Windows Analysis Report
QUOTATIONS#08670.exe

Overview

General Information

Sample name: QUOTATIONS#08670.exe
Analysis ID: 1524956
MD5: b88a9908634769557e2b6396f634c4ae
SHA1: 49ee7bf7463600dd8cd4b650ac0644c1a4ffb239
SHA256: fa7d9ffd715033a0b922b2b65f1fa6da05bb9feafe1432a9cc0863f7f640a3f9
Tags: exeuser-threatcat_ch
Infos:

Detection

AgentTesla, DarkTortilla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Name Description Attribution Blogpost URLs Link
DarkTortilla DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

AV Detection
barindex
Found malware configuration
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "me@ercolina-usa.com", "Password": "uy,o#mZj8$lY"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe ReversingLabs: Detection: 23%
Multi AV Scanner detection for submitted file
Source: QUOTATIONS#08670.exe ReversingLabs: Detection: 23%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: QUOTATIONS#08670.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: QUOTATIONS#08670.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.11:62916 version: TLS 1.2
Source: QUOTATIONS#08670.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.254.225.136 192.254.225.136
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses FTP
Source: unknown FTP traffic detected: 192.254.225.136:21 -> 192.168.2.11:62918 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 150 allowed.220-Local time is now 07:29. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 150 allowed.220-Local time is now 07:29. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 150 allowed.220-Local time is now 07:29. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: ftp.ercolina-usa.com
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ercolina-usa.com
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ftp.ercolina-usa.com
Source: newapp.exe, 00000009.00000002.2570999762.0000000000B37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.c
Source: newapp.exe, 00000009.00000002.2570999762.0000000000B37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.cinkI
Source: newapp.exe, 00000009.00000002.2605752686.0000000005EE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://purl.oen
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.0000000003061000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000004.00000002.2570779363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 00000008.00000002.2597502551.0000000004213000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000008.00000002.2597502551.0000000004345000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000008.00000002.2597502551.000000000413F000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2596669969.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2596669969.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2596669969.0000000003B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000004.00000002.2575902767.0000000003061000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000004.00000002.2570779363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 00000008.00000002.2597502551.0000000004213000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000008.00000002.2597502551.0000000004345000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000008.00000002.2597502551.000000000413F000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2596669969.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2596669969.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2596669969.0000000003B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.0000000003061000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.0000000003061000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 62916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62916
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.11:62916 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, SKTzxzsJw.cs .Net Code: kwpilQkK
Source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, SKTzxzsJw.cs .Net Code: kwpilQkK
Source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, SKTzxzsJw.cs .Net Code: kwpilQkK
Source: 0.2.QUOTATIONS#08670.exe.3828c62.4.raw.unpack, SKTzxzsJw.cs .Net Code: kwpilQkK
Source: 0.2.QUOTATIONS#08670.exe.3865d32.3.raw.unpack, SKTzxzsJw.cs .Net Code: kwpilQkK
Installs a global keyboard hook
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\QUOTATIONS#08670.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 9.2.newapp.exe.3cc54ba.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.newapp.exe.3cc54ba.4.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 8.2.newapp.exe.4345322.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.newapp.exe.4345322.3.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 8.2.newapp.exe.43823e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.newapp.exe.43823e0.4.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.newapp.exe.3d02578.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.newapp.exe.3d02578.2.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 8.2.newapp.exe.428e0d2.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.newapp.exe.428e0d2.2.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.3828c62.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.3828c62.4.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.391cf70.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.391cf70.5.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 8.2.newapp.exe.4250ff2.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.newapp.exe.4250ff2.1.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.newapp.exe.3c4b33a.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.newapp.exe.3c4b33a.1.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.newapp.exe.3c0e26a.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.newapp.exe.3c0e26a.0.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.newapp.exe.3c4b33a.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.newapp.exe.3c4b33a.1.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 4.2.QUOTATIONS#08670.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.QUOTATIONS#08670.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.newapp.exe.3bd118a.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.newapp.exe.3bd118a.3.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.newapp.exe.3d02578.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.newapp.exe.3d02578.2.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.newapp.exe.42cb1a2.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.newapp.exe.42cb1a2.0.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.newapp.exe.3c0e26a.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.newapp.exe.3c0e26a.0.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.3865d32.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.3865d32.3.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.3865d32.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.3865d32.3.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 8.2.newapp.exe.428e0d2.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.newapp.exe.428e0d2.2.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.3828c62.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.3828c62.4.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.newapp.exe.3cc54ba.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.newapp.exe.3cc54ba.4.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 8.2.newapp.exe.43823e0.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.newapp.exe.43823e0.4.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 8.2.newapp.exe.42cb1a2.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.newapp.exe.42cb1a2.0.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 8.2.newapp.exe.4345322.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.newapp.exe.4345322.3.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.newapp.exe.3bd118a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.newapp.exe.3bd118a.3.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 8.2.newapp.exe.4250ff2.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.newapp.exe.4250ff2.1.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: QUOTATIONS#08670.exe
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_07929CD0 CreateProcessAsUserW, 0_2_07929CD0
Detected potential crypto function
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_008F86F9 0_2_008F86F9
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_008FAC38 0_2_008FAC38
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_008F79B8 0_2_008F79B8
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_008FCD88 0_2_008FCD88
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_06D232E8 0_2_06D232E8
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_06D2B8A0 0_2_06D2B8A0
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_06D232D9 0_2_06D232D9
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_06D2D210 0_2_06D2D210
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_07123538 0_2_07123538
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_0712DD70 0_2_0712DD70
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_0712DD6F 0_2_0712DD6F
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_071E2210 0_2_071E2210
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_071ECBA0 0_2_071ECBA0
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_071ECBD0 0_2_071ECBD0
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_079227C0 0_2_079227C0
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_07923FF8 0_2_07923FF8
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_07924B2B 0_2_07924B2B
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_0792A250 0_2_0792A250
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_079227BF 0_2_079227BF
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_079237D8 0_2_079237D8
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_07923FE8 0_2_07923FE8
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_0792F2B0 0_2_0792F2B0
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_07927E28 0_2_07927E28
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_07928590 0_2_07928590
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_0792E950 0_2_0792E950
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_0792003A 0_2_0792003A
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_07926827 0_2_07926827
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_07926828 0_2_07926828
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_07920040 0_2_07920040
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_071E21E5 0_2_071E21E5
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_0146E010 4_2_0146E010
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_0146E7B5 4_2_0146E7B5
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_01464A68 4_2_01464A68
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_01463E50 4_2_01463E50
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_01464198 4_2_01464198
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_0146ADA0 4_2_0146ADA0
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BC67B0 4_2_06BC67B0
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BC6BB0 4_2_06BC6BB0
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BC5AE8 4_2_06BC5AE8
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BC5ADA 4_2_06BC5ADA
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BC1910 4_2_06BC1910
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BE6638 4_2_06BE6638
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BE34B0 4_2_06BE34B0
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BEB4DC 4_2_06BEB4DC
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BE55E8 4_2_06BE55E8
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BE7DC8 4_2_06BE7DC8
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BE76E8 4_2_06BE76E8
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BE2728 4_2_06BE2728
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BE5D27 4_2_06BE5D27
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BEE3F0 4_2_06BEE3F0
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_06BE0040 4_2_06BE0040
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_02F686F9 8_2_02F686F9
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_02F64B70 8_2_02F64B70
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_02F6AC38 8_2_02F6AC38
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_02F679B8 8_2_02F679B8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_02F6CD88 8_2_02F6CD88
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0622E1A8 8_2_0622E1A8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0622E198 8_2_0622E198
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0622B81C 8_2_0622B81C
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_077D3538 8_2_077D3538
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_077DDD70 8_2_077DDD70
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_077DDD6F 8_2_077DDD6F
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07892210 8_2_07892210
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0789CBA0 8_2_0789CBA0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB32E8 8_2_07CB32E8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CBCE84 8_2_07CBCE84
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB32E3 8_2_07CB32E3
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CBD210 8_2_07CBD210
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0810A549 8_2_0810A549
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_081049E2 8_2_081049E2
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0810A250 8_2_0810A250
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_08108A50 8_2_08108A50
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_081027C0 8_2_081027C0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_08103FF8 8_2_08103FF8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_08100016 8_2_08100016
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_08100040 8_2_08100040
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_08108448 8_2_08108448
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_08107CD0 8_2_08107CD0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_08107CE0 8_2_08107CE0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0810A240 8_2_0810A240
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_08107EBF 8_2_08107EBF
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_081066D0 8_2_081066D0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_081066E0 8_2_081066E0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_081027B0 8_2_081027B0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_081037D8 8_2_081037D8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0810ABE0 8_2_0810ABE0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_08103FE8 8_2_08103FE8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811B838 8_2_0811B838
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_08110040 8_2_08110040
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_08118941 8_2_08118941
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_08114D98 8_2_08114D98
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811EDA0 8_2_0811EDA0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_081199D7 8_2_081199D7
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811A5F8 8_2_0811A5F8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811AE71 8_2_0811AE71
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811C6E8 8_2_0811C6E8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811EC08 8_2_0811EC08
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811E0B0 8_2_0811E0B0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811E0A0 8_2_0811E0A0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811A570 8_2_0811A570
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811E990 8_2_0811E990
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811E983 8_2_0811E983
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811D5D0 8_2_0811D5D0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811D5C1 8_2_0811D5C1
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811B670 8_2_0811B670
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811C6AF 8_2_0811C6AF
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811E758 8_2_0811E758
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811E748 8_2_0811E748
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811E3A0 8_2_0811E3A0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811D3F9 8_2_0811D3F9
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0811EBF8 8_2_0811EBF8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_078921E5 8_2_078921E5
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_010886F9 9_2_010886F9
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_01084B70 9_2_01084B70
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_0108AC38 9_2_0108AC38
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_010879B8 9_2_010879B8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_0108CD88 9_2_0108CD88
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07543538 9_2_07543538
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_0754DD5F 9_2_0754DD5F
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_0754DD70 9_2_0754DD70
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07602210 9_2_07602210
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_0760CBA0 9_2_0760CBA0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_076632E8 9_2_076632E8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_0766EA48 9_2_0766EA48
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_0766D210 9_2_0766D210
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_076632D9 9_2_076632D9
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA27C0 9_2_07AA27C0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA8BC1 9_2_07AA8BC1
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA4290 9_2_07AA4290
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AAA250 9_2_07AAA250
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA49E3 9_2_07AA49E3
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA27B0 9_2_07AA27B0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA37D8 9_2_07AA37D8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA4280 9_2_07AA4280
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA7E28 9_2_07AA7E28
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA7E19 9_2_07AA7E19
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA8590 9_2_07AA8590
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA6828 9_2_07AA6828
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA0025 9_2_07AA0025
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA8007 9_2_07AA8007
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA681B 9_2_07AA681B
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AA0040 9_2_07AA0040
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABC6E8 9_2_07ABC6E8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABAE71 9_2_07ABAE71
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABEDA0 9_2_07ABEDA0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AB4D98 9_2_07AB4D98
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABA5F8 9_2_07ABA5F8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AB99D7 9_2_07AB99D7
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AB8941 9_2_07AB8941
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABB838 9_2_07ABB838
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07AB0040 9_2_07AB0040
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABE3A0 9_2_07ABE3A0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABD3F9 9_2_07ABD3F9
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABEBF8 9_2_07ABEBF8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABE748 9_2_07ABE748
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABE758 9_2_07ABE758
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABC6B1 9_2_07ABC6B1
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABE982 9_2_07ABE982
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABE990 9_2_07ABE990
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABD5C1 9_2_07ABD5C1
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABD5D0 9_2_07ABD5D0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABA56F 9_2_07ABA56F
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABE0A0 9_2_07ABE0A0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABE0B0 9_2_07ABE0B0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_07ABEC08 9_2_07ABEC08
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_076021E5 9_2_076021E5
Sample file is different than original file name gathered from version info
Source: QUOTATIONS#08670.exe, 00000000.00000002.2019882237.0000000004E50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTokenTableApp.dll> vs QUOTATIONS#08670.exe
Source: QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename4781ad81-0abf-42ba-9cb5-204cd7690d39.exe4 vs QUOTATIONS#08670.exe
Source: QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTokenTableApp.dll> vs QUOTATIONS#08670.exe
Source: QUOTATIONS#08670.exe, 00000000.00000002.2020384479.0000000004F60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRP8SH.dll6 vs QUOTATIONS#08670.exe
Source: QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename4781ad81-0abf-42ba-9cb5-204cd7690d39.exe4 vs QUOTATIONS#08670.exe
Source: QUOTATIONS#08670.exe, 00000000.00000002.2008575393.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename4781ad81-0abf-42ba-9cb5-204cd7690d39.exe4 vs QUOTATIONS#08670.exe
Source: QUOTATIONS#08670.exe, 00000000.00000002.2006152312.000000000065E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs QUOTATIONS#08670.exe
Source: QUOTATIONS#08670.exe, 00000004.00000002.2571149051.00000000010F9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs QUOTATIONS#08670.exe
Source: QUOTATIONS#08670.exe, 00000004.00000002.2570779363.0000000000440000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename4781ad81-0abf-42ba-9cb5-204cd7690d39.exe4 vs QUOTATIONS#08670.exe
Uses 32bit PE files
Source: QUOTATIONS#08670.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 9.2.newapp.exe.3cc54ba.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.newapp.exe.3cc54ba.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 8.2.newapp.exe.4345322.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.newapp.exe.4345322.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 8.2.newapp.exe.43823e0.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.newapp.exe.43823e0.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.newapp.exe.3d02578.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.newapp.exe.3d02578.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 8.2.newapp.exe.428e0d2.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.newapp.exe.428e0d2.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.QUOTATIONS#08670.exe.3828c62.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.QUOTATIONS#08670.exe.3828c62.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.QUOTATIONS#08670.exe.391cf70.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.QUOTATIONS#08670.exe.391cf70.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 8.2.newapp.exe.4250ff2.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.newapp.exe.4250ff2.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.newapp.exe.3c4b33a.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.newapp.exe.3c4b33a.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.newapp.exe.3c0e26a.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.newapp.exe.3c0e26a.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.newapp.exe.3c4b33a.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.newapp.exe.3c4b33a.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 4.2.QUOTATIONS#08670.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.QUOTATIONS#08670.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.newapp.exe.3bd118a.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.newapp.exe.3bd118a.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.newapp.exe.3d02578.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.newapp.exe.3d02578.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.newapp.exe.42cb1a2.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.newapp.exe.42cb1a2.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.newapp.exe.3c0e26a.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.newapp.exe.3c0e26a.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.QUOTATIONS#08670.exe.3865d32.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.QUOTATIONS#08670.exe.3865d32.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.QUOTATIONS#08670.exe.3865d32.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.QUOTATIONS#08670.exe.3865d32.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 8.2.newapp.exe.428e0d2.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.newapp.exe.428e0d2.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.QUOTATIONS#08670.exe.3828c62.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.QUOTATIONS#08670.exe.3828c62.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.newapp.exe.3cc54ba.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.newapp.exe.3cc54ba.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 8.2.newapp.exe.43823e0.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.newapp.exe.43823e0.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 8.2.newapp.exe.42cb1a2.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.newapp.exe.42cb1a2.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 8.2.newapp.exe.4345322.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.newapp.exe.4345322.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.newapp.exe.3bd118a.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.newapp.exe.3bd118a.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 8.2.newapp.exe.4250ff2.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.newapp.exe.4250ff2.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/3@2/2
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATIONS#08670.exe.log Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Mutant created: NULL
Source: QUOTATIONS#08670.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: QUOTATIONS#08670.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: QUOTATIONS#08670.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File read: C:\Users\user\Desktop\QUOTATIONS#08670.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\QUOTATIONS#08670.exe "C:\Users\user\Desktop\QUOTATIONS#08670.exe"
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process created: C:\Users\user\Desktop\QUOTATIONS#08670.exe "C:\Users\user\Desktop\QUOTATIONS#08670.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process created: C:\Users\user\Desktop\QUOTATIONS#08670.exe "C:\Users\user\Desktop\QUOTATIONS#08670.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe" Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: QUOTATIONS#08670.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QUOTATIONS#08670.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: QUOTATIONS#08670.exe Static file information: File size 1330176 > 1048576
Source: QUOTATIONS#08670.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x133a00
Source: QUOTATIONS#08670.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
Yara detected DarkTortilla Crypter
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.3abdaa0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.4e50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.4e50000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.3abdaa0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2575069317.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2575551377.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2019882237.0000000004E50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2008575393.0000000002691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTATIONS#08670.exe PID: 7592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newapp.exe PID: 6576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newapp.exe PID: 3820, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_008FC9A4 push ebp; ret 0_2_008FC9A5
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_008FC9F0 push ebp; ret 0_2_008FC9F1
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_0712BB1B push ecx; retf EFCDh 0_2_0712BC92
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_071EC1B7 push eax; iretd 0_2_071EC1C6
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_071EA014 pushad ; retf 0_2_071EA06D
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 0_2_071E7E59 push ecx; retf 0046h 0_2_071E7E7A
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Code function: 4_2_01460C55 push edi; retf 4_2_01460C7A
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_02F6C9F0 push ebp; ret 8_2_02F6C9F1
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_02F6C9A4 push ebp; ret 8_2_02F6C9A5
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_06223370 push eax; iretd 8_2_06223371
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_06222F71 push esp; retf 8_2_06222F72
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_077D2379 push cs; ret 8_2_077D238F
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_077DBB27 push ecx; retf EFCDh 8_2_077DBC92
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0789C1B7 push eax; iretd 8_2_0789C1C6
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_0789A014 pushad ; retf 8_2_0789A06D
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07897E59 push ecx; retf 0046h 8_2_07897E7A
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB05A1 push es; retf 0007h 8_2_07CB05A2
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB0541 push es; retf 0007h 8_2_07CB0542
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB94D1 push esp; retf 0007h 8_2_07CB94D2
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB94F1 push esp; retf 0007h 8_2_07CB94F2
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB9389 push esp; retf 0007h 8_2_07CB938A
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB22D1 push cs; retf 0007h 8_2_07CB22D2
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB22AE push cs; retf 0007h 8_2_07CB22B2
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB8F17 push ebx; retf 0007h 8_2_07CB8F1A
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB8EE9 push ebx; retf 0007h 8_2_07CB8EEA
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB8EA9 push ebx; retf 0007h 8_2_07CB8EAA
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB8E30 push ebx; retf 0007h 8_2_07CB8E32
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CBFDB2 push FFFFFF8Bh; iretd 8_2_07CBFDB7
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB8C69 push edx; retf 0007h 8_2_07CB8C6A
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB8B77 push ecx; retf 0007h 8_2_07CB8B7A
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 8_2_07CB8AC9 push ecx; retf 0007h 8_2_07CB8ACA
Drops PE files
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe Jump to dropped file
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newapp Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newapp Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\Users\user\Desktop\QUOTATIONS#08670.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: QUOTATIONS#08670.exe PID: 7592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newapp.exe PID: 6576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newapp.exe PID: 3820, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory allocated: 8F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory allocated: 2690000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory allocated: 4690000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory allocated: 7BC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory allocated: 8BC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory allocated: 8D90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory allocated: 9D90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory allocated: A120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory allocated: B120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory allocated: C120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory allocated: 1460000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory allocated: 3060000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory allocated: 5060000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: 16D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: 30E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: 2EC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: 8120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: 9120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: 92E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: A2E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: A650000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: B650000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: C650000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: 1080000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: 2A60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: 28A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: 7AC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: 8AC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: 8C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: 9C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: 9FF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: AFF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory allocated: BFF0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599874 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599763 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 598891 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 598766 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 598641 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 598519 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 598318 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 598188 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 598063 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597938 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597828 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597719 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597263 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597047 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596938 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596813 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596700 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596594 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596359 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596250 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596140 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 595922 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 595811 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 595662 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 595428 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594969 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594625 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594516 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594406 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594297 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594187 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Window / User API: threadDelayed 2166 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Window / User API: threadDelayed 7687 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Window / User API: threadDelayed 2951 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Window / User API: threadDelayed 6895 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Window / User API: threadDelayed 4160 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Window / User API: threadDelayed 5683 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Window / User API: threadDelayed 4145 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Window / User API: threadDelayed 5711 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 7796 Thread sleep time: -28592453314249787s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 7796 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep count: 37 > 30 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -34126476536362649s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5300 Thread sleep count: 2951 > 30 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -599874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5300 Thread sleep count: 6895 > 30 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -599763s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -599437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -599328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -599219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -599109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -599000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -598891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -598766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -598641s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -598519s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -598318s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -598188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -598063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -597938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -597828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -597719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -597594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -597484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -597375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -597263s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -597156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -597047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -596938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -596813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -596700s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -596594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -596469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -596359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -596250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -596140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -596031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -595922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -595811s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -595662s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -595428s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -595297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -595187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -595078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -594969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -594844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -594734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -594625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -594516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -594406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -594297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 Thread sleep time: -594187s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1724 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1724 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7636 Thread sleep count: 40 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7636 Thread sleep time: -36893488147419080s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7636 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640 Thread sleep count: 4145 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640 Thread sleep count: 5711 > 30 Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599874 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599763 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 598891 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 598766 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 598641 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 598519 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 598318 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 598188 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 598063 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597938 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597828 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597719 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597263 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 597047 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596938 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596813 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596700 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596594 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596359 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596250 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596140 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 595922 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 595811 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 595662 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 595428 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594969 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594625 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594516 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594406 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594297 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Thread delayed: delay time: 594187 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 30000 Jump to behavior
Source: QUOTATIONS#08670.exe, newapp.exe.4.dr Binary or memory string: d6nu^YDY7bKtlFzp?nrett^pnreKtaPet^Dtrohl_teSQretnI?nottu}nosiMapmoCXnirtS?noitpZcxEytVruceSZkaMnPitpecGEtratldaerhknoitOecxEnPitareOOdilaInInoVtpecxzlluNtQemugr~noitOecxEeXnaRfOKuOxedQInoiKpecxE[ohteM[ilavnvnoitOecxEdZtroppJStoNQoitpe\xEdesPpsiDt\ejbOQoitpe\xEdepOarWemVtnuRQoitpe\xEbdP?noitiKepeReXasseMZkaFnPitisootratSRroFnPitisootratS`tesnPitidnPC_noVtcellPCwoRwZiVdirxataDQoitceSloCnmJloCweVVdirG^taDnPitcelSoClorKnoCnPitcelSoClle|weiVdVrGata{noit\elfeR
Source: QUOTATIONS#08670.exe, 00000000.00000002.2019882237.0000000004E50000.00000004.08000000.00040000.00000000.sdmp, QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray
Source: QUOTATIONS#08670.exe, newapp.exe.4.dr Binary or memory string: noVtpecxzlluNtQemugr~
Source: QUOTATIONS#08670.exe, 00000004.00000002.2571627082.00000000012B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 2051979379GSOFTWARE\VMware, Inc.\VMware VGAuth
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory written: C:\Users\user\Desktop\QUOTATIONS#08670.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory written: C:\Users\user\AppData\Roaming\newapp\newapp.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory written: C:\Users\user\AppData\Roaming\newapp\newapp.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process created: C:\Users\user\Desktop\QUOTATIONS#08670.exe "C:\Users\user\Desktop\QUOTATIONS#08670.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe" Jump to behavior
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $_q8<b>[ Program Manager]</b> (03/10/2024 19:44:51)<br>{Win}THdq|
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $_q3<b>[ Program Manager]</b> (03/10/2024 19:44:51)<br>
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $_q9<b>[ Program Manager]</b> (03/10/2024 19:44:51)<br>{Win}rTHdq|
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Users\user\Desktop\QUOTATIONS#08670.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Users\user\Desktop\QUOTATIONS#08670.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 9.2.newapp.exe.3cc54ba.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.4345322.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.43823e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3d02578.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.428e0d2.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.3828c62.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.391cf70.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.4250ff2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3c4b33a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3c0e26a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3c4b33a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.QUOTATIONS#08670.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3bd118a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3d02578.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3c0e26a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.3865d32.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.42cb1a2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.3828c62.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.3865d32.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.428e0d2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3cc54ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.43823e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.42cb1a2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.4345322.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3bd118a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.4250ff2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2575902767.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2596669969.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2575902767.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2597502551.0000000004213000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2596669969.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2570779363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2597502551.0000000004345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2597502551.000000000413F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2596669969.0000000003B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTATIONS#08670.exe PID: 7592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: QUOTATIONS#08670.exe PID: 8124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newapp.exe PID: 6576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newapp.exe PID: 3820, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 9.2.newapp.exe.3cc54ba.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.4345322.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.43823e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3d02578.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.428e0d2.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.3828c62.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.391cf70.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.4250ff2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3c4b33a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3c0e26a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3c4b33a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.QUOTATIONS#08670.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3bd118a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3d02578.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.42cb1a2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3c0e26a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.3865d32.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.3828c62.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.3865d32.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.428e0d2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3cc54ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.43823e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.42cb1a2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.4345322.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3bd118a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.4250ff2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2575902767.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2596669969.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2597502551.0000000004213000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2596669969.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2570779363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2597502551.0000000004345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2597502551.000000000413F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2596669969.0000000003B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTATIONS#08670.exe PID: 7592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: QUOTATIONS#08670.exe PID: 8124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newapp.exe PID: 6576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newapp.exe PID: 3820, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 9.2.newapp.exe.3cc54ba.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.4345322.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.43823e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3d02578.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.428e0d2.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.3828c62.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.391cf70.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.4250ff2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3c4b33a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3c0e26a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3c4b33a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.QUOTATIONS#08670.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3bd118a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3d02578.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3c0e26a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.3865d32.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.42cb1a2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.3828c62.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.3865d32.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.428e0d2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3cc54ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.43823e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.42cb1a2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.4345322.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.newapp.exe.3bd118a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.newapp.exe.4250ff2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2575902767.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2596669969.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2575902767.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2597502551.0000000004213000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2596669969.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2570779363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2597502551.0000000004345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2597502551.000000000413F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2596669969.0000000003B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTATIONS#08670.exe PID: 7592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: QUOTATIONS#08670.exe PID: 8124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newapp.exe PID: 6576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newapp.exe PID: 3820, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1524956 Sample: QUOTATIONS#08670.exe Startdate: 03/10/2024 Architecture: WINDOWS Score: 100 30 ftp.ercolina-usa.com 2->30 32 ercolina-usa.com 2->32 34 api.ipify.org 2->34 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 7 other signatures 2->54 7 QUOTATIONS#08670.exe 3 2->7         started        11 newapp.exe 2 2->11         started        13 newapp.exe 2 2->13         started        signatures3 process4 file5 28 C:\Users\user\...\QUOTATIONS#08670.exe.log, ASCII 7->28 dropped 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->58 60 Injects a PE file into a foreign processes 7->60 15 QUOTATIONS#08670.exe 16 5 7->15         started        62 Multi AV Scanner detection for dropped file 11->62 64 Machine Learning detection for dropped file 11->64 20 newapp.exe 11->20         started        22 newapp.exe 13->22         started        signatures6 process7 dnsIp8 36 ercolina-usa.com 192.254.225.136, 21, 31841, 45522 UNIFIEDLAYER-AS-1US United States 15->36 38 api.ipify.org 104.26.12.205, 443, 62916 CLOUDFLARENETUS United States 15->38 24 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 15->24 dropped 26 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 15->26 dropped 40 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->40 42 Tries to steal Mail credentials (via file / registry access) 15->42 44 Tries to harvest and steal ftp login credentials 15->44 46 3 other signatures 15->46 file9 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
192.254.225.136
 ercolina-usa.com United States
46606 UNIFIEDLAYER-AS-1US true
104.26.12.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
ercolina-usa.com 192.254.225.136 true
api.ipify.org 104.26.12.205 true
ftp.ercolina-usa.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
  • URL Reputation: safe
 unknown