
Analysis Report QUOTATION REQUEST.exe

Overview

General Information

Sample Name: QUOTATION REQUEST.exe
Analysis ID: 321450
MD5: 4f4f697adc79894ceec42d5752b2790e
SHA1: 390de0e89b8c1c3d07dbd12dbb0149626453d12b
SHA256: dc0cff9e3bc575333097988f46e46f1925cedf35329a749a642576601a45674c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • QUOTATION REQUEST.exe (PID: 5388 cmdline: 'C:\Users\user\Desktop\QUOTATION REQUEST.exe' MD5: 4F4F697ADC79894CEEC42D5752B2790E)
    • schtasks.exe (PID: 5616 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 1564 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • lEmohP.exe (PID: 3288 cmdline: 'C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • lEmohP.exe (PID: 5788 cmdline: 'C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "NzslbU4cHkctpk", "URL: ": "http://C0BJotQhI3.net", "To: ": "", "ByHost: ": "mail.hemetek.com:587", "Password: ": "FYw6n", "From: ": ""}

Yara Overview

Memory Dumps

Source: 00000000.00000002.212843504.0000000003B43000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000003.00000002.462144655.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.212271069.0000000002B21000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: QUOTATION REQUEST.exe PID: 5388 | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Unpacked PEs

Source: 3.2.RegSvcs.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\QUOTATION REQUEST.exe', ParentImage: C:\Users\user\Desktop\QUOTATION REQUEST.exe, ParentProcessId: 5388, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp', ProcessId: 5616

Signature Overview

AV Detection:

Found malware configuration
Source: RegSvcs.exe.1564.3.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "NzslbU4cHkctpk", "URL: ": "http://C0BJotQhI3.net", "To: ": "", "ByHost: ": "mail.hemetek.com:587", "Password: ": "FYw6n", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\GtVSibeZGs.exe | ReversingLabs: Detection: 51%
Multi AV Scanner detection for submitted file
Source: QUOTATION REQUEST.exe | Virustotal: Detection: 52%
Source: QUOTATION REQUEST.exe | ReversingLabs: Detection: 51%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\GtVSibeZGs.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: QUOTATION REQUEST.exe | Joe Sandbox ML: detected
Source: 3.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49738 -> 107.6.134.138:587
Source: global traffic | TCP traffic: 192.168.2.3:49738 -> 107.6.134.138:587
Source: Joe Sandbox View | ASN Name: SINGLEHOP-LLCUS
Source: unknown | DNS traffic detected: queries for: mail.hemetek.com
Source: RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000003.00000002.465723831.0000000003696000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.465745478.00000000036A0000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.465591581.0000000003659000.00000004.00000001.sdmp | String found in binary or memory: http://C0BJotQhI3.net
Source: RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | String found in binary or memory: http://TDhznh.com
Source: RegSvcs.exe, 00000003.00000002.465723831.0000000003696000.00000004.00000001.sdmp | String found in binary or memory: http://mail.hemetek.com
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: QUOTATION REQUEST.exe, 00000000.00000002.212843504.0000000003B43000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.462144655.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: QUOTATION REQUEST.exe, 00000000.00000002.212843504.0000000003B43000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.462144655.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: QUOTATION REQUEST.exe, 00000000.00000002.211719629.0000000000CB8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: QUOTATION REQUEST.exe
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_00F3EB70
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_00F3EB60
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_00F3CB5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06835AA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06839BB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06835078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0683F3CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0683A300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_068324B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06831108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06833938
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: QUOTATION REQUEST.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GtVSibeZGs.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEXkkZFSEjYYVxfCzJogyqTqLgVaACqjcpHF.exe( vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.211719629.0000000000CB8000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.214965035.0000000005020000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.216250775.0000000006940000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.211308175.0000000000542000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename6 vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.216699272.0000000006A30000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.216699272.0000000006A30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.212271069.0000000002B21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.215096302.00000000050B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameaspnet_rc.dllT vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe | Binary or memory string: OriginalFilename6 vs QUOTATION REQUEST.exe
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@10/8@1/1
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File created: C:\Users\user\AppData\Roaming\GtVSibeZGs.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_01
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Mutant created: \Sessions\1\BaseNamedObjects\FZGqCPCXaSyGOD
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4576:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_01
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File created: C:\Users\user\AppData\Local\Temp\tmpCA2.tmp
Source: QUOTATION REQUEST.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: QUOTATION REQUEST.exe, 00000000.00000000.194037544.00000000003C2000.00000002.00020000.sdmp | Binary or memory string: UPDATE [sms].[dbo].[person]set email=@email, street=@street, city=@city, district=@district, zip=@zip WHERE id=;Student Information updated!!
Source: QUOTATION REQUEST.exe | Virustotal: Detection: 52%
Source: QUOTATION REQUEST.exe | ReversingLabs: Detection: 51%
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File read: C:\Users\user\Desktop\QUOTATION REQUEST.exe
Source: unknown | Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe 'C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe 'C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp'
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: QUOTATION REQUEST.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QUOTATION REQUEST.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: QUOTATION REQUEST.exe | Static file information: File size 1733120 > 1048576
Source: QUOTATION REQUEST.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13d000
Source: QUOTATION REQUEST.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000003.00000003.335768615.00000000063F7000.00000004.00000001.sdmp, lEmohP.exe, 00000007.00000000.271543605.0000000000642000.00000002.00020000.sdmp, lEmohP.exe, 00000010.00000002.290702396.00000000005A2000.00000002.00020000.sdmp, lEmohP.exe.3.dr
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: lEmohP.exe, 00000010.00000002.291188421.0000000002940000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: lEmohP.exe, lEmohP.exe.3.dr

Data Obfuscation:

.NET source code contains potential unpacker
Source: QUOTATION REQUEST.exe, ?R?Xa?U??b??/u?sXwvU?tjxKO.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.QUOTATION REQUEST.exe.3c0000.0.unpack, ?R?Xa?U??b??/u?sXwvU?tjxKO.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.QUOTATION REQUEST.exe.3c0000.0.unpack, ?R?Xa?U??b??/u?sXwvU?tjxKO.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_00F31C8B push ebx; iretd 0_2_00F31C7A
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_00F3DF50 push eax; ret 0_2_00F3DF51
Source: initial sample | Static PE information: section name: .text entropy: 7.33255664693
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File created: C:\Users\user\AppData\Roaming\GtVSibeZGs.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run lEmohP

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Process information set: NOOPENFILEERRORBOX (identical event reported 28 times in this span; repeats collapsed)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.212271069.0000000002B21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTATION REQUEST.exe PID: 5388, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 623
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe TID: 1112 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe TID: 5400 | Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe TID: 6140 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe TID: 5736 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe TID: 5172 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Last function: Thread delayed
Source: QUOTATION REQUEST.exe, 00000000.00000002.212705548.0000000002E3E000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: RegSvcs.exe, 00000003.00000002.467751584.00000000064B0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: RegSvcs.exe, 00000003.00000002.467684080.00000000063B0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllurrentControlSet\Control\ProductOptions|ProductSuiteOSType
Source: QUOTATION REQUEST.exe, 00000000.00000002.212705548.0000000002E3E000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000003.00000002.467751584.00000000064B0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000003.00000002.467751584.00000000064B0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: QUOTATION REQUEST.exe, 00000000.00000002.212705548.0000000002E3E000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: QUOTATION REQUEST.exe, 00000000.00000002.212705548.0000000002E3E000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: QUOTATION REQUEST.exe, 00000000.00000002.212705548.0000000002E3E000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 00000003.00000002.467751584.00000000064B0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Memory allocated: page read and write | page guard
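The evasion events above list the raw artefacts the sample inspects (Win32_BaseBoard, Win32_NetworkAdapterConfiguration and Win32_Processor via WMI, the VMware Tools registry key, SCSI device identifiers, the "VMware SVGA II" display adapter string, SbieDll.dll and the Wine-only kernel32 export wine_get_unix_file_name) but not how they are combined. The following Python is an added example, not code from the report or the sample: it reconstructs those checks as an evaluator over a host snapshot so a sandbox operator can see which artefact trips the logic. The snapshot layout, the single-hit threshold and the two constructed hosts are assumptions; the MAC OUI prefixes are public IEEE assignments.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# OUI prefixes registered to hypervisor vendors (public IEEE assignments).
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5D": "Hyper-V",
}
# Vendor strings seen in the sample's memory (VMware, VMware SVGA II, VMware Tools) plus the
# obvious equivalents for other hypervisors; "440BX" is the VMware reference mainboard.
VM_VENDOR_RE = re.compile(r"vmware|virtualbox|vbox|qemu|kvm|xen|hyper-v|virtual|440bx", re.I)


@dataclass
class HostSnapshot:
    """Values the sample collects, per the report, gathered into one record (assumed layout)."""
    baseboard: str                  # Win32_BaseBoard Manufacturer + Product
    processor_cores: int            # Win32_Processor.NumberOfCores
    mac_addresses: list[str]        # Win32_NetworkAdapterConfiguration.MACAddress
    display_adapter: str            # Control\Class\{4D36E968-...}\0000 DriverDesc
    scsi_identifiers: list[str]     # HARDWARE\DEVICEMAP\Scsi\...\Identifier values
    registry_keys: set[str]         # keys that exist, e.g. SOFTWARE\VMware, Inc.\VMware Tools
    loaded_modules: set[str]        # modules mapped into the process (SbieDll.dll check)
    kernel32_exports: set[str]      # exports of kernel32.dll (wine_get_unix_file_name check)


def vm_indicators(snap: HostSnapshot) -> list[str]:
    """Return every artefact that would make the sample decide it is being analysed."""
    hits: list[str] = []
    if VM_VENDOR_RE.search(snap.baseboard):
        hits.append(f"baseboard:{snap.baseboard}")
    if snap.processor_cores < 2:                        # single-vCPU sandboxes stand out
        hits.append(f"cores:{snap.processor_cores}")
    for mac in snap.mac_addresses:
        vendor = VM_MAC_OUIS.get(mac.upper()[:8])
        if vendor:
            hits.append(f"mac:{mac}:{vendor}")
    if VM_VENDOR_RE.search(snap.display_adapter):
        hits.append(f"display:{snap.display_adapter}")
    hits += [f"scsi:{s}" for s in snap.scsi_identifiers if VM_VENDOR_RE.search(s)]
    hits += [f"registry:{k}" for k in sorted(snap.registry_keys) if VM_VENDOR_RE.search(k)]
    if "sbiedll.dll" in {m.lower() for m in snap.loaded_modules}:
        hits.append("module:SbieDll.dll (Sandboxie)")
    if "wine_get_unix_file_name" in {e.lower() for e in snap.kernel32_exports}:
        hits.append("export:wine_get_unix_file_name (Wine)")
    return hits


def looks_like_analysis_env(snap: HostSnapshot) -> bool:
    # The report does not state the sample's threshold; a single hit is assumed to be enough,
    # which is why a sandbox has to scrub every one of these artefacts rather than most of them.
    return bool(vm_indicators(snap))


# Constructed snapshots: a stock VMware guest as the report's sandbox presents itself,
# and a physical workstation for comparison.
SANDBOX = HostSnapshot(
    baseboard="Intel Corporation 440BX Desktop Reference Platform",
    processor_cores=1,
    mac_addresses=["00:0C:29:3A:4B:5C"],
    display_adapter="VMware SVGA II",
    scsi_identifiers=["NECVMWar VMware SATA CD00"],
    registry_keys={r"SOFTWARE\VMware, Inc.\VMware Tools"},
    loaded_modules={"kernel32.dll", "ntdll.dll"},
    kernel32_exports={"CreateFileW", "GetTickCount"},
)
BARE_METAL = HostSnapshot(
    baseboard="ASUSTeK COMPUTER INC. PRIME Z390-A",
    processor_cores=8,
    mac_addresses=["3C:7C:3F:12:34:56"],
    display_adapter="NVIDIA GeForce RTX 2070",
    scsi_identifiers=["NVMe Samsung SSD 970 EVO Plus"],
    registry_keys={r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    loaded_modules={"kernel32.dll", "ntdll.dll"},
    kernel32_exports={"CreateFileW", "GetTickCount"},
)

if __name__ == "__main__":
    for name, snap in (("sandbox", SANDBOX), ("bare metal", BARE_METAL)):
        print(name, looks_like_analysis_env(snap), vm_indicators(snap))
```

Run against the constructed VMware snapshot every category fires except the module and export checks, which is consistent with the report: the sandbox was detected through hardware and registry artefacts, not through Sandboxie or Wine. Patching only the MAC or only the registry key would not change the outcome.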

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp'
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: RegSvcs.exe, 00000003.00000002.463897257.0000000001D80000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000003.00000002.463897257.0000000001D80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000003.00000002.463897257.0000000001D80000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: RegSvcs.exe, 00000003.00000002.463897257.0000000001D80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Queries volume information: C:\Users\user\Desktop\QUOTATION REQUEST.exe VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
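Two process-creation events in this section are the ones worth turning into detections: schtasks.exe importing a task definition from %LOCALAPPDATA%\Temp (the Sigma hit "Scheduled temp file as task from temp location"), and the signed framework utility RegSvcs.exe being spawned by a parent on the user's Desktop, which is the hand-off into the hollowed process that the Yara and credential-access hits are later attributed to. The Python below is an added example, not code from the report or from any detection product: it expresses both patterns as rules over Sysmon-style process-creation records. The event field names and the four constructed events (two mirroring the report's chain, two benign look-alikes) are assumptions.

```python
from __future__ import annotations

import re
from typing import Callable, Iterable

# Constructed Sysmon-style process-creation events (field names assumed). The first two mirror
# the process chain in the report; the last two are benign look-alikes for comparison.
EVENTS = [
    {"ProcessId": 4100,
     "ParentImage": r"C:\Users\user\Desktop\QUOTATION REQUEST.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GtVSibeZGs" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmpCA2.tmp"'},
    {"ProcessId": 1564,
     "ParentImage": r"C:\Users\user\Desktop\QUOTATION REQUEST.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"ProcessId": 4200,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"ProcessId": 4300,
     "ParentImage": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'RegSvcs.exe "C:\build\MyComponent.dll"'},
]

# /XML <file> where <file> sits under a user's AppData\Local\Temp.
TEMP_XML_RE = re.compile(r"/xml\s+\"?[^\"]*\\AppData\\Local\\Temp\\", re.I)
# Parent image located in a user-writable directory.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
# Signed .NET framework utilities commonly used as injection hosts by this family.
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_create_from_temp_xml(ev: dict) -> bool:
    """schtasks /Create importing a task XML staged in %LOCALAPPDATA%\\Temp."""
    cmd = ev["CommandLine"]
    return (basename(ev["Image"]) == "schtasks.exe"
            and "/create" in cmd.lower()
            and TEMP_XML_RE.search(cmd) is not None)


def dotnet_utility_from_user_path(ev: dict) -> bool:
    """A framework utility started by a parent that lives in a user-writable location."""
    return (basename(ev["Image"]) in DOTNET_UTILITIES
            and USER_WRITABLE_RE.match(ev["ParentImage"]) is not None)


RULES: dict[str, Callable[[dict], bool]] = {
    "schtasks_create_from_temp_xml": schtasks_create_from_temp_xml,
    "dotnet_utility_from_user_path": dotnet_utility_from_user_path,
}


def detect(events: Iterable[dict]) -> list[tuple[str, int]]:
    """Return (rule name, ProcessId) for every event that matches a rule."""
    return [(name, ev["ProcessId"])
            for ev in events
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name}: PID {pid}")
```

The second rule deliberately keys on the parent's location rather than on RegSvcs.exe itself; developers legitimately run RegSvcs.exe from Visual Studio or build servers, which is why the devenv.exe-parented event stays quiet.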

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
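The report records only that RegSvcs.exe wrote C:\Windows\System32\drivers\etc\hosts, not what it wrote. On an infected host the first question is whether any security-vendor, update or sign-in domain has been pinned to a loopback or foreign address. The Python below is an added example, not code from the report: it parses a hosts file the way the resolver does (comments stripped, several names per address allowed) and flags protected domains that have been sinkholed or redirected. The protected-suffix list and the sample hosts content are constructed assumptions.

```python
from __future__ import annotations

import ipaddress
from typing import Iterator, NamedTuple

# Domains that have no business in a hosts file on a managed endpoint: security vendors,
# Windows Update and Microsoft sign-in. Assumed list; extend it with your own tooling.
PROTECTED_SUFFIXES = (
    "microsoft.com", "microsoftonline.com", "windowsupdate.com", "virustotal.com",
    "symantec.com", "kaspersky.com", "mcafee.com", "sophos.com", "avast.com",
    "bitdefender.com", "eset.com", "trendmicro.com",
)


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    category: str   # "sinkhole" (loopback or 0.0.0.0) or "redirect" (any other address)


def parse_hosts(text: str) -> Iterator[tuple[int, str, str]]:
    """Yield (line_no, address, hostname) for every active mapping; comments and blanks skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                      # malformed line, not a mapping the resolver honours
        for host in parts[1:]:            # one address may carry several names
            yield line_no, addr, host.lower()


def is_protected(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> list[Finding]:
    """Flag every protected domain present in the file, classified by where it now points."""
    findings: list[Finding] = []
    for line_no, addr, host in parse_hosts(text):
        if not is_protected(host):
            continue
        ip = ipaddress.ip_address(addr)
        category = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append(Finding(line_no, addr, host, category))
    return findings


# Constructed hosts file: the stock Microsoft header, one legitimate local override,
# and three tampered entries of the kind a stealer leaves behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
127.0.0.1     intranet.corp.example        # legitimate local override
0.0.0.0       www.virustotal.com           # vendor sinkholed
127.0.0.1     update.symantec.com liveupdate.symantec.com
198.51.100.7  login.microsoftonline.com    # sign-in redirected elsewhere
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address} ({f.category})")
```

Read the file with an explicit UTF-8/ANSI decode rather than through the resolver, and compare against a known-good copy as well: the audit catches the common tampering patterns, but an attacker can also point an internal name at an attacker-controlled host, which only a baseline diff will reveal.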

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.212843504.0000000003B43000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.462144655.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTATION REQUEST.exe PID: 5388, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1564, type: MEMORY
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1564, type: MEMORY

              Remote Access Functionality:
