Sandbox version: 31.0.0 Emerald
IR
Analysis ID: 347605
Sandbox product: CloudBasic
Start time: 20:15:00
Start date: 02/02/2021
Sample file name: QuotationTXCtyres.exe
Cookbook file name: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform: WINDOWS
MD5: 683bd9bd416a67e5b14c59668ead6de8
SHA1: 476275961878e53692cdbf7a887d6f6f61c27eee
SHA256: 6f8bb9d51ef192747d5393e13349bb03f272f5a947de849835709502ef09ef68
File type: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
Dropped files (path | malicious | MD5 | SHA1 | SHA256):
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_QuotationTXCtyre_5b15cfdc4f612f9064aeb4aec970f0159d8e17c1_808a50c5_1abcf7fa\Report.wer | false | B8CF24D51C3C72B8C90FF3C37E9E7AB6 | B9D17CFE8922502EFEF1C96450F07DEA40598FB3 | 3606AAAB412CC4077745A8448003A2CE3D1A411913EF1816A4BC125A6E7F225B
C:\ProgramData\Microsoft\Windows\WER\Temp\WER230B.tmp.dmp | false | EFB34C5248779B55A2335E7FC5C7BCC0 | 389FEC2391B4731B80860D1D52FBEB831A1029E7 | 7573E92E2C98CD2406A5D7659C8469CE3734435DBC35964E6B6CC99978AAB020
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB049.tmp.WERInternalMetadata.xml | false | 9AD2FA37790B94866363DDFE3A445FCD | 7990BE44B7EA92CB24DBFAB9FA6F21E2FE9381EE | B1AFF504E6C7BAC6175BC97366309352A67CCAA67BB5EB512BB9080B2079B111
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC086.tmp.xml | false | F2A2059D3EDDD5A1AA8FB21889E0A3A9 | 6275B0929638BBF1D83063554D7CBA92A35C18E7 | 44F689B99C389D333FE8293A28C0C2BF78AE2738178208AE037CB3DAD38081D1
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | false | 846855EBF95A4F17B23F273AD7971D2A | 0479F57F9BEE280AE62EE4672A0D0805A39A895A | 322D88ED4DDA001B4D90DCA76D062B3C1BA2CAEFCF0450C0953C54DBA56FEDC2
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_11cayev4.bax.ps1 | false | C4CA4238A0B923820DCC509A6F75849B | 356A192B7913B04C54574D18C28D46E6395428AB | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1uk2hlpg.2lo.ps1 | false | C4CA4238A0B923820DCC509A6F75849B | 356A192B7913B04C54574D18C28D46E6395428AB | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrpgrtce.j2h.ps1 | false | C4CA4238A0B923820DCC509A6F75849B | 356A192B7913B04C54574D18C28D46E6395428AB | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_md0ng4yz.md3.ps1 | false | C4CA4238A0B923820DCC509A6F75849B | 356A192B7913B04C54574D18C28D46E6395428AB | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pgcjwta5.qa2.psm1 | false | C4CA4238A0B923820DCC509A6F75849B | 356A192B7913B04C54574D18C28D46E6395428AB | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sj15usfh.5ry.psm1 | false | C4CA4238A0B923820DCC509A6F75849B | 356A192B7913B04C54574D18C28D46E6395428AB | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_trtlbzzv.ezr.psm1 | false | C4CA4238A0B923820DCC509A6F75849B | 356A192B7913B04C54574D18C28D46E6395428AB | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xp0dmdgo.4km.psm1 | false | C4CA4238A0B923820DCC509A6F75849B | 356A192B7913B04C54574D18C28D46E6395428AB | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe | true | 683BD9BD416A67E5B14C59668EAD6DE8 | 476275961878E53692CDBF7A887D6F6F61C27EEE | 6F8BB9D51EF192747D5393E13349BB03F272F5A947DE849835709502EF09EF68
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe:Zone.Identifier | true | 187F488E27DB4AF347237FE461A079AD | 6693BA299EC1881249D59262276A0D2CB21F8E64 | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Roaming\pid.txt | false | D6539D3B57159BABF6A72E106BEB45BD | 7300CC41B7D390E645B6CBB2369487CDCA758B17 | 0351A84BE4ABB9C01CCB9A423F06B7971E6B460039A2157343168AC5D21E3A94
C:\Users\user\AppData\Roaming\pidloc.txt | false | 38256E1C7BCD5F6C3C7B874DF2156D1D | 27EDB23AE9B7A3506EDA73F2AC377450F16FE106 | 865B49D49B0497D9E3B90874B806590C2F51CA8045148940F899401C527254EC
C:\Users\user\Documents\20210202\PowerShell_transcript.760639.+YxYN0EN.20210202201613.txt | false | FFD3738448C6D834E7F4400FBCDB35F6 | 73AAD41F1880EA4E708D6CF437F4AFFBE9750016 | 072BA078ADAA97897107FEA6F956D529A9524BD257CD5B66AF2B4E82E03C8C55
C:\Users\user\Documents\20210202\PowerShell_transcript.760639.Vs0JZx_v.20210202201614.txt | false | 54934362AC50178AB301C66908F01D23 | 2BFAAD19C82F300052497B638FE62B965CF4D507 | 24C761BFD4EF9479C0871081B06AC44C647ABD7EBD2E97B15194D6D209F964E0
C:\Users\user\Documents\20210202\PowerShell_transcript.760639.aeTluj22.20210202201613.txt | false | D799B90384D7B74632F5004A18C75D4B | EA1350BA53DF3F3961AD322B5C4EF5B12D34879E | 1562D97B4B2348A3784E7D5864ACD075FB1FFFDF798A8280279CEB111F2D8BD1
C:\Users\user\Documents\20210202\PowerShell_transcript.760639.n8KH4wHy.20210202201612.txt | false | 4CFB83B0048E9D603491CB066EFF3FD7 | A094919AC3B5A694D3D06477596A66A9F3797295 | D97F1B36B9314EE2A9E84C7A453B23068EAFCDEBB54AE63DD8FC22DABA4446E3
IPs: 192.168.2.1, 104.23.98.190
Domains (name | flag as reported | IP):
mail.privateemail.com | false | 198.54.122.60
pastebin.com | false | 104.23.98.190
63.155.11.0.in-addr.arpa | true | unknown
Signatures:
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Changes the view of files in windows explorer (hidden files and folders)
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected WebBrowserPassView password recovery tool
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Yara detected HawkEye Keylogger
Yara detected MailPassView
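The behaviours the report flags (a PE copied into the per-user Startup folder, a Defender path exclusion added through PowerShell, autostart Run-key writes, and lookups of pastebin.com and mail.privateemail.com) are what a detection engineer would want to turn into host-side rules, together with the sample hashes as a last-resort match. The script below is an added example written for this page, not code from the report or from the sandbox vendor. Its event dictionaries use a schema invented here (`kind`, `path`, `sha256`, `script`, `key`, `query`) rather than any real product's field names, and the telemetry it scans is constructed to mirror the artefacts listed above; the Run-key value name `Updater` is hypothetical because the report does not name the keys it saw. Hashes are lower-cased before comparison because the report itself prints the same SHA256 in lowercase in the header and in uppercase in the dropped-files rows.

```python
import re

# IOCs copied from the report above: the sample's hashes (shared by the
# Startup-folder copy) and the two named domains it resolved.
SAMPLE_HASHES = {
    "md5": "683bd9bd416a67e5b14c59668ead6de8",
    "sha1": "476275961878e53692cdbf7a887d6f6f61c27eee",
    "sha256": "6f8bb9d51ef192747d5393e13349bb03f272f5a947de849835709502ef09ef68",
}
WATCHED_DOMAINS = {"pastebin.com", "mail.privateemail.com"}

# A PE written to the per-user Startup folder runs at every logon.
# The character class excludes ':' so an alternate data stream on the
# same file does not count as a second PE drop.
STARTUP_DROP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\:]+\.(?:exe|dll|scr|com)$",
    re.IGNORECASE,
)
# Mark-of-the-Web stream on the dropped copy (the report lists one).
ZONE_ID_RE = re.compile(r"\\Programs\\Startup\\[^\\]+:Zone\.Identifier$", re.IGNORECASE)
# Defender exclusion added from PowerShell (the behaviour behind the Sigma hit).
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b[^\n]*-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE
)
# Run / RunOnce autostart values under HKCU or HKLM.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


def _norm_hash(value):
    """Lower-case and strip a hash so case differences between sources do not matter."""
    return (value or "").strip().lower()


def check_event(ev):
    """Return a list of (tag, detail) findings for one event dict (example schema)."""
    findings = []
    kind = ev.get("kind")
    if kind == "file_create":
        path = ev.get("path", "")
        if STARTUP_DROP_RE.search(path):
            findings.append(("startup_drop", path))
        if ZONE_ID_RE.search(path):
            findings.append(("startup_motw", path))
        for algo, known in SAMPLE_HASHES.items():
            if _norm_hash(ev.get(algo)) == known:
                findings.append((algo + "_match", path))
                break
    elif kind == "powershell_script":
        script = ev.get("script", "")
        if EXCLUSION_RE.search(script):
            findings.append(("defender_exclusion", script))
    elif kind == "registry_set":
        key = ev.get("key", "")
        if RUN_KEY_RE.search(key):
            findings.append(("run_key", key))
    elif kind == "dns_query":
        query = ev.get("query", "").rstrip(".").lower()
        if query in WATCHED_DOMAINS:
            findings.append(("c2_domain", query))
    return findings


def scan(events):
    """Scan a sequence of events and return {event_index: findings} for hits only."""
    hits = {}
    for index, ev in enumerate(events):
        found = check_event(ev)
        if found:
            hits[index] = found
    return hits


# Constructed telemetry modelled on the report's artefacts; not real logs.
SAMPLE_EVENTS = [
    {"kind": "file_create",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe",
     "sha256": "6F8BB9D51EF192747D5393E13349BB03F272F5A947DE849835709502EF09EF68"},
    {"kind": "file_create",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe:Zone.Identifier"},
    {"kind": "powershell_script",
     "script": r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'"},
    {"kind": "registry_set",  # hypothetical value name; the report does not give one
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"kind": "dns_query", "query": "pastebin.com"},
    {"kind": "file_create", "path": r"C:\ProgramData\Microsoft\Windows\WER\Temp\WER230B.tmp.dmp"},
    {"kind": "dns_query", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        for tag, detail in findings:
            print("event %d: %s: %s" % (index, tag, detail))
```

The crash-dump write and the unrelated DNS query produce no findings, and the Zone.Identifier stream is reported as a Mark-of-the-Web write rather than as a second PE drop. Hash matching is kept last on purpose: the Startup-folder copy here shares the sample's hashes, but a repacked build would not, whereas the Startup-folder write and the Defender exclusion are behaviours the sample needs regardless of its bytes.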