Windows Analysis Report
rQuotation3200025006.exe

Overview

General Information

Sample name: rQuotation3200025006.exe
Analysis ID: 1520520
MD5: 36c4bff0f1cdcda62da9229500ca1e38
SHA1: de74dbf7bac85a3a06c7038a4d4241389e6a5c8f
SHA256: fda83ecb5bd6a07dedaf6be0fce7c626e21e9df94d82ddb905460e9d6a25a162
Tags: AgentTeslaexeuser-Porcupine
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe ReversingLabs: Detection: 57%
Multi AV Scanner detection for submitted file
Source: rQuotation3200025006.exe ReversingLabs: Detection: 57%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: rQuotation3200025006.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: rQuotation3200025006.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: rQuotation3200025006.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 4x nop then jmp 06CC57B2h 0_2_06CC4D7B
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 4x nop then jmp 06CC57B2h 0_2_06CC4ECD
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 4x nop then jmp 06CC57B2h 0_2_06CC4EE4
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 4x nop then jmp 06AC4AAAh 9_2_06AC4073
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 4x nop then jmp 06AC4AAAh 9_2_06AC41C5
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 4x nop then jmp 06AC4AAAh 9_2_06AC41DC
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 4x nop then jmp 066D4AAAh 16_2_066D4073
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 4x nop then jmp 066D4AAAh 16_2_066D41C5
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 4x nop then jmp 066D4AAAh 16_2_066D41DC
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 4x nop then jmp 07274AAAh 25_2_07274073
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 4x nop then jmp 07274AAAh 25_2_072741C5
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 4x nop then jmp 07274AAAh 25_2_072741DC

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49753 -> 110.4.45.197:51497
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49746 -> 110.4.45.197:53334
Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49751 -> 110.4.45.197:21
Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49756 -> 110.4.45.197:21
Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49741 -> 110.4.45.197:21
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49757 -> 110.4.45.197:55730
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 110.4.45.197 ports 65186,64130,59960,61524,61759,53786,55824,55768,51546,61163,57406,65361,64095,62561,62089,1,53694,52440,2,56668,53334,58620,51497,55730,55438,60182,52328,21,55958
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49738 -> 110.4.45.197:53694
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY EXABYTES-AS-APExaBytesNetworkSdnBhdMY
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses FTP
Source: unknown FTP traffic detected: 110.4.45.197:21 -> 192.168.2.4:49737 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 19:10. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 19:10. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 19:10. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 19:10. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: ftp.haliza.com.my
Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002E28000.00000004.00000800.00020000.00000000.sdmp, rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp, rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.000000000354A000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.00000000035FF000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.00000000036EA000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.0000000003634000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1961223046.000000000326C000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000001C.00000002.4163218058.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000001C.00000002.4163218058.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000001C.00000002.4163218058.0000000003496000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ftp.haliza.com.my
Source: rQuotation3200025006.exe, 00000000.00000002.1732045998.0000000002701000.00000004.00000800.00020000.00000000.sdmp, rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 00000009.00000002.1841537852.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000010.00000002.1901166814.0000000002521000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1961223046.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000019.00000002.1979059945.0000000002F24000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000001C.00000002.4163218058.000000000336C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: rQuotation3200025006.exe, 00000000.00000002.1735717457.0000000005030000.00000004.00000020.00020000.00000000.sdmp, rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: rQuotation3200025006.exe, 00000000.00000002.1732806803.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1958682977.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: rQuotation3200025006.exe, 00000000.00000002.1732806803.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1958682977.0000000000402000.00000040.00000400.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1961223046.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000001C.00000002.4163218058.000000000336C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1961223046.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000001C.00000002.4163218058.000000000336C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1961223046.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000001C.00000002.4163218058.000000000336C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49755 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, SKTzxzsJw.cs .Net Code: _71ZRqC1D
Source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, SKTzxzsJw.cs .Net Code: _71ZRqC1D
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_0692C628 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,0692D458,00000000,00000000 8_2_0692C628
Installs a global keyboard hook
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\rQuotation3200025006.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\pBBqGOzrz.exe
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window created: window name: CLIPBRDWNDCLASS

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.rQuotation3200025006.exe.377e4e0.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rQuotation3200025006.exe.377e4e0.2.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 22.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 22.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
.NET source code contains very large array initializations
Source: rQuotation3200025006.exe, MainMenu.cs Large array initialization: : array initializer size 590396
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: rQuotation3200025006.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_008AF2E4 0_2_008AF2E4
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_04BBB7E8 0_2_04BBB7E8
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_04BBE7D8 0_2_04BBE7D8
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_04BBB7D8 0_2_04BBB7D8
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_04BBE7CB 0_2_04BBE7CB
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_04BBE3A0 0_2_04BBE3A0
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_04BBE39B 0_2_04BBE39B
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_04BBEC10 0_2_04BBEC10
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_04BB5E28 0_2_04BB5E28
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_04BB5E18 0_2_04BB5E18
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_06CC0E70 0_2_06CC0E70
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_06CC0A38 0_2_06CC0A38
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_02A6EA08 8_2_02A6EA08
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_02A64A68 8_2_02A64A68
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_02A63E50 8_2_02A63E50
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_02A6ADA0 8_2_02A6ADA0
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_02A64198 8_2_02A64198
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_060B1540 8_2_060B1540
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_060B1550 8_2_060B1550
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_0692C76C 8_2_0692C76C
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_069239C4 8_2_069239C4
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_069262D7 8_2_069262D7
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_069255E3 8_2_069255E3
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_069255E8 8_2_069255E8
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_069239B8 8_2_069239B8
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_06937E90 8_2_06937E90
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_069356A8 8_2_069356A8
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_06936700 8_2_06936700
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_06932758 8_2_06932758
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_0693B348 8_2_0693B348
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_06935E08 8_2_06935E08
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_069377B0 8_2_069377B0
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_0693E4C8 8_2_0693E4C8
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_06930040 8_2_06930040
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_0693003F 8_2_0693003F
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 9_2_00D2F2E4 9_2_00D2F2E4
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 9_2_06AC0E70 9_2_06AC0E70
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 9_2_06AC0A38 9_2_06AC0A38
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_018CE9F8 14_2_018CE9F8
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_018C4A68 14_2_018C4A68
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_018CAD90 14_2_018CAD90
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_018C3E50 14_2_018C3E50
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_018C4198 14_2_018C4198
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_07086700 14_2_07086700
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_07087E90 14_2_07087E90
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_070856A8 14_2_070856A8
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_07083578 14_2_07083578
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_0708B343 14_2_0708B343
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_0708274B 14_2_0708274B
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_070877B0 14_2_070877B0
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_07085DF7 14_2_07085DF7
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_0708E4C8 14_2_0708E4C8
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_07080040 14_2_07080040
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_0708003F 14_2_0708003F
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 16_2_00B0F2E4 16_2_00B0F2E4
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 16_2_066D0E70 16_2_066D0E70
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 16_2_066D2780 16_2_066D2780
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 16_2_066D0A38 16_2_066D0A38
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 22_2_03024A68 22_2_03024A68
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 22_2_03023E50 22_2_03023E50
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 22_2_0302AC70 22_2_0302AC70
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 22_2_03024198 22_2_03024198
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 22_2_0302E9C1 22_2_0302E9C1
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 22_2_06F13580 22_2_06F13580
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 22_2_06F10040 22_2_06F10040
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 22_2_06F177B8 22_2_06F177B8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 22_2_06F10006 22_2_06F10006
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 25_2_02CDF2E4 25_2_02CDF2E4
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 25_2_05420508 25_2_05420508
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 25_2_05420518 25_2_05420518
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 25_2_05421D31 25_2_05421D31
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 25_2_07270E70 25_2_07270E70
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 25_2_07270A38 25_2_07270A38
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_032C4A68 28_2_032C4A68
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_032CE8D8 28_2_032CE8D8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_032C3E50 28_2_032C3E50
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_032C4198 28_2_032C4198
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_032C1990 28_2_032C1990
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_071AC3FC 28_2_071AC3FC
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_071A52A8 28_2_071A52A8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_071A52A2 28_2_071A52A2
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_071B6708 28_2_071B6708
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_071B7E98 28_2_071B7E98
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_071B56B0 28_2_071B56B0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_071B3580 28_2_071B3580
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_071B0040 28_2_071B0040
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_071B77B8 28_2_071B77B8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_071B5DFF 28_2_071B5DFF
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_071BE4D0 28_2_071BE4D0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_071B001D 28_2_071B001D
Sample file is different than original file name gathered from version info
Source: rQuotation3200025006.exe, 00000000.00000002.1731067314.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs rQuotation3200025006.exe
Source: rQuotation3200025006.exe, 00000000.00000002.1732806803.00000000036B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs rQuotation3200025006.exe
Source: rQuotation3200025006.exe, 00000000.00000002.1738225361.0000000006F70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs rQuotation3200025006.exe
Source: rQuotation3200025006.exe, 00000000.00000000.1676301194.0000000000290000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBWmX.exeD vs rQuotation3200025006.exe
Source: rQuotation3200025006.exe, 00000000.00000002.1739676085.0000000007710000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBWmX.exeD vs rQuotation3200025006.exe
Source: rQuotation3200025006.exe, 00000000.00000002.1732806803.0000000003924000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs rQuotation3200025006.exe
Source: rQuotation3200025006.exe, 00000000.00000002.1732045998.0000000002701000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs rQuotation3200025006.exe
Source: rQuotation3200025006.exe, 00000008.00000002.4157176054.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rQuotation3200025006.exe
Source: rQuotation3200025006.exe Binary or memory string: OriginalFilenameBWmX.exeD vs rQuotation3200025006.exe
Uses 32bit PE files
Source: rQuotation3200025006.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.rQuotation3200025006.exe.377e4e0.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rQuotation3200025006.exe.377e4e0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 22.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 22.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: rQuotation3200025006.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pBBqGOzrz.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, KHpWQ0SIuHGDwagjf6.cs Security API names: _0020.SetAccessControl
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, KHpWQ0SIuHGDwagjf6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, KHpWQ0SIuHGDwagjf6.cs Security API names: _0020.AddAccessRule
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, SIQfwITd9ei2CpANlp.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@39/20@2/2
Source: C:\Users\user\Desktop\rQuotation3200025006.exe File created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1748:120:WilError_03
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Mutant created: \Sessions\1\BaseNamedObjects\dUNTqlHSZjNOL
Source: C:\Users\user\Desktop\rQuotation3200025006.exe File created: C:\Users\user\AppData\Local\Temp\tmp3D2.tmp Jump to behavior
Source: rQuotation3200025006.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rQuotation3200025006.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\rQuotation3200025006.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rQuotation3200025006.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rQuotation3200025006.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rQuotation3200025006.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: rQuotation3200025006.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\rQuotation3200025006.exe File read: C:\Users\user\Desktop\rQuotation3200025006.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\rQuotation3200025006.exe "C:\Users\user\Desktop\rQuotation3200025006.exe"
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Users\user\Desktop\rQuotation3200025006.exe "C:\Users\user\Desktop\rQuotation3200025006.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe C:\Users\user\AppData\Roaming\pBBqGOzrz.exe
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB5.tmp"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp4705.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp6606.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe" Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe" Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp" Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Users\user\Desktop\rQuotation3200025006.exe "C:\Users\user\Desktop\rQuotation3200025006.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB5.tmp"
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp4705.tmp"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp6606.tmp"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\rQuotation3200025006.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: rQuotation3200025006.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rQuotation3200025006.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: rQuotation3200025006.exe, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.rQuotation3200025006.exe.4fb0000.4.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.rQuotation3200025006.exe.26e8b6c.0.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, KHpWQ0SIuHGDwagjf6.cs .Net Code: ouhZd92ZvS System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_04BBFC58 pushfd ; retf 0_2_04BBFC5A
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_04BB1888 pushad ; retf 0_2_04BB1889
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_06CC4710 push eax; retf 0_2_06CC4711
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_06CC7B85 push FFFFFF8Bh; iretd 0_2_06CC7B87
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_06CC4B83 pushad ; iretd 0_2_06CC4B85
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 9_2_06AC5168 pushad ; iretd 9_2_06AC5169
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 9_2_06AC6F2D push FFFFFF8Bh; iretd 9_2_06AC6F2F
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_018CF8E8 pushad ; retf 14_2_018CF8F1
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_018C0C55 push edi; retf 14_2_018C0C7A
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 16_2_066D6F2D push FFFFFF8Bh; iretd 16_2_066D6F2F
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 16_2_066D5168 pushad ; iretd 16_2_066D5169
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 25_2_05426105 push esi; iretd 25_2_05426106
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 25_2_07276E6D push FFFFFF8Bh; iretd 25_2_07276E6F
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_032CF7C8 pushad ; retf 28_2_032CF7D1
Source: rQuotation3200025006.exe Static PE information: section name: .text entropy: 7.946103748533992
Source: pBBqGOzrz.exe.0.dr Static PE information: section name: .text entropy: 7.946103748533992
Source: 0.2.rQuotation3200025006.exe.4fb0000.4.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.rQuotation3200025006.exe.26e8b6c.0.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, wMS4Kp4PS7QXLDwFba.cs High entropy of concatenated method names: 'GPa0KfIwhl', 's1L0kRMuS2', 'NEI0Rp8qmY', 'hEA0DmCcjC', 'Qs105gGPF0', 'JoT0cSEOwq', 'gs70OQEa2N', 'jv80LkQslm', 'KTw0Un7g5y', 'twv0wQKHVw'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, TAKKyQpcGnSdH0xi7T.cs High entropy of concatenated method names: 'AMbquEdkgh', 'EN9qXGFR8O', 'b7MqybfdBC', 'eiXyPfVVIK', 'E30yzTD3u3', 'sYqqGSICpi', 'aHFqBwBv5b', 'WRUqVlu65H', 'AnLqrBxRG2', 'CEhqZ0721q'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, nKwRxOEJXPmCwrdxu7.cs High entropy of concatenated method names: 'KVWdThSED', 'GdpYV7TKo', 'QoMo7s1Zs', 'JUxAwQhTZ', 'nqYk6UE8P', 'JdYvn4hiY', 'EAGGHqd9EgXB7jraa8', 'vQE8wR5IQhYq0hC6yX', 'MX5e7sotc', 'gTZ1nvpE6'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, GJOr6KCN4jXCBadg9n.cs High entropy of concatenated method names: 'c4jyjxpgId', 'DX8yIAX1Xv', 'xDNyQ6d15x', 'c5UyqjLpqH', 'WqkyH0jGM2', 'JtGQ3jArKF', 'fYIQhtaP47', 'ysvQEBTbma', 'QEpQtjKGlE', 'w2GQis3dFf'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, JSvpK7PbC3ADjp6YBha.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LAp1FZm3Yj', 'dg41MWYkhc', 'NEI14RQHmh', 'BKY1snDrQ8', 'CEZ13BkKip', 'aCc1hRVQ9Y', 'GJ31Eu0yvO'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, daS1DKPWJeoLefLlWoA.cs High entropy of concatenated method names: 'zbZpgL6Hjl', 'Nyhplswj0a', 'hZmpdVGxGR', 'tSNpYeuwV5', 'EhUpJ4F0JR', 'F3Tpob1PSo', 'ksspAeJCEO', 'cjDpKwsZn5', 'hcypkSTjYV', 'NXmpvFlKmU'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, PyH0ExoJb7qhW6t6e0.cs High entropy of concatenated method names: 'tX0ntVYDlc', 'AXSnPSNe1P', 'ampeGI5mjS', 'WULeBcKmJQ', 'jtjnwZ2ZG6', 'LaQn6GfHox', 'gWKnbAHOHS', 'veunFBgDBM', 'MHlnMRBX8h', 'dexn4ZuktS'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, KHpWQ0SIuHGDwagjf6.cs High entropy of concatenated method names: 'liirjhkj6a', 'cNhru5avY3', 'Gn6rIVUWn3', 'RgjrX9Jjha', 'F2vrQXJYMk', 'xytryolMZP', 'yggrqi1E0k', 'TWArH3TW69', 'FZIraDZIYt', 'wifr8NpYFs'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, SIQfwITd9ei2CpANlp.cs High entropy of concatenated method names: 'pQDIFusNum', 'cmPIM6Or55', 'ex3I4ZgLkW', 'UpXIswQFrs', 'jyGI3FVxnK', 'b9DIhsPulk', 'U6IIEdvaEM', 'vYdItAF6DL', 'HIKIiiTltH', 'doEIPK629q'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, AlgpF0sIMI7wBJ03Gu.cs High entropy of concatenated method names: 'AELpBKGQsO', 'sqJprkPo4o', 'og8pZ39RM4', 'o8WpuhuwR5', 'CWnpIRHmag', 'TrDpQY3hdW', 'H8VpyaYXBt', 'UkieEp5Mei', 'RSjetoDFPm', 'M8ueiY9Tv5'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, A99IY269OrPLqVFrp2.cs High entropy of concatenated method names: 'VWnQJNfWBW', 'v0hQALLcqH', 'GilXmHukg6', 'G0uX5W1cYN', 'TyjXc3AY6b', 'GUdXSnoV37', 'Jw2XOw11mR', 'yEkXLxAFD5', 'sNfXC7fh4w', 'fvHXUCBILP'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, jy272HJXpTWWhUZ0r3.cs High entropy of concatenated method names: 'eViXYOW3rR', 'CLUXokd0fa', 'spFXKTBYHt', 'YwPXkXByRW', 'nLaXTtwSZj', 'zHGX9eDSND', 'GXIXnZTY7a', 'c6aXe4jigC', 'QtsXp9R8wI', 'DUnX1gArEW'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, yUXuXNUq68P96YSGRh.cs High entropy of concatenated method names: 'Dispose', 'tDpBipLP9D', 'aTFVDRF0cm', 'Uc1xx1lYd4', 'k4yBPx91Au', 'S9ZBzBhCMu', 'ProcessDialogKey', 'F1SVGp5Zl9', 'vNHVBKayAi', 'ziRVVYSItn'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, vpCmup94T7VrxmPluJ.cs High entropy of concatenated method names: 'ToString', 'C7R9wLoLx6', 'bc69DxrQMw', 'NIk9mQtVNn', 'eLw95IwZun', 'hP79cb1omf', 'T239S70NAo', 'cUV9OwjF9a', 'VyT9L12h06', 'fHt9CXOlSJ'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, nn0B2Ei9tlVnIbvlnQ.cs High entropy of concatenated method names: 'PKOqgA3dKi', 'bvDqlLnOkX', 'TBEqddkUxe', 'wiAqYuRSj4', 'IoWqJidZLS', 'uiWqoIGN28', 'VlBqA2joqV', 'TYFqKjDTgV', 'dlfqkE8Yqf', 't3SqvoGdJK'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, astpH0IZwtMO22Sbdr.cs High entropy of concatenated method names: 'rGWeuX4peC', 'IwaeI5wHSi', 'fJReX62T2l', 'gEveQZkvZF', 'cj6eyspwy4', 'dAIeqVk9rB', 'Rj5eHalvte', 'BVbeaIEYHX', 'Iufe8yDHwg', 'PLRe7vyQx0'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, IsXVmmk7SsweRGxjwD.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'CCpVi9kBDY', 'zf4VPmQ3fT', 'yJQVzDJk4P', 'j9krGKrrWH', 'v2qrB1Y7xQ', 'MBGrV3xpEc', 'USprr8fDJD', 'Kd559AYYiqVDk2EXsTc'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, uGs8lVOZpO8VCg0kB1.cs High entropy of concatenated method names: 'rlUTUCYMft', 'n3jT6IsyPB', 'oVgTFiq9Fp', 'eXrTM8R9BX', 'uDcTDMnNyi', 'sUuTmtow7h', 'CCwT56xB2S', 'a2mTcNsqA8', 'RyETSmMEl4', 'jC6TOwShGk'
Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, OWdE7xw0tiiGCQCYNU.cs High entropy of concatenated method names: 'qeSBqjCPlZ', 'Q2dBHUnVTJ', 'WbOB8s7lbK', 'zeWB7DCKVY', 'gYPBTn7q4J', 'OY7B9oC5ZK', 'GlTAKmQGI5iXqkYVxQ', 'Yloi4TMxjBLjKV7ToY', 'H0uBBMWCV4', 'iSjBra1CpO'
Drops PE files
Source: C:\Users\user\Desktop\rQuotation3200025006.exe File created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Jump to dropped file
Source: C:\Users\user\Desktop\rQuotation3200025006.exe File created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp"
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\rQuotation3200025006.exe File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes | delete
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: rQuotation3200025006.exe PID: 6744, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rQuotation3200025006.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 8A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 26B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 2560000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 7800000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 8800000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 89C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 99C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 1190000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 2C60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 1190000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: D20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 26A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 2500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 72F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 82F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 8490000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 9490000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 18C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 34B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 32F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: AA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 24D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 22C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 7280000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 8280000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 8430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 9430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 3020000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 31F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 51F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 2ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 2D10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 7C40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 8C40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 8DF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 9DF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 32C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 3360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 5360000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599218 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598999 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598889 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598672 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598561 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598451 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598343 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598234 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598124 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598002 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597789 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597683 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597553 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597422 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597308 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597187 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597078 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596968 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596750 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596640 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596531 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596417 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596297 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596187 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596078 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595968 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595859 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595749 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595639 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595531 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595410 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595279 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595169 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594864 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594585 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594468 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594359 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594244 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594125 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594015 Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599859
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599640
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599531
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599421
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599312
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599203
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599093
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598874
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598726
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598609
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598499
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598390
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598281
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598171
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598059
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597843
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597317
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597165
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597049
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596921
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596697
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596574
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596468
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596302
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596171
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595949
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595843
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595624
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595515
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595268
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595146
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594450
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594343
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594234
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594125
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594015
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593906
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593794
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593687
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593578
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593464
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593310
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599768
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599640
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599454
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599217
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598671
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597796
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596921
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596593
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596484
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596375
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596260
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596142
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595905
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595791
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595679
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595575
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595358
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599654
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599327
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598994
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598668
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598339
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596915
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596593
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596484
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596375
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596265
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596156
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596046
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595934
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595828
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595718
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595609
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595500
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595390
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595281
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595171
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595062
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594839
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594734
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594625
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7917 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1660 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7848 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1809 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Window / User API: threadDelayed 3835 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Window / User API: threadDelayed 6006 Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Window / User API: threadDelayed 2702
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Window / User API: threadDelayed 7150
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 5038
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 3268
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 2671
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 7188
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 6800 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6416 Thread sleep count: 7917 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1004 Thread sleep count: 1660 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200 Thread sleep time: -17524406870024063s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196 Thread sleep time: -16602069666338586s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -599546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -599437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -599328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -599218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -599109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -598999s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -598889s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -598781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -598672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -598561s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -598451s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -598343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -598234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -598124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -598002s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -597789s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -597683s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -597553s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -597422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -597308s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -597187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -597078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -596968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -596859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -596750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -596640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -596531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -596417s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -596297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -596187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -596078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -595968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -595859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -595749s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -595639s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -595531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -595410s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -595279s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -595169s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -594864s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -594734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -594585s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -594468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -594359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -594244s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -594125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe TID: 7372 Thread sleep time: -594015s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7280 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -599859s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -599750s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -599640s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -599531s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -599421s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -599312s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -599203s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -599093s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -598874s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -598726s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -598609s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -598499s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -598390s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -598281s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -598171s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -598059s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -597953s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -597843s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -597317s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -597165s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -597049s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -596921s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -596697s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -596574s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -596468s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -596302s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -596171s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -596062s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -595949s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -595843s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -595734s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -595624s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -595515s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -595268s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -595146s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -594450s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -594343s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -594234s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -594125s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -594015s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -593906s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -593794s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -593687s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -593578s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -593464s >= -30000s
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe TID: 7728 Thread sleep time: -593310s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7872 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7148 Thread sleep count: 5038 > 30
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7148 Thread sleep count: 3268 > 30
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -599768s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -599640s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -599454s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -599217s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -597796s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -597468s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -597359s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -597140s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -597031s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -596921s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -596593s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -596484s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -596375s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -596260s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -596142s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -595905s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -595791s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -595679s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -595575s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -595468s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7100 Thread sleep time: -595358s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 352 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -599654s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -599327s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -598994s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -598668s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -598339s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -597468s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -597359s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -597140s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -597031s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -596915s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -596593s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -596484s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -596375s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -596265s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -596156s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -596046s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -595934s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -595828s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -595718s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -595609s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -595500s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -595390s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -595281s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -595171s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -595062s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -594839s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -594734s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7424 Thread sleep time: -594625s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rQuotation3200025006.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rQuotation3200025006.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rQuotation3200025006.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rQuotation3200025006.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599218 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598999 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598889 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598672 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598561 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598451 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598343 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598234 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598124 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598002 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597789 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597683 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597553 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597422 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597308 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597187 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597078 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596968 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596750 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596640 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596531 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596417 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596297 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596187 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596078 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595968 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595859 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595749 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595639 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595531 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595410 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595279 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595169 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594864 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594585 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594468 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594359 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594244 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594125 Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594015 Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599859
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599640
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599531
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599421
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599312
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599203
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599093
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598874
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598726
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598609
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598499
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598390
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598281
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598171
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598059
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597843
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597317
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597165
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597049
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596921
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596697
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596574
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596468
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596302
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596171
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595949
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595843
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595624
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595515
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595268
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595146
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594450
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594343
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594234
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594125
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594015
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593906
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593794
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593687
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593578
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593464
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593310
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599768
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599640
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599454
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599217
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598671
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597796
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596921
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596593
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596484
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596375
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596260
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596142
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595905
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595791
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595679
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595575
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595358
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599654
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599327
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598994
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598668
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598339
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596915
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596593
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596484
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596375
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596265
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596156
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596046
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595934
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595828
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595718
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595609
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595500
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595390
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595281
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595171
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595062
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594839
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594734
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594625
Source: rQuotation3200025006.exe, 00000008.00000002.4158424515.0000000000F54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: sgxIb.exe, 0000001C.00000002.4158194442.000000000181E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: pBBqGOzrz.exe, 0000000E.00000002.4157797826.000000000168A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: sgxIb.exe, 00000016.00000002.1959190035.00000000015C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe"
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe" Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory written: C:\Users\user\Desktop\rQuotation3200025006.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory written: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory written: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory written: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe" Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe" Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp" Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Users\user\Desktop\rQuotation3200025006.exe "C:\Users\user\Desktop\rQuotation3200025006.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB5.tmp"
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp4705.tmp"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp6606.tmp"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q3<b>[ Program Manager]</b> (27/09/2024 22:02:17)<br>
Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <html>Time: 10/15/2024 03:01:59<br>User Name: user<br>Computer Name: 849224<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.33<br><hr><b>[ Program Manager]</b> (27/09/2024 22:02:17)<br>{Win}r</html>
Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q
Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q8<b>[ Program Manager]</b> (27/09/2024 22:02:17)<br>{Win}THcq
Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q9<b>[ Program Manager]</b> (27/09/2024 22:02:17)<br>{Win}rTHcq
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Users\user\Desktop\rQuotation3200025006.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Users\user\Desktop\rQuotation3200025006.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Queries volume information: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Queries volume information: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.rQuotation3200025006.exe.377e4e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rQuotation3200025006.exe.3741cc0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.4163218058.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4163218058.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4164492788.000000000354A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4163306810.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1961223046.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1958682977.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4164492788.0000000003501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1961223046.000000000326C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4163306810.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1732806803.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rQuotation3200025006.exe PID: 6744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rQuotation3200025006.exe PID: 2756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pBBqGOzrz.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sgxIb.exe PID: 8012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sgxIb.exe PID: 7188, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\rQuotation3200025006.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\rQuotation3200025006.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 0.2.rQuotation3200025006.exe.377e4e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rQuotation3200025006.exe.3741cc0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.4163218058.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1961223046.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1958682977.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4164492788.0000000003501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4163306810.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1732806803.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rQuotation3200025006.exe PID: 6744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rQuotation3200025006.exe PID: 2756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pBBqGOzrz.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sgxIb.exe PID: 8012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sgxIb.exe PID: 7188, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.rQuotation3200025006.exe.377e4e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rQuotation3200025006.exe.3741cc0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.4163218058.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4163218058.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4164492788.000000000354A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4163306810.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1961223046.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1958682977.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4164492788.0000000003501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1961223046.000000000326C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4163306810.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1732806803.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rQuotation3200025006.exe PID: 6744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rQuotation3200025006.exe PID: 2756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pBBqGOzrz.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sgxIb.exe PID: 8012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sgxIb.exe PID: 7188, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1520520 Sample: rQuotation3200025006.exe Startdate: 27/09/2024 Architecture: WINDOWS Score: 100 65 ftp.haliza.com.my 2->65 67 api.ipify.org 2->67 73 Suricata IDS alerts for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 12 other signatures 2->79 8 rQuotation3200025006.exe 7 2->8         started        12 pBBqGOzrz.exe 2->12         started        14 sgxIb.exe 2->14         started        16 sgxIb.exe 2->16         started        signatures3 process4 file5 57 C:\Users\user\AppData\Roaming\pBBqGOzrz.exe, PE32 8->57 dropped 59 C:\Users\...\pBBqGOzrz.exe:Zone.Identifier, ASCII 8->59 dropped 61 C:\Users\user\AppData\Local\Temp\tmp3D2.tmp, XML 8->61 dropped 63 C:\Users\...\rQuotation3200025006.exe.log, ASCII 8->63 dropped 95 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->95 97 Contains functionality to register a low level keyboard hook 8->97 99 Uses schtasks.exe or at.exe to add and modify task schedules 8->99 101 Adds a directory exclusion to Windows Defender 8->101 18 rQuotation3200025006.exe 16 5 8->18         started        23 powershell.exe 23 8->23         started        33 2 other processes 8->33 103 Multi AV Scanner detection for dropped file 12->103 105 Machine Learning detection for dropped file 12->105 107 Injects a PE file into a foreign processes 12->107 25 pBBqGOzrz.exe 12->25         started        35 2 other processes 12->35 27 sgxIb.exe 14->27         started        37 4 other processes 14->37 29 sgxIb.exe 16->29         started        31 schtasks.exe 16->31         started        signatures6 process7 dnsIp8 69 ftp.haliza.com.my 110.4.45.197, 21, 49736, 49737 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 18->69 71 api.ipify.org 104.26.12.205, 443, 49733, 49740 CLOUDFLARENETUS United States 18->71 53 C:\Users\user\AppData\Roaming\...\sgxIb.exe, PE32 18->53 dropped 55 C:\Users\user\...\sgxIb.exe:Zone.Identifier, ASCII 18->55 dropped 81 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->81 83 Tries to steal Mail credentials (via file / registry access) 18->83 85 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->85 87 Loading BitLocker PowerShell Module 23->87 39 conhost.exe 23->39         started        41 WmiPrvSE.exe 23->41         started        89 Tries to harvest and steal ftp login credentials 29->89 91 Tries to harvest and steal browser information (history, passwords, etc) 29->91 93 Installs a global keyboard hook 29->93 43 conhost.exe 31->43         started        45 conhost.exe 33->45         started        47 conhost.exe 33->47         started        49 conhost.exe 35->49         started        51 conhost.exe 37->51         started        file9 signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.26.12.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false
110.4.45.197
 ftp.haliza.com.my Malaysia
46015 EXABYTES-AS-APExaBytesNetworkSdnBhdMY true

Contacted Domains

Name IP Active
api.ipify.org 104.26.12.205 true
ftp.haliza.com.my 110.4.45.197 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
  • URL Reputation: safe
 unknown