Edit tour

Windows Analysis Report
Quote 40240333-REV2.exe

Overview

General Information

Sample name:	Quote 40240333-REV2.exe
Analysis ID:	1558213
MD5:	560a144b63de4457304d88add688500b
SHA1:	e1fdd08d768f5a0170e9ff354b9f75a5c533506f
SHA256:	76ee39157442dc28e64f089260ca42ec5374ae2fccb99d0940b9717e48e6dc86
Tags:	AgentTeslaexeuser-threatcat_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Quote 40240333-REV2.exe (PID: 7920 cmdline: "C:\Users\user\Desktop\Quote 40240333-REV2.exe" MD5: 560A144B63DE4457304D88ADD688500B)

powershell.exe (PID: 8100 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote 40240333-REV2.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Quote 40240333-REV2.exe (PID: 8108 cmdline: "C:\Users\user\Desktop\Quote 40240333-REV2.exe" MD5: 560A144B63DE4457304D88ADD688500B)

Quote 40240333-REV2.exe (PID: 8132 cmdline: "C:\Users\user\Desktop\Quote 40240333-REV2.exe" MD5: 560A144B63DE4457304D88ADD688500B)

Quote 40240333-REV2.exe (PID: 8144 cmdline: "C:\Users\user\Desktop\Quote 40240333-REV2.exe" MD5: 560A144B63DE4457304D88ADD688500B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2940553325.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1730144520.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000002.2943118351.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2943118351.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Quote 40240333-REV2.exe PID: 7920	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Quote 40240333-REV2.exe PID: 8144	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Quote 40240333-REV2.exe PID: 8144	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.Quote 40240333-REV2.exe.3ac0fe0.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quote 40240333-REV2.exe.3aea000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.Quote 40240333-REV2.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quote 40240333-REV2.exe.3aea000.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote 40240333-REV2.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote 40240333-REV2.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote 40240333-REV2.exe", ParentImage: C:\Users\user\Desktop\Quote 40240333-REV2.exe, ParentProcessId: 7920, ParentProcessName: Quote 40240333-REV2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote 40240333-REV2.exe", ProcessId: 8100, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 199.79.62.115, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Quote 40240333-REV2.exe, Initiated: true, ProcessId: 8144, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49742

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote 40240333-REV2.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote 40240333-REV2.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote 40240333-REV2.exe", ParentImage: C:\Users\user\Desktop\Quote 40240333-REV2.exe, ParentProcessId: 7920, ParentProcessName: Quote 40240333-REV2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote 40240333-REV2.exe", ProcessId: 8100, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}

Multi AV Scanner detection for submitted file

Source: Quote 40240333-REV2.exe	ReversingLabs: Detection: 34%
Source: Quote 40240333-REV2.exe	Virustotal: Detection: 30%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Quote 40240333-REV2.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: /log.tmp
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <br>[
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ]<br>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <br>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Time:
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <br>User Name:
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <br>Computer Name:
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <br>OSFullName:
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <br>CPU:
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <br>RAM:
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <br>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: IP Address:
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <br>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <hr>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: New
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: IP Address:
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: false
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: false
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: false
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: false
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: false
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: false
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: false
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: false
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: false
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: mail.mbarieservicesltd.com
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: saless@mbarieservicesltd.com
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: *o9H+18Q4%;M
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: iinfo@mbarieservicesltd.com
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: false
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: false
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: appdata
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: KTvkzEc
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: KTvkzEc.exe
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: KTvkzEc
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Type
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <br>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <hr>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <br>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <b>[
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ]</b> (
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: )<br>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {BACK}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {ALT+TAB}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {ALT+F4}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {TAB}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {ESC}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {Win}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {CAPSLOCK}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {KEYUP}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {KEYDOWN}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {KEYLEFT}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {KEYRIGHT}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {DEL}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {END}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {HOME}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {Insert}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {NumLock}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {PageDown}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {PageUp}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {ENTER}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {F1}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {F2}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {F3}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {F4}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {F5}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {F6}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {F7}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {F8}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {F9}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {F10}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {F11}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {F12}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: control
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {CTRL}
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: &
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: >
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: "
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <hr>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: logins
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: IE/Edge
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Windows Secure Note
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Windows Web Password Credential
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Windows Credential Picker Protector
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Web Credentials
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Windows Credentials
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Windows Domain Certificate Credential
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Windows Domain Password Credential
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Windows Extended Credential
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SchemaId
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: pResourceElement
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: pPackageSid
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: IE/Edge
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: UC Browser
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: UCBrowser\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Login Data
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: journal
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: wow_logins
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Safari for Windows
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <array>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <dict>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <string>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: </string>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <string>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: </string>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <data>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: </data>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: -convert xml1 -s -o "
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \fixed_keychain.xml"
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Microsoft\Protect\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: credential
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: QQ Browser
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Default\EncryptedStorage
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Profile
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \EncryptedStorage
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: entries
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: category
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: str3
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: str2
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: blob0
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: password_value
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: IncrediMail
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: PopPassword
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Accounts_New
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: PopPassword
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SmtpServer
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: EmailAddress
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Eudora
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: current
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Settings
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SavePasswordText
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Settings
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ReturnAddress
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Falkon Browser
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \falkon\profiles\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: profiles.ini
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: profiles.ini
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \browsedata.db
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: autofill
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ClawsMail
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Claws-mail
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \clawsrc
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \clawsrc
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: passkey0
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \accountrc
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: smtp_server
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: address
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: account
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \passwordstorerc
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: {(.),(.)}(.*)
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Flock Browser
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Flock\Browser\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: signons3.txt
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: DynDns
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: username=
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: password=
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: https://account.dyn.com/
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: t6KzXhCh
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: global
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: accounts
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: account.
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: username
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: account.
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: name
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Psi\profiles
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Psi+\profiles
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: OpenVPN
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: username
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: auth-data
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: entropy
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: USERPROFILE
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \OpenVPN\config\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: remote
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: remote
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: NordVPN
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: NordVPN
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: NordVpn.exe*
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: user.config
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: //setting[@name='Username']/value
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: NordVPN
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: %ProgramW6432%
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Private Internet Access\data
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Private Internet Access\data
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \account.json
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ."username":"(.?)"
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ."password":"(.?)"
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: privateinternetaccess.com
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: FileZilla
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <Server>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <Host>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <Host>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: </Host>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <Port>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: </Port>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <User>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <User>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: </User>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: </Pass>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <Pass>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: </Pass>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: CoreFTP
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: User
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Host
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Port
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: hdfzpysvpzimorhk
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: WinSCP
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: HostName
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: UserName
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: PublicKeyFile
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: PortNumber
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: WinSCP
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ABCDEF
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Flash FXP
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: port
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: user
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: pass
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: quick.dat
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Sites.dat
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: FTP Navigator
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SystemDrive
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Server
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: No Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: User
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SmartFTP
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: WS_FTP
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: appdata
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: HOST
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: PWD=
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: PWD=
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: FtpCommander
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SystemDrive
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SystemDrive
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SystemDrive
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \cftp\Ftplist.txt
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ;Password=
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ;User=
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ;Server=
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ;Port=
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ;Port=
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ;Password=
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ;User=
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ;Anonymous=
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: FTPGetter
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \FTPGetter\servers.xml
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <server>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <server_ip>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <server_ip>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: </server_ip>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <server_port>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: </server_port>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: </server_user_name>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: </server_user_password>
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: FTPGetter
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: The Bat!
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: appdata
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \The Bat!
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Becky!
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: DataDir
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Folder.lst
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Mailbox.ini
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Account
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: PassWd
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Account
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SMTPServer
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Account
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: MailAddress
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Becky!
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Outlook
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Email
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: IMAP Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: POP3 Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: HTTP Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SMTP Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Email
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Email
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Email
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: IMAP Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: POP3 Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: HTTP Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SMTP Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Server
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Windows Mail App
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Email
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Server
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SchemaId
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: pResourceElement
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: pPackageSid
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: syncpassword
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: mailoutgoing
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: FoxMail
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Executable
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: FoxmailPath
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Storage\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Storage\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \mail
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \mail
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Account.stg
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Account.stg
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: POP3Host
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SMTPHost
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: IncomingServer
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Account
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: MailAddress
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: POP3Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Opera Mail
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: opera:
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: PocoMail
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: appdata
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Pocomail\accounts.ini
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Email
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: POPPass
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SMTPPass
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SMTP
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: eM Client
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: eM Client\accounts.dat
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: eM Client
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Accounts
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: "Username":"
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: "Secret":"
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: "ProviderName":"
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: o6806642kbM7c5
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Mailbird
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SenderIdentities
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Accounts
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Server_Host
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Accounts
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Email
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Username
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: EncryptedPassword
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Mailbird
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\ORL\WinVNC3
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: TightVNC
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: TightVNC
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: PasswordViewOnly
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: TightVNC ControlPassword
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ControlPassword
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: TigerVNC
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\TigerVNC\Server
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Password
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: passwd
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: passwd2
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: passwd
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: passwd2
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: passwd
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: passwd2
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: passwd
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: passwd2
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: JDownloader 2.0
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Paltalk
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack	String decryptor: nickname

Source: Quote 40240333-REV2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Quote 40240333-REV2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.4:49742 -> 199.79.62.115:587

Source: Joe Sandbox View

IP Address: 199.79.62.115 199.79.62.115

Source: global traffic

TCP traffic: 192.168.2.4:49742 -> 199.79.62.115:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.mbarieservicesltd.com

Source: Quote 40240333-REV2.exe, 00000006.00000002.2943118351.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.mbarieservicesltd.com
Source: Quote 40240333-REV2.exe, 00000000.00000002.1728971288.00000000028F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name8
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quote 40240333-REV2.exe, 00000000.00000002.1732919995.0000000005250000.00000004.00000020.00020000.00000000.sdmp, Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 0_2_00F3D5B4	0_2_00F3D5B4
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 0_2_072BCC78	0_2_072BCC78
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 0_2_072BEBF2	0_2_072BEBF2
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 0_2_072B8628	0_2_072B8628
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 0_2_072BA530	0_2_072BA530
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 0_2_072BA540	0_2_072BA540
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 0_2_072B0400	0_2_072B0400
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 0_2_072B03F0	0_2_072B03F0
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 0_2_072B8E98	0_2_072B8E98
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 0_2_072BAEE1	0_2_072BAEE1
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 0_2_072BAEF0	0_2_072BAEF0
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 0_2_072B8A60	0_2_072B8A60
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 6_2_02B54140	6_2_02B54140
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 6_2_02B54D58	6_2_02B54D58
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 6_2_02B5FB48	6_2_02B5FB48
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 6_2_02B54488	6_2_02B54488
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 6_2_065F3728	6_2_065F3728
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Code function: 6_2_065F19F8	6_2_065F19F8

Source: Quote 40240333-REV2.exe, 00000000.00000002.1728971288.0000000002901000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs Quote 40240333-REV2.exe
Source: Quote 40240333-REV2.exe, 00000000.00000002.1728971288.0000000002901000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Quote 40240333-REV2.exe
Source: Quote 40240333-REV2.exe, 00000000.00000002.1728971288.0000000002901000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $dq,\\StringFileInfo\\000004B0\\OriginalFilename vs Quote 40240333-REV2.exe
Source: Quote 40240333-REV2.exe, 00000000.00000002.1728971288.0000000002901000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Quote 40240333-REV2.exe
Source: Quote 40240333-REV2.exe, 00000000.00000002.1723013353.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quote 40240333-REV2.exe
Source: Quote 40240333-REV2.exe, 00000000.00000002.1734248939.0000000007330000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Quote 40240333-REV2.exe
Source: Quote 40240333-REV2.exe, 00000000.00000002.1730144520.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs Quote 40240333-REV2.exe
Source: Quote 40240333-REV2.exe, 00000000.00000002.1730144520.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Quote 40240333-REV2.exe
Source: Quote 40240333-REV2.exe, 00000000.00000002.1735839780.000000000A0F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Quote 40240333-REV2.exe
Source: Quote 40240333-REV2.exe, 00000000.00000002.1733265517.00000000053A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Quote 40240333-REV2.exe
Source: Quote 40240333-REV2.exe, 00000000.00000002.1728971288.00000000028F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs Quote 40240333-REV2.exe
Source: Quote 40240333-REV2.exe, 00000006.00000002.2940553325.000000000042C000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs Quote 40240333-REV2.exe
Source: Quote 40240333-REV2.exe, 00000006.00000002.2940886353.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quote 40240333-REV2.exe
Source: Quote 40240333-REV2.exe	Binary or memory string: OriginalFilenameUruf.exeP vs Quote 40240333-REV2.exe

Source: Quote 40240333-REV2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Quote 40240333-REV2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, okV60aK4gpuFxTOK3M.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, MtjSgdCjepWUaljo2A.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, MtjSgdCjepWUaljo2A.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, MtjSgdCjepWUaljo2A.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, okV60aK4gpuFxTOK3M.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, MtjSgdCjepWUaljo2A.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, MtjSgdCjepWUaljo2A.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, MtjSgdCjepWUaljo2A.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/6@3/1

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote 40240333-REV2.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_viszymfn.qth.ps1

Jump to behavior

Source: Quote 40240333-REV2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Quote 40240333-REV2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quote 40240333-REV2.exe	ReversingLabs: Detection: 34%
Source: Quote 40240333-REV2.exe	Virustotal: Detection: 30%

Source: unknown	Process created: C:\Users\user\Desktop\Quote 40240333-REV2.exe "C:\Users\user\Desktop\Quote 40240333-REV2.exe"
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote 40240333-REV2.exe"
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process created: C:\Users\user\Desktop\Quote 40240333-REV2.exe "C:\Users\user\Desktop\Quote 40240333-REV2.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process created: C:\Users\user\Desktop\Quote 40240333-REV2.exe "C:\Users\user\Desktop\Quote 40240333-REV2.exe"
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process created: C:\Users\user\Desktop\Quote 40240333-REV2.exe "C:\Users\user\Desktop\Quote 40240333-REV2.exe"
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote 40240333-REV2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process created: C:\Users\user\Desktop\Quote 40240333-REV2.exe "C:\Users\user\Desktop\Quote 40240333-REV2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process created: C:\Users\user\Desktop\Quote 40240333-REV2.exe "C:\Users\user\Desktop\Quote 40240333-REV2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process created: C:\Users\user\Desktop\Quote 40240333-REV2.exe "C:\Users\user\Desktop\Quote 40240333-REV2.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Quote 40240333-REV2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quote 40240333-REV2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, MtjSgdCjepWUaljo2A.cs	.Net Code: tZxvgmkQc6 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, MtjSgdCjepWUaljo2A.cs	.Net Code: tZxvgmkQc6 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

Code function: 0_2_072BCB47 push esp; ret

0_2_072BCB48

Source: Quote 40240333-REV2.exe

Static PE information: section name: .text entropy: 7.9695231978994645

Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, Il70KH1AlpVN64jn1u.cs	High entropy of concatenated method names: 'sf6V1D8da6', 'eCEVMcXLr0', 'ToString', 'T1GV2E9Gv9', 'PAmVNXbNue', 'OYrV4TTqlr', 'rxbV7yOk39', 'm3nVYyDmRe', 'MfBVmGyOqG', 'pguV8DrbS2'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, PSrR5vzfyM4vxyCmp2.cs	High entropy of concatenated method names: 'm1wxdf0MV9', 'JAexo2X2a1', 'n1jxUuQn8D', 'qbLxaC2DiP', 'hLIxyQFBAi', 'GjyxApH42S', 'KZxxIAfHNO', 'o7axbGRsVP', 'VfaxnKEoWA', 'YOmxGOb0nv'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, Xun3SM7OM2ESEFSXK4.cs	High entropy of concatenated method names: 'lmUY9G6S8R', 'iyoYNHHJV1', 'm5hY7QrMKi', 'qDRYmtQ7dD', 'yOpY8dnRZC', 'eom7OX33b1', 'PDv7eOjBi0', 'kfx7Ejh3EK', 'foA7HKuWnc', 'vRw73TaZhP'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, sP0OykUMUJvA8plM5d.cs	High entropy of concatenated method names: 'lds6akSHbZ', 'djx6yZTNpA', 'nqE6lyCVXb', 'LOv6AORrOl', 'Y7d6IHknGa', 'VCu6fwp5lV', 'FZJ6tsseVs', 'dJH6jCrPIf', 'GIT60AaUap', 'Uwa6PkhwJb'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, MtjSgdCjepWUaljo2A.cs	High entropy of concatenated method names: 'hd0w9pj7R5', 'yWNw2bXni3', 'roCwN1yI0E', 'NpKw439ESn', 'JvZw7jgV2X', 'dCnwYAQbcw', 'O7BwmcpKPF', 'rwsw8QSjNF', 'voMwpLpKWP', 'HWAw1SLoyS'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, KoQBxmrTX3CuwDM5nPM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ECqF6av7FC', 'GrgFxPjtlT', 'KNaFRUoQa6', 'cNRFFSejVN', 'jvAFq4snaG', 'coOFZb0Dmn', 'FDVFbvHoxZ'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, mrkLfkde6G0Jl1OAZW.cs	High entropy of concatenated method names: 'HGymnjt2g9', 'NrpmGv2iuc', 'LuGmgWAppg', 'J5xmDwgWn8', 'b0jmhlIBgg', 'VSnmd88KIm', 'c6Qmugry7J', 'myVmoqfDLh', 'rpVmUyToCm', 'PlTmXCJ1q8'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, tZ7v35E7yX1oMKH99v.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dK053iSxDX', 'XTn5rX7at6', 'PEp5zXfYcX', 'CQ0wLN5mr6', 'AwYwK61Pjy', 'qNjw50WL0T', 'JIQwwPo1PK', 'zCsgt97divMYBpr2iih'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, gCifpVeZ5lwJHLHpPB.cs	High entropy of concatenated method names: 'D4AgaAKbO', 'aIXDdFYPF', 'aM4d6O7BE', 'oEOuoyFEG', 'VmAU5utUN', 'metXh28ES', 'vCaEtKa2pnHk9fYorT', 'JVTxwsOc15sJW1hCxa', 'CluWA1Eyk', 'aDBx0hDfr'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, okV60aK4gpuFxTOK3M.cs	High entropy of concatenated method names: 'cMCNsin5un', 'MGDNByNTtW', 'fZDNQTxuah', 'goiNSoC8UD', 'fxPNOR6iNA', 'xo4NeUjoM3', 'Gx5NEs3yjL', 'apuNH1sBVe', 'TTDN3FrAOW', 'FtgNrq16Mo'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, tyxWFS9Fwivryyxbe2.cs	High entropy of concatenated method names: 'ISOVHC5ybH', 'j4hVrnOKC5', 'HdSWLbln4v', 'NvdWKhEmjL', 'z7XVieLjDm', 'PWwVCuRQRH', 'LAtVTgyIu4', 'DqxVso8DY3', 'vfDVBVqPDS', 'AtpVQHDs1o'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, wKXWTZ5Pvclwisldhs.cs	High entropy of concatenated method names: 'WlukP5sunt', 'wGgkCQkxEH', 'wGoksXc7sJ', 'BSMkBQtalD', 'EfHkyo5VCR', 'XXMklZ9L9n', 'Ti6kAxsr2s', 'n4ykIZ4ey3', 'SyckfM99vL', 'xaIktpikoP'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, DcVXb8ryLOdycXcuV9T.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bMpxi60bwW', 'iSvxCnt9HB', 'zWPxTIsAGY', 'jU9xsCaSg8', 'lAVxB5iq10', 'J3gxQl57om', 'vtaxSqUM43'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, obEIAhrerfnU3285cGB.cs	High entropy of concatenated method names: 'ToString', 'L2NRoQ5RGT', 'dcqRU6x6jN', 'sCERXFI6mv', 'BlxRahc48L', 'jUWRyJ7W7L', 'ksTRlCGuIS', 'vH7RAObdRr', 'oudm2fMBfAD3pKC0wH9', 'u8t3qQMMGomggyuDhai'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, dXXKCgayT4vMbks2WF.cs	High entropy of concatenated method names: 'WJAJodVm72', 'tdqJUwXNCS', 'W5bJaSsB09', 'YAlJyybX7O', 'af5JAAFMkp', 'vIiJIOrXgM', 'WZlJtkNm2f', 'EedJjfnYTT', 'pM5JPIrfdy', 'fvIJiHcgaK'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, jmfCAGHI8FrKDlfv9b.cs	High entropy of concatenated method names: 'sDR4DAK9H7', 'RWI4dMskJh', 'zCu4oHmIxT', 'dtk4UOjrC5', 'NlG4kuHBjQ', 'o8t4cTR79T', 'fxL4VkZSA0', 'o9N4W9cPMU', 'HJE46bby3S', 'Nxb4xpRGrE'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, cfWA0kSlb2JTbGHnBE.cs	High entropy of concatenated method names: 'OB8x4CUFKH', 'SWhx7b5Y2a', 'yYtxYIdUgJ', 'zafxmivWMN', 'Kakx6xr6s3', 'oYGx8vr47D', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, banXtCtI63bcECrQ1o.cs	High entropy of concatenated method names: 'TUG7hQKYqG', 'E8D7uGIHVc', 'LJK4l0EJXP', 'fCP4AIglZd', 'Sib4IYDKSE', 'CGL4fDbfQq', 'K694tOuC29', 'LDc4jkM6TT', 'u4s40nK0DH', 'Agi4Pxtk5E'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, pb0JMxjMuntwoaTYmX.cs	High entropy of concatenated method names: 'f7R6k9qhXa', 'sDw6VhlxTL', 'Y8j66LQvax', 'm766RfiM3R', 'ap66qVr8i0', 'XYe6b2o8v0', 'Dispose', 'qPSW237TWx', 'xRpWN2U45Z', 'SipW4CXjEy'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, cHYuVbwyrlmJ7rW6Vo.cs	High entropy of concatenated method names: 'Dispose', 'r6iK30ko1X', 'htp5y4IchL', 'ktSFOP0scs', 'HJWKrmBZgm', 'l09KzNuRfN', 'ProcessDialogKey', 'D6P5LEA75i', 'VYw5K1C12F', 'DuD55Qq1aN'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, x7Z4YsTb1oA62vRQeQ.cs	High entropy of concatenated method names: 'H7RKmYbr6i', 'SF1K8t4HoI', 'ONEK1TEmd7', 'cLKKMJQSZO', 'pmkKklmNhE', 'jsSKcBHO4G', 'QmwliKeTTImox2QSIs', 'NBbdueopawnxNi3tVt', 'ihXKKe6sjI', 'mtGKwDI6XW'
Source: 0.2.Quote 40240333-REV2.exe.3b2e600.3.raw.unpack, iSSAocrrO13RrmMXa4F.cs	High entropy of concatenated method names: 'LxBxrVlQ62', 'eGYxzg1f8O', 'meuRLHd6ws', 'AwiRKJBWv1', 'f5JR5kTl5H', 'mLkRwtwnQ2', 'CCdRvcNlFg', 'xxJR9dVl2c', 'jpfR2arDcx', 'JY0RNdtiVB'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, Il70KH1AlpVN64jn1u.cs	High entropy of concatenated method names: 'sf6V1D8da6', 'eCEVMcXLr0', 'ToString', 'T1GV2E9Gv9', 'PAmVNXbNue', 'OYrV4TTqlr', 'rxbV7yOk39', 'm3nVYyDmRe', 'MfBVmGyOqG', 'pguV8DrbS2'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, PSrR5vzfyM4vxyCmp2.cs	High entropy of concatenated method names: 'm1wxdf0MV9', 'JAexo2X2a1', 'n1jxUuQn8D', 'qbLxaC2DiP', 'hLIxyQFBAi', 'GjyxApH42S', 'KZxxIAfHNO', 'o7axbGRsVP', 'VfaxnKEoWA', 'YOmxGOb0nv'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, Xun3SM7OM2ESEFSXK4.cs	High entropy of concatenated method names: 'lmUY9G6S8R', 'iyoYNHHJV1', 'm5hY7QrMKi', 'qDRYmtQ7dD', 'yOpY8dnRZC', 'eom7OX33b1', 'PDv7eOjBi0', 'kfx7Ejh3EK', 'foA7HKuWnc', 'vRw73TaZhP'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, sP0OykUMUJvA8plM5d.cs	High entropy of concatenated method names: 'lds6akSHbZ', 'djx6yZTNpA', 'nqE6lyCVXb', 'LOv6AORrOl', 'Y7d6IHknGa', 'VCu6fwp5lV', 'FZJ6tsseVs', 'dJH6jCrPIf', 'GIT60AaUap', 'Uwa6PkhwJb'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, MtjSgdCjepWUaljo2A.cs	High entropy of concatenated method names: 'hd0w9pj7R5', 'yWNw2bXni3', 'roCwN1yI0E', 'NpKw439ESn', 'JvZw7jgV2X', 'dCnwYAQbcw', 'O7BwmcpKPF', 'rwsw8QSjNF', 'voMwpLpKWP', 'HWAw1SLoyS'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, KoQBxmrTX3CuwDM5nPM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ECqF6av7FC', 'GrgFxPjtlT', 'KNaFRUoQa6', 'cNRFFSejVN', 'jvAFq4snaG', 'coOFZb0Dmn', 'FDVFbvHoxZ'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, mrkLfkde6G0Jl1OAZW.cs	High entropy of concatenated method names: 'HGymnjt2g9', 'NrpmGv2iuc', 'LuGmgWAppg', 'J5xmDwgWn8', 'b0jmhlIBgg', 'VSnmd88KIm', 'c6Qmugry7J', 'myVmoqfDLh', 'rpVmUyToCm', 'PlTmXCJ1q8'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, tZ7v35E7yX1oMKH99v.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dK053iSxDX', 'XTn5rX7at6', 'PEp5zXfYcX', 'CQ0wLN5mr6', 'AwYwK61Pjy', 'qNjw50WL0T', 'JIQwwPo1PK', 'zCsgt97divMYBpr2iih'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, gCifpVeZ5lwJHLHpPB.cs	High entropy of concatenated method names: 'D4AgaAKbO', 'aIXDdFYPF', 'aM4d6O7BE', 'oEOuoyFEG', 'VmAU5utUN', 'metXh28ES', 'vCaEtKa2pnHk9fYorT', 'JVTxwsOc15sJW1hCxa', 'CluWA1Eyk', 'aDBx0hDfr'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, okV60aK4gpuFxTOK3M.cs	High entropy of concatenated method names: 'cMCNsin5un', 'MGDNByNTtW', 'fZDNQTxuah', 'goiNSoC8UD', 'fxPNOR6iNA', 'xo4NeUjoM3', 'Gx5NEs3yjL', 'apuNH1sBVe', 'TTDN3FrAOW', 'FtgNrq16Mo'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, tyxWFS9Fwivryyxbe2.cs	High entropy of concatenated method names: 'ISOVHC5ybH', 'j4hVrnOKC5', 'HdSWLbln4v', 'NvdWKhEmjL', 'z7XVieLjDm', 'PWwVCuRQRH', 'LAtVTgyIu4', 'DqxVso8DY3', 'vfDVBVqPDS', 'AtpVQHDs1o'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, wKXWTZ5Pvclwisldhs.cs	High entropy of concatenated method names: 'WlukP5sunt', 'wGgkCQkxEH', 'wGoksXc7sJ', 'BSMkBQtalD', 'EfHkyo5VCR', 'XXMklZ9L9n', 'Ti6kAxsr2s', 'n4ykIZ4ey3', 'SyckfM99vL', 'xaIktpikoP'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, DcVXb8ryLOdycXcuV9T.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bMpxi60bwW', 'iSvxCnt9HB', 'zWPxTIsAGY', 'jU9xsCaSg8', 'lAVxB5iq10', 'J3gxQl57om', 'vtaxSqUM43'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, obEIAhrerfnU3285cGB.cs	High entropy of concatenated method names: 'ToString', 'L2NRoQ5RGT', 'dcqRU6x6jN', 'sCERXFI6mv', 'BlxRahc48L', 'jUWRyJ7W7L', 'ksTRlCGuIS', 'vH7RAObdRr', 'oudm2fMBfAD3pKC0wH9', 'u8t3qQMMGomggyuDhai'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, dXXKCgayT4vMbks2WF.cs	High entropy of concatenated method names: 'WJAJodVm72', 'tdqJUwXNCS', 'W5bJaSsB09', 'YAlJyybX7O', 'af5JAAFMkp', 'vIiJIOrXgM', 'WZlJtkNm2f', 'EedJjfnYTT', 'pM5JPIrfdy', 'fvIJiHcgaK'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, jmfCAGHI8FrKDlfv9b.cs	High entropy of concatenated method names: 'sDR4DAK9H7', 'RWI4dMskJh', 'zCu4oHmIxT', 'dtk4UOjrC5', 'NlG4kuHBjQ', 'o8t4cTR79T', 'fxL4VkZSA0', 'o9N4W9cPMU', 'HJE46bby3S', 'Nxb4xpRGrE'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, cfWA0kSlb2JTbGHnBE.cs	High entropy of concatenated method names: 'OB8x4CUFKH', 'SWhx7b5Y2a', 'yYtxYIdUgJ', 'zafxmivWMN', 'Kakx6xr6s3', 'oYGx8vr47D', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, banXtCtI63bcECrQ1o.cs	High entropy of concatenated method names: 'TUG7hQKYqG', 'E8D7uGIHVc', 'LJK4l0EJXP', 'fCP4AIglZd', 'Sib4IYDKSE', 'CGL4fDbfQq', 'K694tOuC29', 'LDc4jkM6TT', 'u4s40nK0DH', 'Agi4Pxtk5E'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, pb0JMxjMuntwoaTYmX.cs	High entropy of concatenated method names: 'f7R6k9qhXa', 'sDw6VhlxTL', 'Y8j66LQvax', 'm766RfiM3R', 'ap66qVr8i0', 'XYe6b2o8v0', 'Dispose', 'qPSW237TWx', 'xRpWN2U45Z', 'SipW4CXjEy'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, cHYuVbwyrlmJ7rW6Vo.cs	High entropy of concatenated method names: 'Dispose', 'r6iK30ko1X', 'htp5y4IchL', 'ktSFOP0scs', 'HJWKrmBZgm', 'l09KzNuRfN', 'ProcessDialogKey', 'D6P5LEA75i', 'VYw5K1C12F', 'DuD55Qq1aN'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, x7Z4YsTb1oA62vRQeQ.cs	High entropy of concatenated method names: 'H7RKmYbr6i', 'SF1K8t4HoI', 'ONEK1TEmd7', 'cLKKMJQSZO', 'pmkKklmNhE', 'jsSKcBHO4G', 'QmwliKeTTImox2QSIs', 'NBbdueopawnxNi3tVt', 'ihXKKe6sjI', 'mtGKwDI6XW'
Source: 0.2.Quote 40240333-REV2.exe.7330000.5.raw.unpack, iSSAocrrO13RrmMXa4F.cs	High entropy of concatenated method names: 'LxBxrVlQ62', 'eGYxzg1f8O', 'meuRLHd6ws', 'AwiRKJBWv1', 'f5JR5kTl5H', 'mLkRwtwnQ2', 'CCdRvcNlFg', 'xxJR9dVl2c', 'jpfR2arDcx', 'JY0RNdtiVB'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Quote 40240333-REV2.exe PID: 7920, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Memory allocated: E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Memory allocated: E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Memory allocated: 7760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Memory allocated: 8760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Memory allocated: 8910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Memory allocated: 9910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Memory allocated: 2B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Memory allocated: 2D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Memory allocated: 2B90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7402	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1173	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Window / User API: threadDelayed 2227	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Window / User API: threadDelayed 7541	Jump to behavior

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7516	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7500	Thread sleep count: 2227 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -99873s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -99764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7500	Thread sleep count: 7541 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -98759s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -98555s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -98434s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -97235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -96985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -96860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -96735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -96610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -96485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -96235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -96110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -95985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -95860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -95735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -95610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -95485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -95360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -95235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -95110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -94985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -94860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -94735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -94610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -94485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -94359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -94247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -94140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe TID: 7540	Thread sleep time: -94032s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 99873	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 99764	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 98759	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 98555	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 98434	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 95985	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 95735	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 95610	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 95485	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 95360	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 95235	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 95110	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 94985	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 94860	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 94735	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 94610	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 94485	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 94359	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 94247	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 94140	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Thread delayed: delay time: 94032	Jump to behavior

Source: Quote 40240333-REV2.exe, 00000000.00000002.1723461800.0000000000A32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Quote 40240333-REV2.exe, 00000000.00000002.1723461800.0000000000A32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Quote 40240333-REV2.exe, 00000006.00000002.2946051783.0000000006210000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote 40240333-REV2.exe"
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote 40240333-REV2.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

Memory written: C:\Users\user\Desktop\Quote 40240333-REV2.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote 40240333-REV2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process created: C:\Users\user\Desktop\Quote 40240333-REV2.exe "C:\Users\user\Desktop\Quote 40240333-REV2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process created: C:\Users\user\Desktop\Quote 40240333-REV2.exe "C:\Users\user\Desktop\Quote 40240333-REV2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Process created: C:\Users\user\Desktop\Quote 40240333-REV2.exe "C:\Users\user\Desktop\Quote 40240333-REV2.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Users\user\Desktop\Quote 40240333-REV2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Users\user\Desktop\Quote 40240333-REV2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.2943118351.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote 40240333-REV2.exe PID: 8144, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote 40240333-REV2.exe.3aea000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Quote 40240333-REV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote 40240333-REV2.exe.3aea000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2940553325.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1730144520.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\Quote 40240333-REV2.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000006.00000002.2943118351.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote 40240333-REV2.exe PID: 8144, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.2943118351.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote 40240333-REV2.exe PID: 8144, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote 40240333-REV2.exe.3aea000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Quote 40240333-REV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote 40240333-REV2.exe.3aea000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote 40240333-REV2.exe.3ac0fe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2940553325.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1730144520.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quote 40240333-REV2.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
Quote 40240333-REV2.exe	30%	Virustotal		Browse
Quote 40240333-REV2.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.mbarieservicesltd.com	199.79.62.115	true	false		high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name8	Quote 40240333-REV2.exe, 00000000.00000002.1728971288.00000000028F1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	Quote 40240333-REV2.exe, 00000000.00000002.1732919995.0000000005250000.00000004.00000020.00020000.00000000.sdmp, Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	Quote 40240333-REV2.exe, 00000000.00000002.1733427590.0000000006A62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mail.mbarieservicesltd.com	Quote 40240333-REV2.exe, 00000006.00000002.2943118351.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.79.62.115	mail.mbarieservicesltd.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558213
Start date and time:	2024-11-19 07:24:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quote 40240333-REV2.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/6@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 38 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:24:59	API Interceptor	192x Sleep call for process: Quote 40240333-REV2.exe modified
01:25:01	API Interceptor	10x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
199.79.62.115	PO ALJAT-5804-2024.exe	Get hash	malicious	AgentTesla	Browse
	INQ#84790.exe	Get hash	malicious	AgentTesla	Browse
	LPO24.0524.exe	Get hash	malicious	AgentTesla	Browse
	1364. 2024.exe	Get hash	malicious	AgentTesla	Browse
	Quote_220072.exe	Get hash	malicious	AgentTesla	Browse
	TT Copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	24-17745.exe	Get hash	malicious	AgentTesla	Browse
	PO# 4507573387.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	PO-000041522.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	MA2402201136.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.mbarieservicesltd.com	PO ALJAT-5804-2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	INQ#84790.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	LPO24.0524.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	1364. 2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Quote_220072.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	TT Copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	24-17745.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	PO# 4507573387.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	PO-000041522.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
fp2e7a.wpc.phicdn.net	BOMB-762.msi	Get hash	malicious	AteraAgent	Browse	192.229.221.95
	file.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	https://website-70396.convertflowpages.com/firstmarkinsurance	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	file.exe	Get hash	malicious	Credential Flusher	Browse	192.229.221.95
	file.exe	Get hash	malicious	Credential Flusher	Browse	192.229.221.95
	http://tayakay.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	ADZP 20 Complex.exe	Get hash	malicious	Babadeda, Wiper	Browse	192.229.221.95
	Discord_updater_rCURRENT.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	KKXT7bY8bG.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	3236484822156923570.js	Get hash	malicious	Strela Downloader	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	DOCS.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	Ksciarillo_Reord_Adjustment.docx	Get hash	malicious	Unknown	Browse	208.91.198.81
	Ksciarillo_Reord_Adjustment.docx	Get hash	malicious	Unknown	Browse	208.91.198.81
	NoteID [4962398] _Secure_Document_Mrettinger-46568.docx	Get hash	malicious	HTMLPhisher	Browse	208.91.198.81
	SOA.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	SFL OP990M3 PO.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.107
	nuevo orden.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	PO ALJAT-5804-2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	INQ#84790.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	https://u34251876.ct.sendgrid.net/ls/click?upn=u001.ordJ57g0HVndDa8Km-2BVUUFN1eIn5tdzIxrKbgsGfF9eVdl7b-2Fab-2BrUBdfIXH9yijR5LLM7kgivkgUI3nC3VajM00UDrq4ekI2XREqo0QmHcHyDyYWomvx9-2FHEtQ3o5rBM9AHzVSsjnwFSEJqic-2BEtw-3D-3DBxNa_qINdfz5Lp8EahgxJXfgGV-2Bk7caEgTUs2gtUTKNMgBkZ9mbVIMd-2B1UUN0TqdRRGrocW81C18onNWNx5Y6KM88Rr7odKCqMhALUPuUbXGlkOo01sEKeKdphXRhykHXKfSB-2By1s-2BNAgCL9-2BbtY8LNaKNV0sXQnlv-2F9fA-2BLZtaeadaVGHb32bFHhcOwS3ltfr2dig92MY6M8DrwwYiolgI1k4Q-3D-3D	Get hash	malicious	Unknown	Browse	216.10.246.48

Process:	C:\Users\user\Desktop\Quote 40240333-REV2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.354777075714867
Encrypted:	false
SSDEEP:	24:3gWSKco4KmZjKbmOIKod6lss4RP8mZ9tEoUEJ0gt/NKIl9iaku:QWSU4xympgv4RUmZ9tEoUl8NDr
MD5:	E65E0A41A1AF021B7C85A2311F0910F4
SHA1:	F4DD7243918581677DE1F23B38F2D50F04A5CBF5
SHA-256:	7645C16FB1EAD11772AC744027B6C2BCC78816F713F5B8F27C54ACC2C42E181B
SHA-512:	A1EC04AAE1EC6CD668F9CD8872F7DDECB6BD6003AB2772DED58048F2947963658C0450837835F983B73808838104BEC8D9F1F94D956E1D5BEEFE24D980779D28
Malicious:	false
Reputation:	low
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ga1f4x0u.tdp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gswqkygp.w3f.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hx1gh5ii.2sv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_viszymfn.qth.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.963964840557605
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Quote 40240333-REV2.exe
File size:	720'384 bytes
MD5:	560a144b63de4457304d88add688500b
SHA1:	e1fdd08d768f5a0170e9ff354b9f75a5c533506f
SHA256:	76ee39157442dc28e64f089260ca42ec5374ae2fccb99d0940b9717e48e6dc86
SHA512:	4a03eb701d34a2b793599868218a3886267d115652d82f3c565dc4564315979961f9146a3c15611cb861f728fbad8fde4900430ebc023ec3f3d2b80cb8a2f69a
SSDEEP:	12288:XGgjKo7xzZtRkvkMce/X4wWI7H8fT2tJ8PYGDWl77uh5j:XGLo7ZZtRksyeB6txTo5
TLSH:	38E4238EB36C5FB2C53E1BF2102212D463BEF036463AEA8E2CC591EA5D31B185B51D57
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;g..............0......"........... ........@.. .......................@............@................................

File Icon


Icon Hash:	e33425174edb3931

Static PE Info

General

Entrypoint:	0x4af9be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673BE1D7 [Tue Nov 19 00:54:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaf96c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0x1fe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xad9c4	0xada00	07d42d849e8572c9fb148d4e7517b701	False	0.9663820644348452	data	7.9695231978994645	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0x1fe8	0x2000	9f77a17c862b272795fb026e16aabe35	False	0.8568115234375	data	7.48552690185582	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0xc	0x200	781448f5165a54589ed45ab1100b1273	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb0100	0x18df	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9715721689963877
RT_GROUP_ICON	0xb19f0	0x14	data	1.05
RT_VERSION	0xb1a14	0x3d4	data	0.39693877551020407
RT_MANIFEST	0xb1df8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 07:25:05.666455984 CET	49742	587	192.168.2.4	199.79.62.115
Nov 19, 2024 07:25:06.666943073 CET	49742	587	192.168.2.4	199.79.62.115
Nov 19, 2024 07:25:08.667089939 CET	49742	587	192.168.2.4	199.79.62.115
Nov 19, 2024 07:25:12.667141914 CET	49742	587	192.168.2.4	199.79.62.115
Nov 19, 2024 07:25:20.666959047 CET	49742	587	192.168.2.4	199.79.62.115

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 07:25:03.509613037 CET	51989	53	192.168.2.4	1.1.1.1
Nov 19, 2024 07:25:04.525876045 CET	51989	53	192.168.2.4	1.1.1.1
Nov 19, 2024 07:25:05.526621103 CET	51989	53	192.168.2.4	1.1.1.1
Nov 19, 2024 07:25:05.658159018 CET	53	51989	1.1.1.1	192.168.2.4
Nov 19, 2024 07:25:05.658174038 CET	53	51989	1.1.1.1	192.168.2.4
Nov 19, 2024 07:25:05.658181906 CET	53	51989	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2024 07:25:03.509613037 CET	192.168.2.4	1.1.1.1	0x2351	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 07:25:04.525876045 CET	192.168.2.4	1.1.1.1	0x2351	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 07:25:05.526621103 CET	192.168.2.4	1.1.1.1	0x2351	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 07:25:05.658159018 CET	1.1.1.1	192.168.2.4	0x2351	No error (0)	mail.mbarieservicesltd.com		199.79.62.115	A (IP address)	IN (0x0001)	false
Nov 19, 2024 07:25:05.658174038 CET	1.1.1.1	192.168.2.4	0x2351	No error (0)	mail.mbarieservicesltd.com		199.79.62.115	A (IP address)	IN (0x0001)	false
Nov 19, 2024 07:25:05.658181906 CET	1.1.1.1	192.168.2.4	0x2351	No error (0)	mail.mbarieservicesltd.com		199.79.62.115	A (IP address)	IN (0x0001)	false
Nov 19, 2024 07:27:05.947524071 CET	1.1.1.1	192.168.2.4	0x41ab	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 07:27:05.947524071 CET	1.1.1.1	192.168.2.4	0x41ab	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	01:24:58
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\Quote 40240333-REV2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quote 40240333-REV2.exe"
Imagebase:	0x470000
File size:	720'384 bytes
MD5 hash:	560A144B63DE4457304D88ADD688500B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1730144520.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:25:00
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote 40240333-REV2.exe"
Imagebase:	0x330000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:25:00
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\Quote 40240333-REV2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Quote 40240333-REV2.exe"
Imagebase:	0x90000
File size:	720'384 bytes
MD5 hash:	560A144B63DE4457304D88ADD688500B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:25:00
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:25:00
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\Quote 40240333-REV2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Quote 40240333-REV2.exe"
Imagebase:	0x230000
File size:	720'384 bytes
MD5 hash:	560A144B63DE4457304D88ADD688500B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:25:00
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\Quote 40240333-REV2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quote 40240333-REV2.exe"
Imagebase:	0x840000
File size:	720'384 bytes
MD5 hash:	560A144B63DE4457304D88ADD688500B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.2940553325.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2943118351.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2943118351.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.1%
Total number of Nodes:	176
Total number of Limit Nodes:	10

Executed Functions

Function 072BEBF2 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d31d3ae475c62487e48884685fbc95254948db38b70e9a9fbbed0c5c99ef23
Instruction ID: a7a3ebf87a80f63710d6ad0047814531c6853ad9ef12d69a7660393e4e4ed1ae
Opcode Fuzzy Hash: 51d31d3ae475c62487e48884685fbc95254948db38b70e9a9fbbed0c5c99ef23
Instruction Fuzzy Hash: 8BE1FCB0B106069FDB25DB75C860BEEB7F6AF89380F154469E146CB392CB38E901CB51

Function 072BCC78 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e3a1337b0c35a00e80f22a9aefb1e5a7ec9769e7ae574e5e7d60159e350715
Instruction ID: b58806476f5b7bf3ab3ac423f0830ead9f0d3c8f5bfa97822692e120ed485c25
Opcode Fuzzy Hash: 03e3a1337b0c35a00e80f22a9aefb1e5a7ec9769e7ae574e5e7d60159e350715
Instruction Fuzzy Hash: 8A711AB1D24629CFEB24DF66C8447E9BBB6BF89300F10D1EAD409A6250DB705AC5CF50

Function 00F3CBC8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00F3CC46
GetCurrentThread.KERNEL32 ref: 00F3CC83
GetCurrentProcess.KERNEL32 ref: 00F3CCC0
GetCurrentThreadId.KERNEL32 ref: 00F3CD19

Memory Dump Source

Source File: 00000000.00000002.1726693911.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_Quote 40240333-REV2.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 71020bdca8257b6fc4f3402ce3da511641c3f45bee77e473f479b3cb416bcd3e
Instruction ID: e8e48d376f64aac1300f395808dfb4167853948f6eac7b16710b8f128626ed5f
Opcode Fuzzy Hash: 71020bdca8257b6fc4f3402ce3da511641c3f45bee77e473f479b3cb416bcd3e
Instruction Fuzzy Hash: 335155B49003498FDB04DFAAD548B9EBBF1EF88314F208459E019B72A0D774A944CB65

Function 072BB669 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 072BB8A6

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bf36b2b2eefa08bf2f057f1502beb4bf8395a57cf47c3710427e3928b4e69a84
Instruction ID: dec029260d953d7e7b5fddded408aac36e760baf5584e2305ceb4097d951140a
Opcode Fuzzy Hash: bf36b2b2eefa08bf2f057f1502beb4bf8395a57cf47c3710427e3928b4e69a84
Instruction Fuzzy Hash: F7A18DB1D1065ADFDF20CF68C841BEDBBB2BF48350F1481A9D849A7280DB749985CF92

Function 072BB670 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 072BB8A6

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8ea50dc114c6915ca143286abc32623049de5f5a67e15c927b0c4f5d03921761
Instruction ID: 5f7fe8e5928d459f42071790693d0562a92442a50ab493500d109aa186ef8aac
Opcode Fuzzy Hash: 8ea50dc114c6915ca143286abc32623049de5f5a67e15c927b0c4f5d03921761
Instruction Fuzzy Hash: 57917DB1D1065ACFDF20CF68C841BEDBBB2BF48350F148169D849A7290DB749985CF91

Function 00F3590D Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00F359C9

Memory Dump Source

Source File: 00000000.00000002.1726693911.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_Quote 40240333-REV2.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ead7d944b9a7378b18cd1bdd3ebb3b4cb5e7cd64c4715c6f559e2ca4d4cef7bb
Instruction ID: 3a7ee97a9c56acc31f35aa3ab9314297fe8a5d391d128752ae28231ad207e029
Opcode Fuzzy Hash: ead7d944b9a7378b18cd1bdd3ebb3b4cb5e7cd64c4715c6f559e2ca4d4cef7bb
Instruction Fuzzy Hash: BF41D0B0C00719CBDB24CFA9C884B8EFBF5BF89714F20816AD409AB251DB756945DF91

Function 00F344C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00F359C9

Memory Dump Source

Source File: 00000000.00000002.1726693911.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_Quote 40240333-REV2.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 504902dd3502a4f0119f4a10aa28eb8c4ce0f9186a5c190259e7911430af1fa0
Instruction ID: 27259f1fea827660194983b8ba9b0ca6361a6551dfe2d4c0efb9e1467f1cd749
Opcode Fuzzy Hash: 504902dd3502a4f0119f4a10aa28eb8c4ce0f9186a5c190259e7911430af1fa0
Instruction Fuzzy Hash: 1941F3B0C0071DCBDB24CFA9C884B8EBBF5BF88714F20816AD409AB251DB756945DF90

Function 072BB3E0 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 072BB478

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6302d689efb73058a401a520f9f948a48f56fbcc79476c0972ae58bf3b6db658
Instruction ID: 8fec8c36d27640f052ae3ce194c08f72eed3ccf05ec97447645d62062fdb53c1
Opcode Fuzzy Hash: 6302d689efb73058a401a520f9f948a48f56fbcc79476c0972ae58bf3b6db658
Instruction Fuzzy Hash: 062135B19003499FCB10CFAAC885BDEBFF5FF48310F14842AE958A7241D778A955CBA5

Function 072BB3E8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 072BB478

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2f5d376ea5552f26948a5311bb97cfef6a77f92315c5fb4faccc98b0b83ed0c9
Instruction ID: dded889ef15762f43bb1364bafc90bcdc1f696ea5d12b7f6b9e72bf9c227041e
Opcode Fuzzy Hash: 2f5d376ea5552f26948a5311bb97cfef6a77f92315c5fb4faccc98b0b83ed0c9
Instruction Fuzzy Hash: 4A2136B19003499FCF10DFAAC885BDEBBF5FF48310F10842AE919A7240C778A954DBA5

Function 072BB4D1 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 072BB558

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: dcbc8ab4a69ffbd32ddb402c165361666b871bc6f9ccfcb93b849901018715be
Instruction ID: 03518a873bd927039be6599d70aec700e8cfcd95ca1ef9ca2189ecb3c35dc32d
Opcode Fuzzy Hash: dcbc8ab4a69ffbd32ddb402c165361666b871bc6f9ccfcb93b849901018715be
Instruction Fuzzy Hash: 512136B18003499FCB10DFAAC885AEEFBF5FF48310F50842AE959A7240C774A941DBA5

Function 072BAE10 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072BAE96

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fbd39018fd06679f8dff8d6b92138776e5080982cd77164ab1643570b24bc62f
Instruction ID: 37b7c20d3a2f3c41b6eaa1a16a24cc7d6226b5ed7e7cd9b520ce44e6f4fe5a67
Opcode Fuzzy Hash: fbd39018fd06679f8dff8d6b92138776e5080982cd77164ab1643570b24bc62f
Instruction Fuzzy Hash: 882166B19003498FDB10DFAAC484BEEBBF4AF88324F14842AD459A7241C778A944CBA5

Function 072BB4D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 072BB558

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8cc1e0e1b5148ad9c8f994dffa520ad9bac3023fd3ee069e231de448cd998b0e
Instruction ID: dd9e7cbcb794e68e550a7b8d88521c3c7dfbf5fe1cf922e60f65c0fc0cff1e71
Opcode Fuzzy Hash: 8cc1e0e1b5148ad9c8f994dffa520ad9bac3023fd3ee069e231de448cd998b0e
Instruction Fuzzy Hash: CC2137B1C003499FCB10DFAAC885AEEFBF5FF48320F50842AE519A7240C7789945DBA5

Function 072BAE18 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072BAE96

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 22ab9cbccbf8a6bfcd4bf4b9ea64d3ca5c56e75bdb7fc7e4d73160f832fabba5
Instruction ID: 0134198f70ce377354e4dcdb3788dbb6b49bd991dfda46b42ad79b9ce4bc202b
Opcode Fuzzy Hash: 22ab9cbccbf8a6bfcd4bf4b9ea64d3ca5c56e75bdb7fc7e4d73160f832fabba5
Instruction Fuzzy Hash: C62137B1D003098FDB10DFAAC485BEEBBF5EB88320F54842AD519A7241CB789945CFA5

Function 00F3CE10 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F3CE97

Memory Dump Source

Source File: 00000000.00000002.1726693911.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_Quote 40240333-REV2.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a3f818b0deac9f02695b5b1bededf6affb9f94772be99c015748580ff4a5e87a
Instruction ID: aa2fe2239e869ddf1e8d4e691918d87a2e7f6a8a60fd60626063c58d0130787d
Opcode Fuzzy Hash: a3f818b0deac9f02695b5b1bededf6affb9f94772be99c015748580ff4a5e87a
Instruction Fuzzy Hash: 5021C4B5D002489FDB10CF9AD984ADEFBF5EB48320F14841AE918A3351D374A954DFA5

Function 072BB320 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 072BB396

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2159821d5766308a2644edcccd6ee4ab1fc0397126a2eed760e1f235efb611d3
Instruction ID: c32ccf93ffde0b358e0e7bf9c72220f347f2217019319f54399f036ff899a33c
Opcode Fuzzy Hash: 2159821d5766308a2644edcccd6ee4ab1fc0397126a2eed760e1f235efb611d3
Instruction Fuzzy Hash: 39116AB18002499FCB10DFA9C844ADFFFF5EF48310F148819E559A7250C7759544CFA1

Function 072BB328 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 072BB396

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 033d53d7c05ecf0f0ee191e3a3df69637bc11a9bcb60f16317ead253b86a8e5b
Instruction ID: 907a9e9fdd4563e6a1a3bf86cafe371f99d54d5ae19c09215ba8f95ddfb9f048
Opcode Fuzzy Hash: 033d53d7c05ecf0f0ee191e3a3df69637bc11a9bcb60f16317ead253b86a8e5b
Instruction Fuzzy Hash: 5C1126B19002499FCB10DFAAC845ADEFFF5EB88320F248819E519A7250C775A944DFA5

Function 072BAD61 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 072BADCA

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e956e51140c835e725d9f6ca1407d098d5e579c32f0ce0e04fd684f9a0508794
Instruction ID: 2f5cf17734bccafbd2d6ad810febe8ad4949ed4f6e298444ec92efbd9c8ecf9d
Opcode Fuzzy Hash: e956e51140c835e725d9f6ca1407d098d5e579c32f0ce0e04fd684f9a0508794
Instruction Fuzzy Hash: 341176B180034A8FCB20DFAAC4457DEFFF5EF88320F24881AD459A7240CB74A944CB94

Function 072BAD68 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 072BADCA

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 17410e4334de7ef308ad44b5a4fba6b2f363e5fdd46b7ca0b4dcc93c0ed94c15
Instruction ID: b11d57f84ac2b3b0ac7f723b1977beeb7f0f8e9971677eae1caae82135d03ead
Opcode Fuzzy Hash: 17410e4334de7ef308ad44b5a4fba6b2f363e5fdd46b7ca0b4dcc93c0ed94c15
Instruction Fuzzy Hash: 6E1136B1D003498FDB20DFAAC445BDEFBF5EB88324F64881AD519A7240CB75A944CFA5

Function 072BDF41 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 072BDFA5

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fcd41e0c26b3e6b261556eb85673d4c3c5c6ba8e1e625f053aedb75c77f4865c
Instruction ID: 522fa683a697e4d5c9aa76358e9274131509f8298d13cbb963daabfacefe764b
Opcode Fuzzy Hash: fcd41e0c26b3e6b261556eb85673d4c3c5c6ba8e1e625f053aedb75c77f4865c
Instruction Fuzzy Hash: 651106B58043499FDB10DF99C989BDEFFF8EB48314F10845AE958A3240C375A544CFA5

Function 00F3BB00 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00F3BB66

Memory Dump Source

Source File: 00000000.00000002.1726693911.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_Quote 40240333-REV2.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cba46ab5c1dfb5f7e319bf74d391deaff53f7a4976377f22b9d28276be357ffc
Instruction ID: 74a9d2176205aaccead420285267695d1b6029893eab2be89c214873bef3e00a
Opcode Fuzzy Hash: cba46ab5c1dfb5f7e319bf74d391deaff53f7a4976377f22b9d28276be357ffc
Instruction Fuzzy Hash: 0E11DFB6C003498FDB10DF9AC844A9EFBF5AB88320F10845AD519A7250C775A945CFA5

Function 072B9ADC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 072BDFA5

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2e62d0b896a9e5552c8d81fd5b5fdd5dcad766fac5253aab74b4d3b4b4f4ad13
Instruction ID: 23f3ce6fdf1beed2c1602daf9e9bdb36dc508e0398cee177bb029902a97689ad
Opcode Fuzzy Hash: 2e62d0b896a9e5552c8d81fd5b5fdd5dcad766fac5253aab74b4d3b4b4f4ad13
Instruction Fuzzy Hash: D51106B59143499FDB20DF99C449BDEFBF8EB48310F108459E518A7640C3B5A944CFA1

Function 0099D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720776716.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99d000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f6679534bbdded02d12a49cbb2b2dacc3dfe90cfdd38c7926d952e2920836c
Instruction ID: 69e69fabee37a3624433f0ea999b768dca0a014f993dcec03e72a8fb451d33b5
Opcode Fuzzy Hash: 20f6679534bbdded02d12a49cbb2b2dacc3dfe90cfdd38c7926d952e2920836c
Instruction Fuzzy Hash: B2213AB1505204DFDF05DF18D9C4B26BF69FB94324F24C56DD90A0B2A6C33AE856C7A2

Function 0099D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720776716.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99d000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d2b957ea8d21e09ffc5a0fcddd7fd9bbfe60a74b87a2ba687c01a84d3cafc4
Instruction ID: 3b3b8717242e0877044913e0411cbd562777738bc43be8a1a18c55955d66869d
Opcode Fuzzy Hash: b3d2b957ea8d21e09ffc5a0fcddd7fd9bbfe60a74b87a2ba687c01a84d3cafc4
Instruction Fuzzy Hash: D3213A71505240DFDF05DF18D9C0B26BF65FB98318F24C569E8090B25AC33AD856C7A2

Function 009AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722030057.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4e916f17b104cd43e1bbf3a855a4e4864c4966a5ae3677ad4584cdc9a738ee
Instruction ID: c371726e8ec85bdb5e89458fe65c8b0c8c85ae394d3d2c0004dc547de8c113dc
Opcode Fuzzy Hash: 7f4e916f17b104cd43e1bbf3a855a4e4864c4966a5ae3677ad4584cdc9a738ee
Instruction Fuzzy Hash: FD21F2B5605200DFDB14DF24D9C4B26BBA5FB99314F24C96DD80B4B796C33AD807CAA1

Function 009AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722030057.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70241f6ca9e352d94acaa746d58fe34bccccb5befa0e90f947c33f390c9224d
Instruction ID: e838aa18aef46d3d769af590d156e1ff9fd92f567053a5e6bd9160675fae58dc
Opcode Fuzzy Hash: b70241f6ca9e352d94acaa746d58fe34bccccb5befa0e90f947c33f390c9224d
Instruction Fuzzy Hash: E921F2B5605200EFDB05DF14D9C4B26BBA5FB95314F24CA6DEC1B4B692C33AD806CBA1

Function 009AD006 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722030057.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d09bc15ca4a29964078dca4c00af1333d5cd0270c1b175cc6d71016bd754aa8
Instruction ID: 3886a0901d69e02e9ed251ff342a8f6331bdfd50b24a86f5b6e3c1793d2ff3a3
Opcode Fuzzy Hash: 5d09bc15ca4a29964078dca4c00af1333d5cd0270c1b175cc6d71016bd754aa8
Instruction Fuzzy Hash: 2A219375509380CFDB16CF24D994715BF71EB46314F28C5DAD84A8B697C33AD80ACBA2

Function 0099D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720776716.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99d000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 16b5cea9f25e0b59acc7b2de788acd5c40c8d97d26836c72780f5ecf37ba70b4
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 38112676504240CFDF02CF04D5C4B16BF72FB94324F24C2A9D8090B2A6C33AE85ACBA1

Function 0099D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720776716.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99d000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 7875ef1e4e081cab872dc8cff896de98c03cec9e2f1f2463679762eb5760e04d
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 6011E676504280CFDF16CF14D5C4B16BF72FB94324F24C6A9E8494B65AC336D85ACBA2

Function 009AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722030057.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 575121eaa9d6068bbe18ad0997acd2c09adbdb7189ccfb5520e46948a5ebea96
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 2F11BB75904280DFDB02CF10C5C4B15BBB2FB85324F24C6ADDC4A4B6A6C33AD80ACBA1

Non-executed Functions

Function 072B8628 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc3c7b2bcbe2f4a0e5ac152147cfe6582b284beb6c1df53f33f3d83b80c765d
Instruction ID: a4696cd07b01ad3576406f438d3de2a91468686bc480bd8d2b9db38c62bb318d
Opcode Fuzzy Hash: 3cc3c7b2bcbe2f4a0e5ac152147cfe6582b284beb6c1df53f33f3d83b80c765d
Instruction Fuzzy Hash: 4DE11EB4E102198FDB14DFA8C5809AEFBF6FF89344F248169E419AB355D730A941CFA0

Function 072BA540 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6826f29e78fa82d0d9101e5c0dd5d969a2e051a6f92cc42d17577ba643dd2fcb
Instruction ID: 685216cc5936689328f219c097bf9d513e7e0e21bc30a0ace89cd6f6be3014f2
Opcode Fuzzy Hash: 6826f29e78fa82d0d9101e5c0dd5d969a2e051a6f92cc42d17577ba643dd2fcb
Instruction Fuzzy Hash: C4E10AB4E102198FDB24DFA9C5909AEFBB2FF89344F24C169E415AB355DB30A941CF60

Function 072B8E98 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e619343168da668fd161663884ea5d437c45d8be431eecb7ea37817dc07e2ba8
Instruction ID: b4829f4b7d9dd19cd1399391f63e3ed1addef64a7b1ed528aac632a72ac41dbe
Opcode Fuzzy Hash: e619343168da668fd161663884ea5d437c45d8be431eecb7ea37817dc07e2ba8
Instruction Fuzzy Hash: 39E11BB4E10219CFDB24DFA9C5809AEFBB2FF89344F248169E554AB355D730A981CF60

Function 072BAEF0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4beddcae5cc552880b08970306096caf1c89eba36289c72fba03f1d0d8f9a319
Instruction ID: ecd54f0d18e13d0f8c1525bd1d4971e86dfa6b22a84910b074dcdfaa8c3588fd
Opcode Fuzzy Hash: 4beddcae5cc552880b08970306096caf1c89eba36289c72fba03f1d0d8f9a319
Instruction Fuzzy Hash: 18E12AB4E102198FDB24DFA9C5809AEFBB2FF89344F248169E415AB355D731AD81CF60

Function 072B8A60 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2aed9f02e7b4de83547051d47d5ee4c1d76697209661323ec23d1d07ce9141
Instruction ID: e006bdfdee839285b1373359c0f3afdfca138d0a00fd4b1de33cb411a205a6a0
Opcode Fuzzy Hash: fa2aed9f02e7b4de83547051d47d5ee4c1d76697209661323ec23d1d07ce9141
Instruction Fuzzy Hash: 37E1FFB4E102198FDB14DFA9C5809AEFBB6FF89344F248169E419AB355D730AD41CFA0

Function 072B03F0 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91334bd99bc6a5a804d17c15afe1eeaee62cfa21072d2cc8e96b7e4e8136169
Instruction ID: a741db365890a812f81e07d07c889784883104189c48b1d307139ea117152924
Opcode Fuzzy Hash: e91334bd99bc6a5a804d17c15afe1eeaee62cfa21072d2cc8e96b7e4e8136169
Instruction Fuzzy Hash: B0D10731D10B5A8ADB01EB64D950A99B7B1FFD5300F20D79AE10937224FB706AD9CB81

Function 00F3D5B4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726693911.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be596f3fbf578d10cfe9dbf84010fca45b5c3e2b43140f8d3255cb69333c62c2
Instruction ID: 77db29cf48e1e7f2c57b47522931a1d9e5706dd9f361af1780d6fa856efa699b
Opcode Fuzzy Hash: be596f3fbf578d10cfe9dbf84010fca45b5c3e2b43140f8d3255cb69333c62c2
Instruction Fuzzy Hash: 6AA1BE72E002098FCF09DFB4D8445DEB7B2FF89320F15456AE805AB262DB35E955DB90

Function 072B0400 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f63f645d8ff5802db927705d45d28eb4513e7f194a1c05200bce5a14af6165
Instruction ID: f33f917e5bef4643f1d83ed7567d74cbf419d9490e823246edb0ca5219b8ae7c
Opcode Fuzzy Hash: 18f63f645d8ff5802db927705d45d28eb4513e7f194a1c05200bce5a14af6165
Instruction Fuzzy Hash: 9FD1F635D10B5A8ADB11EFA4D950A99B7B1FFD5300F20D79AE10937224FB706AD9CB80

Function 072BA530 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851baffc1e1e29bba129856197e3ed444059a36cdfa7976130128f06217a274f
Instruction ID: 5f09614482ffb24bbe8f4fb56a79465999512373ed57ca037e8f69efd0f474fa
Opcode Fuzzy Hash: 851baffc1e1e29bba129856197e3ed444059a36cdfa7976130128f06217a274f
Instruction Fuzzy Hash: 515129B0E102198FDB24CFA9C5805AEFBB2FF89340F24C169D418AB355DB309941CFA1

Function 072BAEE1 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734164323.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96dac3b0134b56218aabac237a1457060f48265324a12bb61d17ef10f57d4a4c
Instruction ID: 5c03ab1bb462ed06e20822411c04ec2c655933016396ab9e5f7fed80f742a5ba
Opcode Fuzzy Hash: 96dac3b0134b56218aabac237a1457060f48265324a12bb61d17ef10f57d4a4c
Instruction Fuzzy Hash: 005106B4E106198FDB14DFA9C5809AEFBB2FF89344F24816AD418AB355D731A942CF60

Analysis Process: Quote 40240333-REV2.exePID: 8144, Parent PID: 7920COMMON

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	26
Total number of Limit Nodes:	5

Executed Functions

Function 02B5BEC0 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02B5BF4E
GetCurrentThread.KERNEL32 ref: 02B5BF8B
GetCurrentProcess.KERNEL32 ref: 02B5BFC8
GetCurrentThreadId.KERNEL32 ref: 02B5C021

Memory Dump Source

Source File: 00000006.00000002.2942745713.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Quote 40240333-REV2.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 73ccb3b343ce297100b65723a86b23836b1cff2661be36c6f296eb22c91fd74e
Instruction ID: fd3df2c31dba0909a530755e2e1e59e9a80e0902522c8778db9b9b30c284d3bb
Opcode Fuzzy Hash: 73ccb3b343ce297100b65723a86b23836b1cff2661be36c6f296eb22c91fd74e
Instruction Fuzzy Hash: 285175B09003498FDB15DFA9D548BAEBFF1EF48304F208499E409A73A0DB395988CF65

Function 02B5BED0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02B5BF4E
GetCurrentThread.KERNEL32 ref: 02B5BF8B
GetCurrentProcess.KERNEL32 ref: 02B5BFC8
GetCurrentThreadId.KERNEL32 ref: 02B5C021

Memory Dump Source

Source File: 00000006.00000002.2942745713.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Quote 40240333-REV2.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a3a2259cd74a3d428d7d0b8461593387aee59f655afc5a6ec73373593f9dfdbd
Instruction ID: 3d674337855e3281d78d55f002c79adf1f9465e9d1a0ce16f42748dea345f26a
Opcode Fuzzy Hash: a3a2259cd74a3d428d7d0b8461593387aee59f655afc5a6ec73373593f9dfdbd
Instruction Fuzzy Hash: 635144B09003498FDB14DFA9D548BAEBFF5EF48314F208599E409A7390DB355984CF65

Function 065F3D88 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2946496528.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65f0000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbbaf92a1915612c75d448693a407fde01cfc891d4a5e89f61be150101704fa5
Instruction ID: 594cf6d37bf6edc0db7e4881f2401f36aeaa52054a76d37a981c71958cbaedb8
Opcode Fuzzy Hash: cbbaf92a1915612c75d448693a407fde01cfc891d4a5e89f61be150101704fa5
Instruction Fuzzy Hash: 24413331E143999FCB00CFB9D81069EBFF5EF8A210F0585AAE544E7281DB349945CBE1

Function 02B5C110 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B5C19F

Memory Dump Source

Source File: 00000006.00000002.2942745713.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Quote 40240333-REV2.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b36c3b904c88fd5f004fad104a276c8e2b1e127fb40284d52a78b13f4fcbe14c
Instruction ID: ab8332eea87115f7aa5dbaa991519132a8cc12aca1142bbc53ef61ee2dd557bb
Opcode Fuzzy Hash: b36c3b904c88fd5f004fad104a276c8e2b1e127fb40284d52a78b13f4fcbe14c
Instruction Fuzzy Hash: A82105B59003089FDB10CFA9D884ADEBFF5EB48310F10805AE918A7350D374A944CFA0

Function 02B5C118 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B5C19F

Memory Dump Source

Source File: 00000006.00000002.2942745713.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Quote 40240333-REV2.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 61c7887548ba513a63d68b1c9a798d491306f253526e73a359c550d487cbbd34
Instruction ID: eb6e7c43d6083f1538959277215d8f7409091b9695a850e3d3575edf0ce10a49
Opcode Fuzzy Hash: 61c7887548ba513a63d68b1c9a798d491306f253526e73a359c550d487cbbd34
Instruction Fuzzy Hash: 9621E4B59003089FDB10CFAAD984ADEBFF5EB48310F14805AE918A7350D374A944CFA5

Function 065F3E70 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 065F3ED7

Memory Dump Source

Source File: 00000006.00000002.2946496528.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_65f0000_Quote 40240333-REV2.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f258a4fd5f0a04c41c567ff1bbd17c41c6a07b4166214a56e5a8916e00bf04ed
Instruction ID: e194ebc17861aec52552061ad0f5aaa821c331f0a0f66c7dd98a11ebc5f63327
Opcode Fuzzy Hash: f258a4fd5f0a04c41c567ff1bbd17c41c6a07b4166214a56e5a8916e00bf04ed
Instruction Fuzzy Hash: 4E1112B1C0025A9BCB10DF9AC844ADEFBF4BF48320F11812AD918A7240D378A944CFA5

Function 0298D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2942237985.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_298d000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef48c7be6a17c73036b2c0b13c87920e5979034b8cfa5d2923a5d17fabf0842
Instruction ID: 38b0b873de0c4ad4f6c2a9f94ab35be00c97a3764918bd3ccec4462b88e134cd
Opcode Fuzzy Hash: 6ef48c7be6a17c73036b2c0b13c87920e5979034b8cfa5d2923a5d17fabf0842
Instruction Fuzzy Hash: C921D375604204DFDB14EF24D984B26BBA5EB84314F28C96DD80A4B386C33AD407CA71

Function 0298D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2942237985.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_298d000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b65b1588ab8f6d5fd8dcac5c33fd3c31a6017e3885ca354a492ae66306fc2f
Instruction ID: 9a432eb70aa07557f8a7a97e20776d8793ee6b1e50e82cf07c636de1f8edeb7c
Opcode Fuzzy Hash: f5b65b1588ab8f6d5fd8dcac5c33fd3c31a6017e3885ca354a492ae66306fc2f
Instruction Fuzzy Hash: 5B2181755093C08FDB12DF24D994715BF71EB46214F28C5DAD8898F6A7C33AD80ACB62

Function 0297D628 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2942158609.000000000297D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0297D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_297d000_Quote 40240333-REV2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1179505cdec67904f89a283f81bd4c4ef81cbf21b33d0b9fe5a6771eaa4e6e47
Instruction ID: 10a72ebb2d50fb788222971038ff6abedb6fb5c6cd40f5dac823cfe6fdd3b193
Opcode Fuzzy Hash: 1179505cdec67904f89a283f81bd4c4ef81cbf21b33d0b9fe5a6771eaa4e6e47
Instruction Fuzzy Hash: 8BF062724043449AEB208A16DC88B66FF9CEF55739F18C55AED4C4A296C3799844CAB1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quote 40240333-REV2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote 40240333-REV2.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ga1f4x0u.tdp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gswqkygp.w3f.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hx1gh5ii.2sv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_viszymfn.qth.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

Windows Analysis Report
Quote 40240333-REV2.exe

Function 00F3CBC8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 072BB669 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 072BB670 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00F3590D Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Function 00F344C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 072BB3E0 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 072BB3E8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 072BB4D1 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 072BAE10 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Function 072BAE18 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre