Analysis Report SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Overview

General Information

Sample Name: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Analysis ID: 432708
MD5: d482d04bd4113f1f9f08e39bca4a3f27
SHA1: 783f25f265c34681ffca9e5c8ac5bebecc71bbc6
SHA256: 9973c00cf203198a16d3d897fa85d46896f04ea9d58b23917eaea32a3de4d5e4
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • SAUDI ARAMCO Tender Documents - BOQ and ITB.exe (PID: 6556 cmdline: 'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe' MD5: D482D04BD4113F1F9F08E39BCA4A3F27)
    • schtasks.exe (PID: 6824 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' /XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6904 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "admin@dangotesugars.com08102186737CEOus2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
5.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe' , ParentImage: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, ParentProcessId: 6556, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6904
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe' , ParentImage: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, ParentProcessId: 6556, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6904

Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "admin@dangotesugars.com08102186737CEOus2.smtp.mailhostbox.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe | ReversingLabs: Detection: 15%
Multi AV Scanner detection for submitted file
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Virustotal: Detection: 30%
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | ReversingLabs: Detection: 15%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Joe Sandbox ML: detected
Source: 5.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\XobOtjQJOq\src\obj\x86\Debug\RegistryValueOptions.pdb< source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\XobOtjQJOq\src\obj\x86\Debug\RegistryValueOptions.pdb source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0E80DB38
Source: global traffic | TCP traffic: 192.168.2.6:49756 -> 208.91.199.223:587
Source: Joe Sandbox View | IP Address: 208.91.199.223 208.91.199.223
Source: global traffic | TCP traffic: 192.168.2.6:49756 -> 208.91.199.223:587
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369600695.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | String found in binary or memory: http://xaqngD.com
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | String found in binary or memory: https://Tw98FI5QiWYWE4R7ojW.com
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 5.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b4FF9C728u002d7C57u002d40C2u002dBE9Cu002d6335DB58B1AFu007d/B8E47775u002d22E9u002d4EE8u002d9FD7u002d974F8284310E.csLarge array initialization: .cctor: array initializer size 11966
                      Source: 5.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b4FF9C728u002d7C57u002d40C2u002dBE9Cu002d6335DB58B1AFu007d/B8E47775u002d22E9u002d4EE8u002d9FD7u002d974F8284310E.csLarge array initialization: .cctor: array initializer size 11966
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0313C2B01_2_0313C2B0
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_031399701_2_03139970
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_09257A601_2_09257A60
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0925ACD01_2_0925ACD0
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0925BFF81_2_0925BFF8
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0925CEF81_2_0925CEF8
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0925B5781_2_0925B578
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0925E9001_2_0925E900
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_09257A511_2_09257A51
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0925AFB01_2_0925AFB0
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0925EFC81_2_0925EFC8
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0925F1E81_2_0925F1E8
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_092500061_2_09250006
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_092500401_2_09250040
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0925A0E11_2_0925A0E1
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0925F4281_2_0925F428
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_092574A01_2_092574A0
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_092574B01_2_092574B0
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0E8086501_2_0E808650
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0E8094201_2_0E809420
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0E80CC781_2_0E80CC78
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCode function: 1_2_0E808D801_2_0E808D80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F0EDB05_2_00F0EDB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F041805_2_00F04180
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F0CD805_2_00F0CD80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F042DD5_2_00F042DD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F09F285_2_00F09F28
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F0AE005_2_00F0AE00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_015646A05_2_015646A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01563D505_2_01563D50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_015646725_2_01564672
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_015646905_2_01564690
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0156D2E05_2_0156D2E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_06066C605_2_06066C60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_060675305_2_06067530
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_060690F05_2_060690F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_060669185_2_06066918
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_060624B05_2_060624B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0606BED8 appears 46 times
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKygo.dll* vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWvRNvQqDKFGGvAlWFhquDEcwrJemX.exe4 vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.377690232.000000000ED90000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.368738849.0000000000ED2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRegistryValueOptions.exeZ vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.376636365.00000000090B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.378103149.000000000EE80000.00000002.00000001.sdmpBinary or memory string: originalfilename vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.378103149.000000000EE80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exeBinary or memory string: OriginalFilenameRegistryValueOptions.exeZ vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: sXNiyYIFndkxd.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 5.0.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/5@2/1
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeFile created: C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exeJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_01
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeMutant created: \Sessions\1\BaseNamedObjects\jGmaaFOdSHSnPJ
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeFile created: C:\Users\user\AppData\Local\Temp\tmp2894.tmpJump to behavior
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Virustotal: Detection: 30%
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe ReversingLabs: Detection: 15%
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe File read: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
                      Source: unknown Process created: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe 'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe'
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' /XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\XobOtjQJOq\src\obj\x86\Debug\RegistryValueOptions.pdb source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: sXNiyYIFndkxd.exe.1.dr, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.de0000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.de0000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_3_05E0A011 push eax; retf 5_3_05E0A017
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00F0888A push 8BFFFFFFh; retf 5_2_00F08890
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0606A61F push es; iretd 5_2_0606A63C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0606ED73 push eax; ret 5_2_0606EE51
                      Source: initial sample Static PE information: section name: .text entropy: 7.86709142883
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe File created: \saudi aramco tender documents - boq and itb.exe
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe File created: C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe

                      Boot Survival:

                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' /XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:
