2_06916C69
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_0691EDB1	6_2_0691EDB1
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_0691CB76	6_2_0691CB76
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_069148B0	6_2_069148B0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_0694C940	6_2_0694C940
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_06941600	6_2_06941600
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_0694B4CA	6_2_0694B4CA
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_069415F0	6_2_069415F0
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_06944A10	6_2_06944A10
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_06D9E3D8	6_2_06D9E3D8
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_06D80040	6_2_06D80040
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 6_2_06D80007	6_2_06D80007
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 7_2_00BDF03C	7_2_00BDF03C
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 8_2_028BF03C	8_2_028BF03C

Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2471552384.0000000003225000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Auftragsbest#U00e4tigung.exe
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004F64000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Auftragsbest#U00e4tigung.exe
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2470726588.000000000132E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Auftragsbest#U00e4tigung.exe
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2470880743.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFLO.exe( vs Auftragsbest#U00e4tigung.exe
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2471552384.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Auftragsbest#U00e4tigung.exe
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000000.2115071055.0000000000C42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFLO.exe( vs Auftragsbest#U00e4tigung.exe
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2511774930.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Auftragsbest#U00e4tigung.exe
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2500672008.0000000005E50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Auftragsbest#U00e4tigung.exe
Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004517000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Auftragsbest#U00e4tigung.exe
Source: Auftragsbest#U00e4tigung.exe	Binary or memory string: OriginalFilenameFLO.exe( vs Auftragsbest#U00e4tigung.exe

Source: Auftragsbest#U00e4tigung.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 6.2.styfuihs5ty.exe.4972e08.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.2.styfuihs5ty.exe.4972e08.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 6.2.styfuihs5ty.exe.4972e08.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 6.2.styfuihs5ty.exe.4972e08.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.2.styfuihs5ty.exe.4972e08.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 6.2.styfuihs5ty.exe.4972e08.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 7.2.styfuihs5ty.exe.610000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.2.styfuihs5ty.exe.610000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 7.2.styfuihs5ty.exe.610000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: 0.2.Auftragsbest#U00e4tigung.exe.5e50000.3.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Auftragsbest#U00e4tigung.exe.5e50000.3.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Auftragsbest#U00e4tigung.exe.5e50000.3.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Auftragsbest#U00e4tigung.exe.5e50000.3.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.Auftragsbest#U00e4tigung.exe.5e50000.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Auftragsbest#U00e4tigung.exe.5e50000.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Auftragsbest#U00e4tigung.exe.5e50000.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Auftragsbest#U00e4tigung.exe.5e50000.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Auftragsbest#U00e4tigung.exe.5e50000.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Auftragsbest#U00e4tigung.exe.5e50000.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/3@2/3

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe

File created: C:\Users\user\AppData\Roaming\styfuihs5ty.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\50ef7e25-5a45-48c6-8299-131ffa0b5a57

Source: Auftragsbest#U00e4tigung.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Auftragsbest#U00e4tigung.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Auftragsbest#U00e4tigung.exe

Virustotal: Detection: 26%

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe

File read: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe "C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe"
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process created: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe "C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\styfuihs5ty.exe "C:\Users\user\AppData\Roaming\styfuihs5ty.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\styfuihs5ty.exe "C:\Users\user\AppData\Roaming\styfuihs5ty.exe"
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process created: C:\Users\user\AppData\Roaming\styfuihs5ty.exe "C:\Users\user\AppData\Roaming\styfuihs5ty.exe"
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process created: C:\Users\user\AppData\Roaming\styfuihs5ty.exe "C:\Users\user\AppData\Roaming\styfuihs5ty.exe"
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process created: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe "C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process created: C:\Users\user\AppData\Roaming\styfuihs5ty.exe "C:\Users\user\AppData\Roaming\styfuihs5ty.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process created: C:\Users\user\AppData\Roaming\styfuihs5ty.exe "C:\Users\user\AppData\Roaming\styfuihs5ty.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Auftragsbest#U00e4tigung.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Auftragsbest#U00e4tigung.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2500672008.0000000005E50000.00000004.08000000.00040000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.0000000003F78000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2500672008.0000000005E50000.00000004.08000000.00040000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.0000000003F78000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004F64000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2511774930.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.0000000003F78000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2490705184.0000000004F64000.00000004.00000800.00020000.00000000.sdmp, Auftragsbest#U00e4tigung.exe, 00000000.00000002.2511774930.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3053677984.0000000003F78000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Auftragsbest#U00e4tigung.exe, Tndgnfshumn.cs	.Net Code: Xruvfkqwrq System.AppDomain.Load(byte[])
Source: styfuihs5ty.exe.0.dr, Tndgnfshumn.cs	.Net Code: Xruvfkqwrq System.AppDomain.Load(byte[])
Source: 0.2.Auftragsbest#U00e4tigung.exe.5e50000.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Auftragsbest#U00e4tigung.exe.5e50000.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Auftragsbest#U00e4tigung.exe.5e50000.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.Auftragsbest#U00e4tigung.exe.4f640c8.1.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.Auftragsbest#U00e4tigung.exe.4f640c8.1.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.Auftragsbest#U00e4tigung.exe.4f640c8.1.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.Auftragsbest#U00e4tigung.exe.4f640c8.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.Auftragsbest#U00e4tigung.exe.4f640c8.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.Auftragsbest#U00e4tigung.exe.6aa0000.4.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.Auftragsbest#U00e4tigung.exe.6aa0000.4.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.Auftragsbest#U00e4tigung.exe.6aa0000.4.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.Auftragsbest#U00e4tigung.exe.6aa0000.4.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.Auftragsbest#U00e4tigung.exe.6aa0000.4.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.Auftragsbest#U00e4tigung.exe.7341863.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Auftragsbest#U00e4tigung.exe.8240000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Auftragsbest#U00e4tigung.exe.8240000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Auftragsbest#U00e4tigung.exe.7341863.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Auftragsbest#U00e4tigung.exe.7241843.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2982362230.0000000007409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2938465454.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3022508591.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2528292633.0000000008240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2515042946.0000000007241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2938465454.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2515042946.0000000007541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2471552384.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Auftragsbest#U00e4tigung.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 7072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 6196, type: MEMORYSTR

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_01617113 push edi; retf	0_2_01617114
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_016170BB push edi; retf	0_2_016170BC
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_01617373 push esp; retf	0_2_01617374
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_01617344 push esp; retf	0_2_01617346
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_01612B47 pushfd ; retf	0_2_01612B48
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_01617325 push ebp; retf	0_2_01617326
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_01617304 push ebp; retf	0_2_01617305
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_01612BCB pushfd ; retf	0_2_01612BCC
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_016172E3 push ebp; retf	0_2_016172E5
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_01617471 push ebx; retf	0_2_01617472
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_016167C6 pushad ; retf	0_2_016167C7
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_016177CC push eax; retf	0_2_016177CD
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_0161663A push ecx; ret	0_2_01616640
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_05F72BC2 push B903FD60h; retf 0077h	0_2_05F72BC7
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_069DC6D0 pushfd ; ret	0_2_069DC6D1
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_069DDC19 push es; ret	0_2_069DDC6C
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A22E67 push es; retf	0_2_06A22FAC
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A25B90 push esp; iretd	0_2_06A25B9D
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A2513F push es; iretd	0_2_06A25184
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A53440 push ecx; iretd	0_2_06A53442
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A52D01 push esp; iretd	0_2_06A52D02
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A59123 push es; retf	0_2_06A59124
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A9E77D pushad ; iretd	0_2_06A9E781
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A9849E push es; retf	0_2_06A984A4
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A96401 push es; retf	0_2_06A96408
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A962A5 push edx; iretd	0_2_06A962AB
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A91342 push es; ret	0_2_06A91358
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Code function: 0_2_06A94807 push es; retf	0_2_06A9490C
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_01401900 push esp; ret	5_2_014019B9
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_0140663A push ecx; ret	5_2_01406640
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Code function: 5_2_05D67F4A push eax; retf	5_2_05D67F51

Source: 0.2.Auftragsbest#U00e4tigung.exe.6c30000.5.raw.unpack, QUE7yuF8W1SDk5K5eRb.cs

High entropy of concatenated method names: 'o9LFwiaNMs', 'XJTFPglout', 'TPIFYZqPCe', 'dbZFrFvU6D', 'X7LFKCY9CJ', 'bfNFRZPeuh', 'tyeFxltmnM', 'EkDFig7Ofa', 'FPqF0brHJO', 'zsdFsU48Bn'

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe

File created: C:\Users\user\AppData\Roaming\styfuihs5ty.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run styfuihs5ty			Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run styfuihs5ty			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe

File opened: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Auftragsbest#U00e4tigung.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 7072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 6196, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2471552384.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000005.00000002.2938465454.0000000002F02000.00000004.00000800.00020000.00000000.sdmp, styfuihs5ty.exe, 00000006.00000002.3022508591.0000000002D81000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Memory allocated: 15D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Memory allocated: 4FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Memory allocated: 7240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Memory allocated: 7040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Memory allocated: 13F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Memory allocated: 3300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 1400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 2E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 1470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 6F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 6D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 1300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 6DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 7DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 2870000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 4870000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 2760000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 2910000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory allocated: 4910000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Window / User API: threadDelayed 1350	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Window / User API: threadDelayed 5507	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Window / User API: threadDelayed 467	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Window / User API: threadDelayed 413	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Window / User API: threadDelayed 1956	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Window / User API: threadDelayed 4403	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Window / User API: threadDelayed 1889	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Window / User API: threadDelayed 3807	Jump to behavior

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 1436	Thread sleep count: 1350 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 1436	Thread sleep count: 5507 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -99014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -98793s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -98424s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -98297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -98187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -98077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -97969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -97859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -97750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -97640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -97422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -97202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -97094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -96875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -96765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -96656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe TID: 4512	Thread sleep time: -96547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2644	Thread sleep count: 1956 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2644	Thread sleep count: 4403 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -99872s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -99764s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -99653s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -99512s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -99396s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -99266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -99156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -99047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -98937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -98828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -98719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -98609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -98500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -98390s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -98281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -98172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -98062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -97734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -97625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -97406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -97289s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -97185s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -97062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -96801s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -96672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4416	Thread sleep time: -96562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 6980	Thread sleep count: 1889 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -99764s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -99397s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 6980	Thread sleep count: 3807 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -99294s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -99187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -98968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -98857s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -98749s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -98640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -98422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -98312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -98093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -97765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -97437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -97328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -97218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -97097s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 2056	Thread sleep time: -96980s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 6648	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe TID: 4020	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 99014	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 98793	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 98424	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 98187	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 98077	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 97969	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 97859	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 97750	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 97640	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 97422	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 97202	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 97094	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 96875	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 96765	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 96656	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Thread delayed: delay time: 96547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 99872	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 99764	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 99653	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 99512	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 99396	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 99266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 99156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 99047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97289	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97185	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 96801	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 96672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 96562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 99764	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 99397	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 99294	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 99187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98968	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98857	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98749	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 98093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 97097	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 96980	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Thread delayed: delay time: 922337203685477

Source: Auftragsbest#U00e4tigung.exe, 00000000.00000002.2470726588.000000000139B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: styfuihs5ty.exe, 00000006.00000002.3022508591.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: styfuihs5ty.exe, 00000006.00000002.3022508591.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: styfuihs5ty.exe, 00000006.00000002.3013019027.0000000001029000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
Source: Auftragsbest#U00e4tigung.exe, 00000004.00000002.3368897773.000000000148A000.00000004.00000020.00020000.00000000.sdmp, styfuihs5ty.exe, 00000005.00000002.2935025240.0000000001143000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Memory written: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory written: C:\Users\user\AppData\Roaming\styfuihs5ty.exe base: 610000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Memory written: C:\Users\user\AppData\Roaming\styfuihs5ty.exe base: 700000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Process created: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe "C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process created: C:\Users\user\AppData\Roaming\styfuihs5ty.exe "C:\Users\user\AppData\Roaming\styfuihs5ty.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Process created: C:\Users\user\AppData\Roaming\styfuihs5ty.exe "C:\Users\user\AppData\Roaming\styfuihs5ty.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Queries volume information: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Queries volume information: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Queries volume information: C:\Users\user\AppData\Roaming\styfuihs5ty.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Queries volume information: C:\Users\user\AppData\Roaming\styfuihs5ty.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Queries volume information: C:\Users\user\AppData\Roaming\styfuihs5ty.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Queries volume information: C:\Users\user\AppData\Roaming\styfuihs5ty.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\styfuihs5ty.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.styfuihs5ty.exe.4972e08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.styfuihs5ty.exe.4972e08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.styfuihs5ty.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2976500263.0000000004354000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2950097469.0000000000930000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2938465454.0000000003389000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2471552384.0000000003225000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3373226762.000000000358A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2958189391.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3031370229.000000000293B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3022508591.000000000309A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2950097469.0000000000612000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3088048140.0000000008091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3053677984.000000000484A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2490705184.0000000004517000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2490705184.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Auftragsbest#U00e4tigung.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Auftragsbest#U00e4tigung.exe PID: 964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 7072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.styfuihs5ty.exe.4972e08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.styfuihs5ty.exe.4972e08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.styfuihs5ty.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Auftragsbest#U00e4tigung.exe.463fdd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2976500263.0000000004354000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2950097469.0000000000930000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2938465454.0000000003389000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2471552384.0000000003225000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3373226762.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3373226762.000000000358A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2958189391.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3031370229.000000000293B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3022508591.000000000309A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2950097469.0000000000612000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3088048140.0000000008091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3053677984.000000000484A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2490705184.0000000004517000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2490705184.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Auftragsbest#U00e4tigung.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Auftragsbest#U00e4tigung.exe PID: 964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 7072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: styfuihs5ty.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Auftragsbest#U00e4tigung.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Auftragsbest#U00e4tigung.exe