Windows Analysis Report
Quotation For Inverter.exe

Overview

General Information

Sample name: Quotation For Inverter.exe
Analysis ID: 1446074
MD5: 9c45e536f5c88334f24cab2ab89ee21e
SHA1: 586564ab3bd5ea6c329d91af2cb90c62593cc5f9
SHA256: 26519d3b87b0bce9cacd121c6837fdf4e91500b52c14735068bb495f04fe1852
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.lucky-tours.com", "Username": "mohamed.sabry@lucky-tours.com", "Password": "Moh!@#123"}
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe ReversingLabs: Detection: 39%
Source: Quotation For Inverter.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Joe Sandbox ML: detected
Source: Quotation For Inverter.exe Joe Sandbox ML: detected
Source: Quotation For Inverter.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: rXza.pdb source: Quotation For Inverter.exe, KaCTPSocApHQCE.exe.0.dr
Source: Binary string: rXza.pdbSHA256+ source: Quotation For Inverter.exe, KaCTPSocApHQCE.exe.0.dr

Networking

Source: Yara match File source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.raw.unpack, type: UNPACKEDPE
Source: Quotation For Inverter.exe, 00000000.00000002.2131184671.0000000003C6E000.00000004.00000800.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2139393756.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation For Inverter.exe, 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp, Quotation For Inverter.exe, 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: Quotation For Inverter.exe, 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp, Quotation For Inverter.exe, 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, J4qms1IPBw.cs .Net Code: m1HBzQVNvl
Source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.raw.unpack, J4qms1IPBw.cs .Net Code: m1HBzQVNvl
Source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.raw.unpack, J4qms1IPBw.cs .Net Code: m1HBzQVNvl
Source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.raw.unpack, J4qms1IPBw.cs .Net Code: m1HBzQVNvl

System Summary

Source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample Static PE information: Filename: Quotation For Inverter.exe
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Code function: 0_2_00007FFD347D39B8 0_2_00007FFD347D39B8
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Code function: 0_2_00007FFD347D2C88 0_2_00007FFD347D2C88
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Code function: 0_2_00007FFD347D2BE8 0_2_00007FFD347D2BE8
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Code function: 0_2_00007FFD347D6DBA 0_2_00007FFD347D6DBA
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Code function: 0_2_00007FFD347D9B4C 0_2_00007FFD347D9B4C
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Code function: 0_2_00007FFD347D4380 0_2_00007FFD347D4380
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Code function: 11_2_00007FFD347F39B8 11_2_00007FFD347F39B8
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Code function: 11_2_00007FFD347F2C88 11_2_00007FFD347F2C88
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Code function: 11_2_00007FFD347F2BE8 11_2_00007FFD347F2BE8
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Code function: 11_2_00007FFD347F6DBA 11_2_00007FFD347F6DBA
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Code function: 11_2_00007FFD347F9B4C 11_2_00007FFD347F9B4C
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Code function: 11_2_00007FFD347F4380 11_2_00007FFD347F4380
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6496 -s 12
Source: KaCTPSocApHQCE.exe.0.dr Static PE information: No import functions for PE file found
Source: Quotation For Inverter.exe Static PE information: No import functions for PE file found
Source: Quotation For Inverter.exe, 00000000.00000002.2130759369.0000000001A40000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAxiom.dll@ vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2132764090.0000000013BBF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAxiom.dll@ vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2130806953.0000000001A70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename07c9e81c-d51c-4388-94b3-3ce637764a81.exe4 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000000.2089158911.0000000000624000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamerXza.exe4 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2131184671.0000000004101000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2131184671.000000000414D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerS# vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename07c9e81c-d51c-4388-94b3-3ce637764a81.exe4 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2134871247.000000001DF10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2131184671.0000000003C6E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename07c9e81c-d51c-4388-94b3-3ce637764a81.exe4 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe Binary or memory string: OriginalFilenamerXza.exe4 vs Quotation For Inverter.exe
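The OriginalFilename strings above are what the signature "Sample file is different than original file name gathered from version info" compares against the name on disk: a file called Quotation For Inverter.exe whose version resource says rXza.exe, Axiom.dll or a GUID-named .exe is carrying someone else's build metadata. The following is an added example, not code from the Joe Sandbox report: a parser for the VS_VERSIONINFO String structures as they lie in a PE resource or a memory dump, which pulls every OriginalFilename value and reports the ones that do not match the on-disk name. SAMPLE_DUMP is a constructed blob that embeds the names the report lists; it is not the sample's real resource data. The stray trailing character in the report's strings ("Axiom.dll@", "Tyrone.dll8", "rXza.exe4") is consistent with a string extractor skipping the UTF-16 terminator and reading the wLength WORD of the next structure as a character; the parser here stops at the terminator, so the names come out clean.

```python
"""Recover OriginalFilename values from version-info structures and compare them
with the file name on disk.

Added example, not code from the Joe Sandbox report or from the malware.
SAMPLE_DUMP is constructed; it is not the sample's actual resource data.
"""
import re
import struct
from typing import List

# szKey of the String structure we care about, UTF-16LE with its terminator.
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def version_string(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO 'String' structure: wLength, wValueLength (in
    WCHARs, terminator included), wType=1 (text), szKey, DWORD padding, Value."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00" * (-(6 + len(k)) % 4)      # align Value to a DWORD boundary
    body = k + pad + v
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


def pad4(b: bytes) -> bytes:
    """Consecutive structures in the resource are DWORD-aligned."""
    return b + b"\x00" * (-len(b) % 4)


def extract_original_filenames(blob: bytes) -> List[str]:
    """Return every OriginalFilename value in the blob, stopping at the UTF-16
    terminator so the next structure's wLength is never read as a character."""
    names = []
    for m in re.finditer(re.escape(KEY), blob):
        pos = m.end()
        # At most one WORD of alignment padding can sit between szKey and Value.
        if blob[pos:pos + 2] == b"\x00\x00" and blob[pos + 2:pos + 4] != b"\x00\x00":
            pos += 2
        end = pos
        while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        names.append(blob[pos:end].decode("utf-16-le", errors="replace"))
    return names


def name_mismatch(disk_name: str, original_names: List[str]) -> List[str]:
    """OriginalFilename values that differ from the on-disk name (case-insensitive)."""
    return [n for n in original_names if n.lower() != disk_name.lower()]


# Constructed dump: junk bytes, a FileDescription entry (must be ignored), and
# three OriginalFilename entries using names the report lists, separated by junk.
SAMPLE_DUMP = (
    b"\x90" * 16
    + pad4(version_string("FileDescription", "Axiom"))
    + pad4(version_string("OriginalFilename", "Axiom.dll"))
    + b"\xcc" * 8
    + pad4(version_string("OriginalFilename", "rXza.exe"))
    + pad4(version_string("OriginalFilename", "07c9e81c-d51c-4388-94b3-3ce637764a81.exe"))
)

if __name__ == "__main__":
    found = extract_original_filenames(SAMPLE_DUMP)
    for n in name_mismatch("Quotation For Inverter.exe", found):
        print(f"version info says {n!r}, file on disk is 'Quotation For Inverter.exe'")
```

Run against a raw process memory dump rather than the PE on disk to catch the names of payloads that only ever exist unpacked in memory, which is how the report surfaced Axiom.dll, Tyrone.dll and the GUID-named executable alongside the outer rXza.exe.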
Source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Quotation For Inverter.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KaCTPSocApHQCE.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, Lds5plxAPDj.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, LZYJybC.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, wDxPSW1p.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, E0w8WLnyggK.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, ZBSJHga2buE.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, M4oIYVa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, kSS2HMsB8.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, kSS2HMsB8.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/11@0/0
Source: C:\Users\user\Desktop\Quotation For Inverter.exe File created: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Mutant created: \Sessions\1\BaseNamedObjects\oKANYrPniqsnxP
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6496
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3704:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4608:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5476
Source: C:\Users\user\Desktop\Quotation For Inverter.exe File created: C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp Jump to behavior
Source: Quotation For Inverter.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Quotation For Inverter.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Quotation For Inverter.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\Quotation For Inverter.exe File read: C:\Users\user\Desktop\Quotation For Inverter.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Quotation For Inverter.exe "C:\Users\user\Desktop\Quotation For Inverter.exe"
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6496 -s 12
Source: unknown Process created: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpC4D5.tmp"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5476 -s 12
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe" Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpC4D5.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Jump to behavior
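The process chain above is the whole persistence and defence-evasion story in four command lines: powershell.exe adds a Defender exclusion for the dropped copy in AppData\Roaming, schtasks.exe registers the task Updates\KaCTPSocApHQCE from an XML file in %TEMP%, and RegSvcs.exe is started with no arguments from the user's Desktop (and later from AppData\Roaming), which is the empty host the Sigma rule "Bad Opsec Defaults Sacrificial Processes With Improper Arguments" keys on before the thread-context and foreign-memory writes hollow it out. The following is an added example, not code from the Joe Sandbox report or from Agent Tesla: detection logic in Python run over constructed Sysmon-style process-creation records built from the command lines above. The pids, the explorer.exe parent and the two benign control records are assumed; the rule names mirror the Sigma titles in the Signatures list but the logic is written from scratch here.

```python
"""Detection logic for the process chain in this report.

Added example, not code from the Joe Sandbox report or from Agent Tesla. The
event records are constructed from the command lines the report shows; pids,
the explorer.exe parent and the two benign control records are assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Constructed Sysmon-style (Event ID 1) records mirroring the report's process tree.
EVENTS: List[ProcEvent] = [
    ProcEvent(1001, r"C:\Users\user\Desktop\Quotation For Inverter.exe",
              r'"C:\Users\user\Desktop\Quotation For Inverter.exe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(1002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe"',
              r"C:\Users\user\Desktop\Quotation For Inverter.exe"),
    ProcEvent(1003, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp"',
              r"C:\Users\user\Desktop\Quotation For Inverter.exe"),
    ProcEvent(1004, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
              r"C:\Users\user\Desktop\Quotation For Inverter.exe"),
    # Benign controls (assumed): an installer registering a task from Program Files,
    # and RegSvcs.exe given an assembly to register.
    ProcEvent(2001, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml"',
              r"C:\Program Files\Vendor\setup.exe"),
    ProcEvent(2002, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
              r'RegSvcs.exe "C:\Program Files\Vendor\Component.dll"',
              r"C:\Program Files\Vendor\setup.exe"),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# .NET utilities commonly started with no arguments purely to host injected code
# (an assumed subset of what the Sigma "sacrificial processes" rule covers).
SACRIFICIAL = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


def tokens(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def defender_exclusion(e: ProcEvent) -> Optional[str]:
    """Powershell Defender Exclusion: Add-/Set-MpPreference with an -Exclusion* switch."""
    if basename(e.image) != "powershell.exe":
        return None
    toks = tokens(e.command_line)
    if not any(re.fullmatch(r"(add|set)-mppreference", t, re.I) for t in toks):
        return None
    for i, t in enumerate(toks[:-1]):
        if re.fullmatch(r"-exclusion(path|extension|process)", t, re.I):
            return f"Defender exclusion for {toks[i + 1]}"
    return None


def schtasks_xml_from_temp(e: ProcEvent) -> Optional[str]:
    """Scheduled temp file as task: schtasks /Create whose /XML definition sits in %TEMP%."""
    if basename(e.image) != "schtasks.exe":
        return None
    toks = tokens(e.command_line)
    lower = [t.lower() for t in toks]
    if "/create" not in lower or "/xml" not in lower or lower.index("/xml") + 1 >= len(toks):
        return None
    xml = toks[lower.index("/xml") + 1]
    return f"task definition read from {xml}" if TEMP_DIR.search(xml) else None


def schtasks_suspicious_parent(e: ProcEvent) -> Optional[str]:
    """Suspicious Add Scheduled Task Parent: /Create issued by a binary in a user-writable path."""
    if basename(e.image) != "schtasks.exe" or "/create" not in e.command_line.lower():
        return None
    return f"schtasks spawned by {e.parent_image}" if USER_WRITABLE.search(e.parent_image) else None


def sacrificial_process(e: ProcEvent) -> Optional[str]:
    """Bad Opsec Defaults: a .NET utility started with no arguments, the usual hollowing host."""
    if basename(e.image) not in SACRIFICIAL or len(tokens(e.command_line)) > 1:
        return None
    return f"{basename(e.image)} started without arguments by {e.parent_image}"


RULES = {
    "powershell_defender_exclusion": defender_exclusion,
    "schtasks_xml_from_temp": schtasks_xml_from_temp,
    "schtasks_suspicious_parent": schtasks_suspicious_parent,
    "sacrificial_process_no_args": sacrificial_process,
}


def detect(events: List[ProcEvent]) -> List[Finding]:
    """Run every rule over every event and collect the hits."""
    findings = []
    for e in events:
        for name, rule in RULES.items():
            detail = rule(e)
            if detail:
                findings.append(Finding(e.pid, name, detail))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

The two control records matter as much as the hits: schtasks /Create with an XML under Program Files and RegSvcs.exe given an assembly path are everyday administrative activity, so the rules key on where the XML lives, where the parent runs from, and whether the .NET host was given anything to do, rather than on the tool names alone.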
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Quotation For Inverter.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Quotation For Inverter.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Quotation For Inverter.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Quotation For Inverter.exe Static file information: File size 1089024 > 1048576
Source: Quotation For Inverter.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Quotation For Inverter.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: rXza.pdb source: Quotation For Inverter.exe, KaCTPSocApHQCE.exe.0.dr
Source: Binary string: rXza.pdbSHA256+ source: Quotation For Inverter.exe, KaCTPSocApHQCE.exe.0.dr

Data Obfuscation

Source: Quotation For Inverter.exe, Form11.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: KaCTPSocApHQCE.exe.0.dr, Form11.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: Quotation For Inverter.exe Static PE information: 0xE3CFB179 [Sun Feb 11 13:36:57 2091 UTC]
Source: Quotation For Inverter.exe Static PE information: section name: .text entropy: 7.932481409512327
Source: KaCTPSocApHQCE.exe.0.dr Static PE information: section name: .text entropy: 7.932481409512327
Source: C:\Users\user\Desktop\Quotation For Inverter.exe File created: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe

Boot Survival

Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Memory allocated: E50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Memory allocated: 1BBB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Memory allocated: AD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Memory allocated: 1AF60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5452
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4379
Source: C:\Users\user\Desktop\Quotation For Inverter.exe TID: 612 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6884 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe TID: 5320 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Quotation For Inverter.exe, 00000000.00000002.2135269832.000000001F252000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe"
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe"
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Thread register set: target process: 6496
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Thread register set: target process: 5476
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 630A22010
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 607A1CB010
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe"
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp"
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpC4D5.tmp"
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Queries volume information: C:\Users\user\Desktop\Quotation For Inverter.exe VolumeInformation
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Queries volume information: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation For Inverter.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation For Inverter.exe.13ec9300.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation For Inverter.exe PID: 2744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: KaCTPSocApHQCE.exe PID: 2792, type: MEMORYSTR
Source: Yara match File source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation For Inverter.exe.13ec9300.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation For Inverter.exe PID: 2744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: KaCTPSocApHQCE.exe PID: 2792, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation For Inverter.exe.13ec9300.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation For Inverter.exe PID: 2744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: KaCTPSocApHQCE.exe PID: 2792, type: MEMORYSTR
No contacted IP infos