Edit tour

Windows Analysis Report
Quote5000AFC.exe

Overview

General Information

Sample name:	Quote5000AFC.exe
Analysis ID:	1563893
MD5:	bccc527001dea5e250fad96acebf5384
SHA1:	0e5bedec2bd6c58a0852b4d26fdc2fa7b572ca25
SHA256:	3420372e13d30995161a73ca1b87f59273f2e9986e6763b87527d91ed53df8ce
Tags:	exeuser-threatcat_ch
Infos:

Detection

AgentTesla, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large strings

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Quote5000AFC.exe (PID: 2656 cmdline: "C:\Users\user\Desktop\Quote5000AFC.exe" MD5: BCCC527001DEA5E250FAD96ACEBF5384)

powershell.exe (PID: 7192 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote5000AFC.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7456 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

Quote5000AFC.exe (PID: 7208 cmdline: "C:\Users\user\Desktop\Quote5000AFC.exe" MD5: BCCC527001DEA5E250FAD96ACEBF5384)

Quote5000AFC.exe (PID: 7232 cmdline: "C:\Users\user\Desktop\Quote5000AFC.exe" MD5: BCCC527001DEA5E250FAD96ACEBF5384)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2575203974.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1365517349.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.2573458565.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1354643484.0000000004423000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1354643484.0000000004423000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.2575203974.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2575203974.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Quote5000AFC.exe PID: 2656	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Quote5000AFC.exe PID: 7232	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Quote5000AFC.exe PID: 7232	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.Quote5000AFC.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quote5000AFC.exe.7ab0000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Quote5000AFC.exe.7ab0000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Quote5000AFC.exe.45ffed0.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quote5000AFC.exe.4628ef0.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quote5000AFC.exe.44238a0.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Quote5000AFC.exe.4628ef0.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quote5000AFC.exe.45ffed0.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x10e89:$s1: file:/// 0x10de5:$s2: {11111-22222-10009-11112} 0x10e19:$s3: {11111-22222-50001-00000} 0xf1b3:$s4: get_Module 0xaf5c8:$s5: Reverse 0x2010f0:$s5: Reverse 0x22a110:$s5: Reverse 0xb0c38:$s6: BlockCopy 0x202760:$s6: BlockCopy 0x22b780:$s6: BlockCopy 0xaf76e:$s7: ReadByte 0x201296:$s7: ReadByte 0x22a2b6:$s7: ReadByte 0x10e9b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote5000AFC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote5000AFC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote5000AFC.exe", ParentImage: C:\Users\user\Desktop\Quote5000AFC.exe, ParentProcessId: 2656, ParentProcessName: Quote5000AFC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote5000AFC.exe", ProcessId: 7192, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 199.79.62.115, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Quote5000AFC.exe, Initiated: true, ProcessId: 7232, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49726

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote5000AFC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote5000AFC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote5000AFC.exe", ParentImage: C:\Users\user\Desktop\Quote5000AFC.exe, ParentProcessId: 2656, ParentProcessName: Quote5000AFC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote5000AFC.exe", ProcessId: 7192, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T16:05:06.304898+0100	2030171	1	A Network Trojan was detected	192.168.2.9	49726	199.79.62.115	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T16:05:21.589380+0100	2855542	1	A Network Trojan was detected	192.168.2.9	49726	199.79.62.115	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T16:05:21.589380+0100	2855245	1	A Network Trojan was detected	192.168.2.9	49726	199.79.62.115	587	TCP

ETPRO MALWARE Win32/Agent Tesla SMTP Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T16:05:06.304898+0100	2839723	1	Malware Command and Control Activity Detected	192.168.2.9	49726	199.79.62.115	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T16:05:06.304898+0100	2840032	1	A Network Trojan was detected	192.168.2.9	49726	199.79.62.115	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}

Multi AV Scanner detection for submitted file

Source: Quote5000AFC.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Quote5000AFC.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: /log.tmp
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <br>[
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ]<br>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <br>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Time:
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <br>User Name:
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <br>Computer Name:
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <br>OSFullName:
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <br>CPU:
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <br>RAM:
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <br>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: IP Address:
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <br>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <hr>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: New
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: IP Address:
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: false
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: false
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: false
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: false
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: false
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: false
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: false
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: false
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: false
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: mail.mbarieservicesltd.com
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: saless@mbarieservicesltd.com
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: *o9H+18Q4%;M
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: iinfo@mbarieservicesltd.com
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: false
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: false
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: appdata
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: KTvkzEc
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: KTvkzEc.exe
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: KTvkzEc
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Type
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <br>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <hr>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <br>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <b>[
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ]</b> (
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: )<br>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {BACK}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {ALT+TAB}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {ALT+F4}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {TAB}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {ESC}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {Win}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {CAPSLOCK}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {KEYUP}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {KEYDOWN}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {KEYLEFT}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {KEYRIGHT}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {DEL}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {END}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {HOME}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {Insert}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {NumLock}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {PageDown}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {PageUp}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {ENTER}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {F1}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {F2}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {F3}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {F4}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {F5}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {F6}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {F7}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {F8}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {F9}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {F10}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {F11}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {F12}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: control
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {CTRL}
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: &
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: >
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: "
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <hr>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: logins
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: IE/Edge
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Windows Secure Note
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Windows Web Password Credential
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Windows Credential Picker Protector
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Web Credentials
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Windows Credentials
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Windows Domain Certificate Credential
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Windows Domain Password Credential
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Windows Extended Credential
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SchemaId
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: pResourceElement
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: pPackageSid
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: IE/Edge
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: UC Browser
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: UCBrowser\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Login Data
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: journal
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: wow_logins
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Safari for Windows
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <array>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <dict>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <string>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: </string>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <string>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: </string>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <data>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: </data>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: -convert xml1 -s -o "
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \fixed_keychain.xml"
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Microsoft\Protect\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: credential
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: QQ Browser
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Default\EncryptedStorage
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Profile
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \EncryptedStorage
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: entries
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: category
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: str3
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: str2
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: blob0
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: password_value
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: IncrediMail
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: PopPassword
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Accounts_New
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: PopPassword
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SmtpServer
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: EmailAddress
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Eudora
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: current
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Settings
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SavePasswordText
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Settings
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ReturnAddress
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Falkon Browser
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \falkon\profiles\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: profiles.ini
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: profiles.ini
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \browsedata.db
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: autofill
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ClawsMail
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Claws-mail
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \clawsrc
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \clawsrc
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: passkey0
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \accountrc
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: smtp_server
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: address
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: account
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \passwordstorerc
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: {(.),(.)}(.*)
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Flock Browser
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Flock\Browser\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: signons3.txt
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: DynDns
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: username=
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: password=
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: https://account.dyn.com/
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: t6KzXhCh
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: global
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: accounts
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: account.
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: username
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: account.
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: name
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Psi\profiles
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Psi+\profiles
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: OpenVPN
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: username
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: auth-data
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: entropy
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: USERPROFILE
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \OpenVPN\config\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: remote
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: remote
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: NordVPN
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: NordVPN
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: NordVpn.exe*
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: user.config
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: //setting[@name='Username']/value
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: NordVPN
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: %ProgramW6432%
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Private Internet Access\data
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Private Internet Access\data
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \account.json
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ."username":"(.?)"
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ."password":"(.?)"
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: privateinternetaccess.com
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: FileZilla
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <Server>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <Host>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <Host>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: </Host>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <Port>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: </Port>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <User>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <User>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: </User>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: </Pass>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <Pass>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: </Pass>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: CoreFTP
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: User
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Host
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Port
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: hdfzpysvpzimorhk
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: WinSCP
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: HostName
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: UserName
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: PublicKeyFile
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: PortNumber
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: WinSCP
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ABCDEF
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Flash FXP
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: port
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: user
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: pass
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: quick.dat
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Sites.dat
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: FTP Navigator
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SystemDrive
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Server
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: No Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: User
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SmartFTP
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: WS_FTP
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: appdata
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: HOST
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: PWD=
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: PWD=
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: FtpCommander
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SystemDrive
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SystemDrive
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SystemDrive
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \cftp\Ftplist.txt
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ;Password=
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ;User=
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ;Server=
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ;Port=
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ;Port=
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ;Password=
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ;User=
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ;Anonymous=
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: FTPGetter
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \FTPGetter\servers.xml
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <server>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <server_ip>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <server_ip>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: </server_ip>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <server_port>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: </server_port>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: </server_user_name>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: </server_user_password>
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: FTPGetter
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: The Bat!
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: appdata
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \The Bat!
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Becky!
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: DataDir
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Folder.lst
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Mailbox.ini
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Account
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: PassWd
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Account
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SMTPServer
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Account
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: MailAddress
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Becky!
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Outlook
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Email
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: IMAP Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: POP3 Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: HTTP Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SMTP Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Email
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Email
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Email
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: IMAP Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: POP3 Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: HTTP Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SMTP Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Server
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Windows Mail App
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Email
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Server
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SchemaId
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: pResourceElement
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: pPackageSid
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: syncpassword
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: mailoutgoing
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: FoxMail
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Executable
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: FoxmailPath
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Storage\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Storage\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \mail
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \mail
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Account.stg
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Account.stg
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: POP3Host
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SMTPHost
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: IncomingServer
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Account
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: MailAddress
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: POP3Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Opera Mail
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: opera:
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: PocoMail
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: appdata
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Pocomail\accounts.ini
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Email
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: POPPass
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SMTPPass
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SMTP
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: eM Client
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: eM Client\accounts.dat
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: eM Client
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Accounts
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: "Username":"
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: "Secret":"
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: "ProviderName":"
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: o6806642kbM7c5
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Mailbird
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SenderIdentities
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Accounts
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Server_Host
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Accounts
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Email
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Username
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: EncryptedPassword
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Mailbird
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\ORL\WinVNC3
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: TightVNC
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: TightVNC
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: PasswordViewOnly
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: TightVNC ControlPassword
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ControlPassword
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: TigerVNC
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\TigerVNC\Server
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Password
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: passwd
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: passwd2
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: passwd
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: passwd2
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: passwd
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: passwd2
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: passwd
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: passwd2
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: JDownloader 2.0
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Paltalk
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack	String decryptor: nickname

Source: Quote5000AFC.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Quote5000AFC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: PglK.pdb source: Quote5000AFC.exe
Source:	Binary string: PglK.pdbSHA256 source: Quote5000AFC.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.9:49726 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.9:49726 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.9:49726 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.9:49726 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.9:49726 -> 199.79.62.115:587

Source: global traffic

TCP traffic: 192.168.2.9:49726 -> 199.79.62.115:587

Source: Joe Sandbox View

IP Address: 199.79.62.115 199.79.62.115

Source: global traffic

TCP traffic: 192.168.2.9:49726 -> 199.79.62.115:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.mbarieservicesltd.com

Source: Quote5000AFC.exe, 00000006.00000002.2575203974.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.mbarieservicesltd.com
Source: Quote5000AFC.exe, 00000000.00000002.1345226496.0000000003361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quote5000AFC.exe	String found in binary or memory: https://cdn.pixabay.com/photo/2017/02/12/21/29/false-2061132_640.png

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack, type: UNPACKEDPE

Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large strings

Source: Quote5000AFC.exe, frmBandaMusical.cs

Long String: Length: 144230

Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_057A4210	0_2_057A4210
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_057A6F93	0_2_057A6F93
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_057AD524	0_2_057AD524
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_05DAF3C0	0_2_05DAF3C0
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_05DAF3B0	0_2_05DAF3B0
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_07B24000	0_2_07B24000
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_07B20040	0_2_07B20040
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_07B2C7E8	0_2_07B2C7E8
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_07B2C7D8	0_2_07B2C7D8
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_07B285D8	0_2_07B285D8
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_07B2C3B0	0_2_07B2C3B0
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_07B2C38F	0_2_07B2C38F
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_07B20016	0_2_07B20016
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_07B2CC20	0_2_07B2CC20
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_07B2CC18	0_2_07B2CC18
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_07B2EC78	0_2_07B2EC78
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_07B23888	0_2_07B23888
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 0_2_07B23878	0_2_07B23878
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 6_2_01054140	6_2_01054140
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 6_2_01054D58	6_2_01054D58
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Code function: 6_2_01054488	6_2_01054488

Source: Quote5000AFC.exe, 00000000.00000002.1345226496.00000000033AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs Quote5000AFC.exe
Source: Quote5000AFC.exe, 00000000.00000002.1343034718.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quote5000AFC.exe
Source: Quote5000AFC.exe, 00000000.00000002.1365517349.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Quote5000AFC.exe
Source: Quote5000AFC.exe, 00000000.00000002.1354643484.0000000004423000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Quote5000AFC.exe
Source: Quote5000AFC.exe, 00000000.00000002.1354643484.0000000004423000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs Quote5000AFC.exe
Source: Quote5000AFC.exe, 00000000.00000002.1354643484.0000000004423000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Quote5000AFC.exe
Source: Quote5000AFC.exe, 00000000.00000000.1328454408.0000000000F62000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePglK.exeJ vs Quote5000AFC.exe
Source: Quote5000AFC.exe, 00000000.00000002.1366386062.0000000008330000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Quote5000AFC.exe
Source: Quote5000AFC.exe, 00000000.00000002.1354643484.0000000004361000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Quote5000AFC.exe
Source: Quote5000AFC.exe, 00000006.00000002.2573905084.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quote5000AFC.exe
Source: Quote5000AFC.exe, 00000006.00000002.2573458565.000000000042C000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs Quote5000AFC.exe
Source: Quote5000AFC.exe, 00000006.00000002.2573668937.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quote5000AFC.exe
Source: Quote5000AFC.exe	Binary or memory string: OriginalFilenamePglK.exeJ vs Quote5000AFC.exe

Source: Quote5000AFC.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: 0.2.Quote5000AFC.exe.7ab0000.7.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quote5000AFC.exe.45ffed0.3.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote5000AFC.exe.45ffed0.3.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Quote5000AFC.exe.45ffed0.3.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote5000AFC.exe.45ffed0.3.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote5000AFC.exe.45ffed0.3.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote5000AFC.exe.45ffed0.3.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote5000AFC.exe.45ffed0.3.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote5000AFC.exe.45ffed0.3.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, MBRLIrOJOUmispcUuY.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, MBRLIrOJOUmispcUuY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, MBRLIrOJOUmispcUuY.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, IVQJXHcGfMIkGEGaNs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, IVQJXHcGfMIkGEGaNs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, MBRLIrOJOUmispcUuY.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, MBRLIrOJOUmispcUuY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, MBRLIrOJOUmispcUuY.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/6@3/1

Source: C:\Users\user\Desktop\Quote5000AFC.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote5000AFC.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Quote5000AFC.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wrllasph.01l.ps1

Jump to behavior

Source: Quote5000AFC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Quote5000AFC.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Quote5000AFC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quote5000AFC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quote5000AFC.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quote5000AFC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quote5000AFC.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\Quote5000AFC.exe "C:\Users\user\Desktop\Quote5000AFC.exe"
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote5000AFC.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process created: C:\Users\user\Desktop\Quote5000AFC.exe "C:\Users\user\Desktop\Quote5000AFC.exe"
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process created: C:\Users\user\Desktop\Quote5000AFC.exe "C:\Users\user\Desktop\Quote5000AFC.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote5000AFC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process created: C:\Users\user\Desktop\Quote5000AFC.exe "C:\Users\user\Desktop\Quote5000AFC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process created: C:\Users\user\Desktop\Quote5000AFC.exe "C:\Users\user\Desktop\Quote5000AFC.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Quote5000AFC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Quote5000AFC.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Quote5000AFC.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Quote5000AFC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quote5000AFC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Quote5000AFC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: PglK.pdb source: Quote5000AFC.exe
Source:	Binary string: PglK.pdbSHA256 source: Quote5000AFC.exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Quote5000AFC.exe.7ab0000.7.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: Quote5000AFC.exe, frmBandaMusical.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, MBRLIrOJOUmispcUuY.cs	.Net Code: dkFaI1F8SS System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, MBRLIrOJOUmispcUuY.cs	.Net Code: dkFaI1F8SS System.Reflection.Assembly.Load(byte[])

Source: Quote5000AFC.exe

Static PE information: 0xEF6492E9 [Tue Apr 9 11:37:13 2097 UTC]

Source: Quote5000AFC.exe

Static PE information: section name: .text entropy: 6.879196879505944

Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, MrcCSIFFGhu09edDeBy.cs	High entropy of concatenated method names: 'LwJlT0DpqK', 'XSKlzpI0Nu', 'eUh2DUfZnX', 'z842FtQ3j6', 'bLj2QEm6GX', 'DdU2mP7SIP', 'LGA2aXkyrx', 'YcC2eydDmL', 'aZP2HmTW6m', 'Mjy2C0NQd1'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, GmT8GaV852P9OGORDm.cs	High entropy of concatenated method names: 'zsThcVpUtj', 'VwyhpKm8eO', 'QZBh0sQjc4', 'La1h4cMdlZ', 'vtvhKRA8M2', 'khPh60BtGp', 'SC7hjSnopy', 'CCYhsCiRCV', 'BVKh9y0oKo', 'xB6hufjXwv'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, HAJqRIqwTG1msecCBW.cs	High entropy of concatenated method names: 'JBmB1oF0yu', 'EnxBTn7ash', 'RgIfDwX68A', 'UtpfFPpUsA', 'erNBudr7Bc', 'Sp5ByK95HJ', 'BS5BVjHp1Y', 'LYfBPuXmRw', 'iHhBZ3Y7cf', 'frEBUXP0Vo'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, hWTjtvPnNpyVRBVAKQ.cs	High entropy of concatenated method names: 'mQbk97lIGV', 'iXxkycBjR3', 'pORkPfE31F', 'MqRkZ5bssQ', 'lHVk4H7EYl', 'MN5kiEchXC', 'gJokK3Fygt', 'BSyk6JRnCD', 'm5hkxWKJSc', 'wU7kjxfkLW'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, dj9GuuFDvluDaC6cPXr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'z6cluSFgwN', 'vMElyQpYv0', 'mSdlVRsrw7', 'UcVlPpCMTE', 'JYOlZhf0ud', 'UMslU8Zs82', 'd7ml38OBNs'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, BUiqY1U1mSaT3VyrUn.cs	High entropy of concatenated method names: 'ToString', 'aIdNubRK1x', 'RwUN4TZ2PJ', 'VjNNimwysL', 'PKiNKwZCCQ', 'c5nN6EeDNG', 'wQ6NxiSDim', 'GwgNjZ8GBS', 'Tm4Nsm4HBW', 'eXGNSR1oB9'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, qEPoPwQjNwUNRNE8qs.cs	High entropy of concatenated method names: 'i0rIUXV0f', 'ukSrR2M82', 'ws2AWAgg3', 'twKoyACb4', 'YsopdgJqW', 'jkstxwtXv', 'AEIIFSxHkZN2raq22H', 'AvFG0LDppHHL7w1mPq', 'n5MCZMJf2Iq5xaPDNy', 'sC5fZxPUR'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, x4HM03zulI9PpW9Djp.cs	High entropy of concatenated method names: 'KKslAaMSnF', 'a85lcP2Ix7', 'apHlpjtF2k', 'Hval0Lt2qZ', 'b4rl4maoQh', 'rVGlKy4hLV', 'YdCl6xZiDL', 'qpMl7OZsE5', 'mVUl5EEjr0', 'VoRlRosHH9'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, R7qHRpSHnHvgeyU4gN.cs	High entropy of concatenated method names: 'hSbw5NmSPW', 'AYMwRLmlYw', 'gj0wIEo2PW', 'IewwrK4gxW', 'OvNwLcpwHd', 'Q3cwAdwjMU', 'hlbwomHE3L', 'OfIwccKcxR', 'AumwpUubp3', 'yO1wtowC56'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, t1HU5dTF6iTiVBbq2V.cs	High entropy of concatenated method names: 'VTClYuvHwj', 'x7HlEnWrd3', 'QMklGPqDgs', 'o4VlwxegOE', 'osZl87rr1V', 'LQclOhmVOo', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, bQ4YycaBcm7k7OLG96.cs	High entropy of concatenated method names: 'GOKFwVQJXH', 'ifMFOIkGEG', 'PwqFgfVUG9', 'PkTFW5bxPX', 'BhvFkNVw7J', 'v7aFNX7Mys', 'qy878QKIE12fpEEc9N', 'ogcjkv5Hwa7F0YbOnB', 'uWvFF42ErH', 'dBLFmDsftY'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, w25ilsXauxfV9u6gZ1.cs	High entropy of concatenated method names: 'TK18k5bUiM', 'jVE8BNELec', 'HCi88Ck5m1', 'EhK82E4q5u', 'Ui08MuQd50', 'VET87GRkBc', 'Dispose', 'BSsfHxCF57', 'EvTfCLmXHW', 'LmYfYka2jn'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, SULNS7CAYMqmBmnKMl.cs	High entropy of concatenated method names: 'Dispose', 'KfVFd9u6gZ', 'pEPQ4udcYt', 'vORaEKBTuk', 'XbIFTg8CRf', 'lK4FzLQr2t', 'ProcessDialogKey', 'FIJQDO2oKW', 'OjaQFtHE1c', 'fVEQQ21HU5'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, NqPvxQYh55pJf2EeX3.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fe4QdrwSJH', 'FbwQTuO0Sk', 'av4QzPO3mL', 'wfomDDUDWL', 'dWimFdZmd4', 'PYEmQAeEmT', 'tXymm2wwO7', 'qUUFKrZZ8O7AYTXnBg2'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, OtX0TypwqfVUG9ykT5.cs	High entropy of concatenated method names: 'nv0Yrhrvqh', 'T9jYARrFiN', 'uIDYcuxcO3', 'ttNYpkk70X', 'IkEYkuxKF2', 'synYN9KB6W', 'JxiYBy1DmL', 'ksKYfrwfYx', 'XUFY8giR4V', 'bvXYlE37c2'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, wxPXQktKZSX0ZLhvNV.cs	High entropy of concatenated method names: 'GrmEL9ibUn', 'CGmEo6NPok', 'ltGYimSLPN', 'sRYYKawXjl', 'PpXY6GBrgs', 'pd3Yxj4RpI', 'UbrYjabVcl', 'U9gYsOgeFo', 'M4QYS7HPkU', 'aQrY9rkXVW'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, IVQJXHcGfMIkGEGaNs.cs	High entropy of concatenated method names: 'IhTCPI8KBC', 'QtoCZdbOkt', 'RrcCUEJ3v8', 'kf5C39dcW1', 'keSCnCAIkT', 'KPkCqoeLBL', 'WYNCXBZYIv', 'AqVC1QAxve', 'q48CdB0UpO', 'T08CTmV1tp'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, lO2oKWd9jatHE1cHVE.cs	High entropy of concatenated method names: 'A6n80bUou4', 'Qg584XO59D', 'XrA8irWB2S', 'sLd8KNZBWW', 'hcI864IUDD', 'v3h8xZRT2c', 'jr28jFW5D7', 'b8f8sj8aTV', 'pjx8S1C8B7', 'OtQ89074an'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, j7JM7a0X7Mys57wvmB.cs	High entropy of concatenated method names: 'HhEGeNj9tp', 'BX1GCmp0Wn', 'jfdGEXiBlh', 'YJJGwG2Ucl', 'jaHGOFh4kq', 'gYDEn3su3w', 'SRYEqDaYl9', 'nhBEXaNJDQ', 'z1HE19HIFp', 'XsoEdEUyGg'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, MBRLIrOJOUmispcUuY.cs	High entropy of concatenated method names: 'eRBme54uUv', 'khMmHvylMo', 'TAkmCq4obo', 'jxKmYROjek', 'zmmmEQ58qU', 'nvCmGP1fLq', 'fWemw5AcYq', 'eaFmONWCAA', 'AlBmJBQ7bx', 'Ibmmgn7boW'
Source: 0.2.Quote5000AFC.exe.43b0060.4.raw.unpack, RDcms2jdR90BSrlooh.cs	High entropy of concatenated method names: 'XeqwHwP14u', 'RLfwY5i07U', 'XKdwG3lkuF', 'uZcGTMl8wq', 'bBcGz8yqfC', 'v1awDqGVZd', 'UtIwFb1agO', 'bTbwQ9LSVv', 'ruLwmYQ9Ta', 'an2waoh0M4'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, MrcCSIFFGhu09edDeBy.cs	High entropy of concatenated method names: 'LwJlT0DpqK', 'XSKlzpI0Nu', 'eUh2DUfZnX', 'z842FtQ3j6', 'bLj2QEm6GX', 'DdU2mP7SIP', 'LGA2aXkyrx', 'YcC2eydDmL', 'aZP2HmTW6m', 'Mjy2C0NQd1'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, GmT8GaV852P9OGORDm.cs	High entropy of concatenated method names: 'zsThcVpUtj', 'VwyhpKm8eO', 'QZBh0sQjc4', 'La1h4cMdlZ', 'vtvhKRA8M2', 'khPh60BtGp', 'SC7hjSnopy', 'CCYhsCiRCV', 'BVKh9y0oKo', 'xB6hufjXwv'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, HAJqRIqwTG1msecCBW.cs	High entropy of concatenated method names: 'JBmB1oF0yu', 'EnxBTn7ash', 'RgIfDwX68A', 'UtpfFPpUsA', 'erNBudr7Bc', 'Sp5ByK95HJ', 'BS5BVjHp1Y', 'LYfBPuXmRw', 'iHhBZ3Y7cf', 'frEBUXP0Vo'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, hWTjtvPnNpyVRBVAKQ.cs	High entropy of concatenated method names: 'mQbk97lIGV', 'iXxkycBjR3', 'pORkPfE31F', 'MqRkZ5bssQ', 'lHVk4H7EYl', 'MN5kiEchXC', 'gJokK3Fygt', 'BSyk6JRnCD', 'm5hkxWKJSc', 'wU7kjxfkLW'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, dj9GuuFDvluDaC6cPXr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'z6cluSFgwN', 'vMElyQpYv0', 'mSdlVRsrw7', 'UcVlPpCMTE', 'JYOlZhf0ud', 'UMslU8Zs82', 'd7ml38OBNs'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, BUiqY1U1mSaT3VyrUn.cs	High entropy of concatenated method names: 'ToString', 'aIdNubRK1x', 'RwUN4TZ2PJ', 'VjNNimwysL', 'PKiNKwZCCQ', 'c5nN6EeDNG', 'wQ6NxiSDim', 'GwgNjZ8GBS', 'Tm4Nsm4HBW', 'eXGNSR1oB9'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, qEPoPwQjNwUNRNE8qs.cs	High entropy of concatenated method names: 'i0rIUXV0f', 'ukSrR2M82', 'ws2AWAgg3', 'twKoyACb4', 'YsopdgJqW', 'jkstxwtXv', 'AEIIFSxHkZN2raq22H', 'AvFG0LDppHHL7w1mPq', 'n5MCZMJf2Iq5xaPDNy', 'sC5fZxPUR'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, x4HM03zulI9PpW9Djp.cs	High entropy of concatenated method names: 'KKslAaMSnF', 'a85lcP2Ix7', 'apHlpjtF2k', 'Hval0Lt2qZ', 'b4rl4maoQh', 'rVGlKy4hLV', 'YdCl6xZiDL', 'qpMl7OZsE5', 'mVUl5EEjr0', 'VoRlRosHH9'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, R7qHRpSHnHvgeyU4gN.cs	High entropy of concatenated method names: 'hSbw5NmSPW', 'AYMwRLmlYw', 'gj0wIEo2PW', 'IewwrK4gxW', 'OvNwLcpwHd', 'Q3cwAdwjMU', 'hlbwomHE3L', 'OfIwccKcxR', 'AumwpUubp3', 'yO1wtowC56'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, t1HU5dTF6iTiVBbq2V.cs	High entropy of concatenated method names: 'VTClYuvHwj', 'x7HlEnWrd3', 'QMklGPqDgs', 'o4VlwxegOE', 'osZl87rr1V', 'LQclOhmVOo', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, bQ4YycaBcm7k7OLG96.cs	High entropy of concatenated method names: 'GOKFwVQJXH', 'ifMFOIkGEG', 'PwqFgfVUG9', 'PkTFW5bxPX', 'BhvFkNVw7J', 'v7aFNX7Mys', 'qy878QKIE12fpEEc9N', 'ogcjkv5Hwa7F0YbOnB', 'uWvFF42ErH', 'dBLFmDsftY'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, w25ilsXauxfV9u6gZ1.cs	High entropy of concatenated method names: 'TK18k5bUiM', 'jVE8BNELec', 'HCi88Ck5m1', 'EhK82E4q5u', 'Ui08MuQd50', 'VET87GRkBc', 'Dispose', 'BSsfHxCF57', 'EvTfCLmXHW', 'LmYfYka2jn'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, SULNS7CAYMqmBmnKMl.cs	High entropy of concatenated method names: 'Dispose', 'KfVFd9u6gZ', 'pEPQ4udcYt', 'vORaEKBTuk', 'XbIFTg8CRf', 'lK4FzLQr2t', 'ProcessDialogKey', 'FIJQDO2oKW', 'OjaQFtHE1c', 'fVEQQ21HU5'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, NqPvxQYh55pJf2EeX3.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fe4QdrwSJH', 'FbwQTuO0Sk', 'av4QzPO3mL', 'wfomDDUDWL', 'dWimFdZmd4', 'PYEmQAeEmT', 'tXymm2wwO7', 'qUUFKrZZ8O7AYTXnBg2'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, OtX0TypwqfVUG9ykT5.cs	High entropy of concatenated method names: 'nv0Yrhrvqh', 'T9jYARrFiN', 'uIDYcuxcO3', 'ttNYpkk70X', 'IkEYkuxKF2', 'synYN9KB6W', 'JxiYBy1DmL', 'ksKYfrwfYx', 'XUFY8giR4V', 'bvXYlE37c2'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, wxPXQktKZSX0ZLhvNV.cs	High entropy of concatenated method names: 'GrmEL9ibUn', 'CGmEo6NPok', 'ltGYimSLPN', 'sRYYKawXjl', 'PpXY6GBrgs', 'pd3Yxj4RpI', 'UbrYjabVcl', 'U9gYsOgeFo', 'M4QYS7HPkU', 'aQrY9rkXVW'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, IVQJXHcGfMIkGEGaNs.cs	High entropy of concatenated method names: 'IhTCPI8KBC', 'QtoCZdbOkt', 'RrcCUEJ3v8', 'kf5C39dcW1', 'keSCnCAIkT', 'KPkCqoeLBL', 'WYNCXBZYIv', 'AqVC1QAxve', 'q48CdB0UpO', 'T08CTmV1tp'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, lO2oKWd9jatHE1cHVE.cs	High entropy of concatenated method names: 'A6n80bUou4', 'Qg584XO59D', 'XrA8irWB2S', 'sLd8KNZBWW', 'hcI864IUDD', 'v3h8xZRT2c', 'jr28jFW5D7', 'b8f8sj8aTV', 'pjx8S1C8B7', 'OtQ89074an'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, j7JM7a0X7Mys57wvmB.cs	High entropy of concatenated method names: 'HhEGeNj9tp', 'BX1GCmp0Wn', 'jfdGEXiBlh', 'YJJGwG2Ucl', 'jaHGOFh4kq', 'gYDEn3su3w', 'SRYEqDaYl9', 'nhBEXaNJDQ', 'z1HE19HIFp', 'XsoEdEUyGg'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, MBRLIrOJOUmispcUuY.cs	High entropy of concatenated method names: 'eRBme54uUv', 'khMmHvylMo', 'TAkmCq4obo', 'jxKmYROjek', 'zmmmEQ58qU', 'nvCmGP1fLq', 'fWemw5AcYq', 'eaFmONWCAA', 'AlBmJBQ7bx', 'Ibmmgn7boW'
Source: 0.2.Quote5000AFC.exe.8330000.8.raw.unpack, RDcms2jdR90BSrlooh.cs	High entropy of concatenated method names: 'XeqwHwP14u', 'RLfwY5i07U', 'XKdwG3lkuF', 'uZcGTMl8wq', 'bBcGz8yqfC', 'v1awDqGVZd', 'UtIwFb1agO', 'bTbwQ9LSVv', 'ruLwmYQ9Ta', 'an2waoh0M4'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Quote5000AFC.exe PID: 2656, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Quote5000AFC.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Quote5000AFC.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Memory allocated: 3360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Memory allocated: 99A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Memory allocated: 84E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Memory allocated: A9A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Memory allocated: B9A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Memory allocated: 1050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Memory allocated: 2870000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6306	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2702	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Window / User API: threadDelayed 3110	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Window / User API: threadDelayed 6676	Jump to behavior

Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 5112	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7432	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7404	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7428	Thread sleep count: 3110 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7428	Thread sleep count: 6676 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -99405s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -99076s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -98947s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -98828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -98684s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -98570s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -98260s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -98135s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -98016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -97906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -97797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -97684s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -97468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -97250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -97141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -97030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -96922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -96813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -96688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -96563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -96438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -96219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -96094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -95984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -95875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -95766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -95656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -95547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -95438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -95313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -95203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -95093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -94982s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -94875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -94766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -94641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -94531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -94422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -94313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe TID: 7440	Thread sleep time: -94188s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Quote5000AFC.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Quote5000AFC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quote5000AFC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 99405	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 99076	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 98947	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 98684	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 98570	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 98260	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 98135	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 98016	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 97797	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 97684	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 97468	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 97141	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 97030	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 96922	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 96813	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 96688	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 96563	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 96438	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 96219	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 96094	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 95984	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 95875	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 95766	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 95656	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 95547	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 95438	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 95313	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 95203	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 95093	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 94982	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 94875	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 94766	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 94641	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 94531	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 94422	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 94313	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Thread delayed: delay time: 94188	Jump to behavior

Source: Quote5000AFC.exe, 00000000.00000002.1343034718.00000000014E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\I,
Source: Quote5000AFC.exe, 00000006.00000002.2573905084.0000000000D54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA

Source: C:\Users\user\Desktop\Quote5000AFC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Quote5000AFC.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote5000AFC.exe"
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote5000AFC.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Quote5000AFC.exe

Memory written: C:\Users\user\Desktop\Quote5000AFC.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote5000AFC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process created: C:\Users\user\Desktop\Quote5000AFC.exe "C:\Users\user\Desktop\Quote5000AFC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Process created: C:\Users\user\Desktop\Quote5000AFC.exe "C:\Users\user\Desktop\Quote5000AFC.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Quote5000AFC.exe	Queries volume information: C:\Users\user\Desktop\Quote5000AFC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Queries volume information: C:\Users\user\Desktop\Quote5000AFC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quote5000AFC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 6.2.Quote5000AFC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.45ffed0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.4628ef0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.4628ef0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.45ffed0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2573458565.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1354643484.0000000004423000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000006.00000002.2575203974.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2575203974.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote5000AFC.exe PID: 7232, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Quote5000AFC.exe.7ab0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.7ab0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.44238a0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1365517349.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1354643484.0000000004423000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Quote5000AFC.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Quote5000AFC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Quote5000AFC.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Quote5000AFC.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\Quote5000AFC.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000006.00000002.2575203974.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote5000AFC.exe PID: 7232, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 6.2.Quote5000AFC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.45ffed0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.4628ef0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.4628ef0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.45ffed0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2573458565.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1354643484.0000000004423000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000006.00000002.2575203974.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2575203974.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote5000AFC.exe PID: 7232, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Quote5000AFC.exe.7ab0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.7ab0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.44238a0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1365517349.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1354643484.0000000004423000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.Quote5000AFC.exe.44238a0.6.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quote5000AFC.exe	34%	ReversingLabs
Quote5000AFC.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high
mail.mbarieservicesltd.com	199.79.62.115	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Quote5000AFC.exe, 00000000.00000002.1345226496.0000000003361000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.pixabay.com/photo/2017/02/12/21/29/false-2061132_640.png	Quote5000AFC.exe	false	high
http://mail.mbarieservicesltd.com	Quote5000AFC.exe, 00000006.00000002.2575203974.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.79.62.115	mail.mbarieservicesltd.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1563893
Start date and time:	2024-11-27 16:04:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quote5000AFC.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/6@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 103 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Quote5000AFC.exe

Simulations

Behavior and APIs

Time	Type	Description
10:05:11	API Interceptor	62x Sleep call for process: Quote5000AFC.exe modified
10:05:13	API Interceptor	14x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
199.79.62.115	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Quote 40240333-REV2.exe	Get hash	malicious	AgentTesla	Browse
	PO ALJAT-5804-2024.exe	Get hash	malicious	AgentTesla	Browse
	INQ#84790.exe	Get hash	malicious	AgentTesla	Browse
	LPO24.0524.exe	Get hash	malicious	AgentTesla	Browse
	1364. 2024.exe	Get hash	malicious	AgentTesla	Browse
	Quote_220072.exe	Get hash	malicious	AgentTesla	Browse
	TT Copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	24-17745.exe	Get hash	malicious	AgentTesla	Browse
	PO# 4507573387.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.mbarieservicesltd.com	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	Quote 40240333-REV2.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	PO ALJAT-5804-2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	INQ#84790.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	LPO24.0524.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	1364. 2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Quote_220072.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	TT Copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
s-part-0035.t-0009.t-msedge.net	file.dll	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.dll	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.dll	Get hash	malicious	StormKitty	Browse	13.107.246.63
	file.dll	Get hash	malicious	RDPWrap Tool	Browse	13.107.246.63
	file.dll	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.dll	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://multikultural.az/web/v2/index.php?query=bWVubmVuQHNlbmlvcnNvbHV0aW9uc3Z0Lm9yZw==	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.dll	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.dll	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	shipping doc -GY298035826.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.251.80.30
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	199.79.63.24
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	199.79.63.24
	https://www.google.com.bn/url?snf=vpsBrmjsMjZT0YKBELze&nuu=B4grUxP5T5pV5xJiiFp0&sa=t&ndg=e2p4qPDSQqlwr77oflqr&pdbr=npO0StsDFHvGF7jwYfWY&np=slEjuRPdabbflvaXgHau&cb=IhzFYfcuqq5m2vva4DTH&url=amp%2Fbeutopiantech.com%2Fchd%2FroghgehdjtiE-SURECHDDam9lbC5kZW5vZnJpb0BoYW5lc2NvbXBhbmllcy5jb20=	Get hash	malicious	Unknown	Browse	103.211.216.144
	Quote 40240333-REV2.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	DOCS.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	Ksciarillo_Reord_Adjustment.docx	Get hash	malicious	Unknown	Browse	208.91.198.81
	Ksciarillo_Reord_Adjustment.docx	Get hash	malicious	Unknown	Browse	208.91.198.81

Process:	C:\Users\user\Desktop\Quote5000AFC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3797706053345555
Encrypted:	false
SSDEEP:	48:fWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMugeC/ZPUyus:fLHxv2IfLZ2KRH6Oug8s
MD5:	9FF3AC33DFACF1D94AB100EAED9F43DF
SHA1:	EFE2AD786E0EE6208CE0353B5E1B3BF530C37508
SHA-256:	A94507C64061985F19C9C30947B00BC871FA8754D885979B5127094AA46D794D
SHA-512:	E2166B321C3546C88698F6B781FEF640E394890E53D43C75EA3A8AED0FA934BC3C2B8DA816296C9BE04947374C1CB87B84FCEF535EED45B44AED7854E5CAD6FA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ncsqrif.sd5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0ylyocw.woh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vys4gmwa.to5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wrllasph.01l.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.870217416950456
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Quote5000AFC.exe
File size:	803'328 bytes
MD5:	bccc527001dea5e250fad96acebf5384
SHA1:	0e5bedec2bd6c58a0852b4d26fdc2fa7b572ca25
SHA256:	3420372e13d30995161a73ca1b87f59273f2e9986e6763b87527d91ed53df8ce
SHA512:	4c86fe6572e4e6f9cdaf4344d99319536a930ad0f71e26d5e9e0083f33a3a5ab6230f57d60aaf3661e7934c2ba264e17658bdde9d4ebcf6154d93a0fedc3b0eb
SSDEEP:	12288:bEe72hGuoY75cxtK+Bax/ep63FHWhOEhzctdps:bEeKGuoY7mxPwWywEi8
TLSH:	8605933E19B9622BB1B5C7A5EBE48527F07096EFF111AD64D4EB436A4302A0374C327D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....d...............0..6..........VT... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4c5456
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xEF6492E9 [Tue Apr 9 11:37:13 2097 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F0A00B985F2h
je 00007F0A00B985F2h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007F0A00B985F2h
imul eax, dword ptr [eax], 00610076h
je 00007F0A00B985F2h
outsd
add byte ptr [edx+00h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc5402	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc6000	0x644	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc409c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc347c	0xc3600	cf8256c5b922cdffaea4bfeba2e0f107	False	0.686491572696737	data	6.879196879505944	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc6000	0x644	0x800	2822824634e02b4fe8bad4736fe40b67	False	0.34130859375	data	3.4967727751670847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc8000	0xc	0x200	c637f67512869dda1bd2f13e987e7a2b	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc6090	0x3b4	data			0.41350210970464135
RT_MANIFEST	0xc6454	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-27T16:05:06.304898+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.9	49726	199.79.62.115	587	TCP
2024-11-27T16:05:06.304898+0100	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.9	49726	199.79.62.115	587	TCP
2024-11-27T16:05:06.304898+0100	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.9	49726	199.79.62.115	587	TCP
2024-11-27T16:05:21.589380+0100	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.9	49726	199.79.62.115	587	TCP
2024-11-27T16:05:21.589380+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.9	49726	199.79.62.115	587	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 16:05:17.632270098 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:05:17.752438068 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:17.752552986 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:05:19.000374079 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:19.004389048 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:05:19.130712032 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:19.398833036 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:19.399895906 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:05:19.520391941 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:19.786305904 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:19.787197113 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:05:19.907195091 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:20.334711075 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:20.334955931 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:05:20.456069946 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:20.765384912 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:20.765549898 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:05:20.886327028 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:21.202647924 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:21.202794075 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:05:21.322765112 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:21.588756084 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:21.589298010 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:05:21.589380026 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:05:21.589400053 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:05:21.589420080 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:05:21.709367990 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:21.709398985 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:21.709527969 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:21.709538937 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:22.080909967 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:05:22.131937981 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:06:55.144081116 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:06:55.264403105 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:06:55.754266024 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:06:55.754298925 CET	587	49726	199.79.62.115	192.168.2.9
Nov 27, 2024 16:06:55.754358053 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:06:55.754538059 CET	49726	587	192.168.2.9	199.79.62.115
Nov 27, 2024 16:06:55.874423027 CET	587	49726	199.79.62.115	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 16:05:15.136177063 CET	60411	53	192.168.2.9	1.1.1.1
Nov 27, 2024 16:05:16.168699026 CET	60411	53	192.168.2.9	1.1.1.1
Nov 27, 2024 16:05:17.163532019 CET	60411	53	192.168.2.9	1.1.1.1
Nov 27, 2024 16:05:17.610857964 CET	53	60411	1.1.1.1	192.168.2.9
Nov 27, 2024 16:05:17.610868931 CET	53	60411	1.1.1.1	192.168.2.9
Nov 27, 2024 16:05:17.610879898 CET	53	60411	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 27, 2024 16:05:15.136177063 CET	192.168.2.9	1.1.1.1	0xb735	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Nov 27, 2024 16:05:16.168699026 CET	192.168.2.9	1.1.1.1	0xb735	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Nov 27, 2024 16:05:17.163532019 CET	192.168.2.9	1.1.1.1	0xb735	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 27, 2024 16:05:09.324475050 CET	1.1.1.1	192.168.2.9	0x7bd1	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 27, 2024 16:05:09.324475050 CET	1.1.1.1	192.168.2.9	0x7bd1	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Nov 27, 2024 16:05:17.610857964 CET	1.1.1.1	192.168.2.9	0xb735	No error (0)	mail.mbarieservicesltd.com		199.79.62.115	A (IP address)	IN (0x0001)	false
Nov 27, 2024 16:05:17.610868931 CET	1.1.1.1	192.168.2.9	0xb735	No error (0)	mail.mbarieservicesltd.com		199.79.62.115	A (IP address)	IN (0x0001)	false
Nov 27, 2024 16:05:17.610879898 CET	1.1.1.1	192.168.2.9	0xb735	No error (0)	mail.mbarieservicesltd.com		199.79.62.115	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 27, 2024 16:05:19.000374079 CET	587	49726	199.79.62.115	192.168.2.9	220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 27 Nov 2024 20:35:18 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 27, 2024 16:05:19.004389048 CET	49726	587	192.168.2.9	199.79.62.115	EHLO 651689
Nov 27, 2024 16:05:19.398833036 CET	587	49726	199.79.62.115	192.168.2.9	250-md-54.webhostbox.net Hello 651689 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 27, 2024 16:05:19.399895906 CET	49726	587	192.168.2.9	199.79.62.115	AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
Nov 27, 2024 16:05:19.786305904 CET	587	49726	199.79.62.115	192.168.2.9	334 UGFzc3dvcmQ6
Nov 27, 2024 16:05:20.334711075 CET	587	49726	199.79.62.115	192.168.2.9	235 Authentication succeeded
Nov 27, 2024 16:05:20.334955931 CET	49726	587	192.168.2.9	199.79.62.115	MAIL FROM:<saless@mbarieservicesltd.com>
Nov 27, 2024 16:05:20.765384912 CET	587	49726	199.79.62.115	192.168.2.9	250 OK
Nov 27, 2024 16:05:20.765549898 CET	49726	587	192.168.2.9	199.79.62.115	RCPT TO:<iinfo@mbarieservicesltd.com>
Nov 27, 2024 16:05:21.202647924 CET	587	49726	199.79.62.115	192.168.2.9	250 Accepted
Nov 27, 2024 16:05:21.202794075 CET	49726	587	192.168.2.9	199.79.62.115	DATA
Nov 27, 2024 16:05:21.588756084 CET	587	49726	199.79.62.115	192.168.2.9	354 Enter message, ending with "." on a line by itself
Nov 27, 2024 16:05:21.589420080 CET	49726	587	192.168.2.9	199.79.62.115	.
Nov 27, 2024 16:05:22.080909967 CET	587	49726	199.79.62.115	192.168.2.9	250 OK id=1tGJbV-003PRx-1B
Nov 27, 2024 16:06:55.144081116 CET	49726	587	192.168.2.9	199.79.62.115	QUIT
Nov 27, 2024 16:06:55.754266024 CET	587	49726	199.79.62.115	192.168.2.9	221 md-54.webhostbox.net closing connection

Target ID:	0
Start time:	10:05:10
Start date:	27/11/2024
Path:	C:\Users\user\Desktop\Quote5000AFC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quote5000AFC.exe"
Imagebase:	0xf60000
File size:	803'328 bytes
MD5 hash:	BCCC527001DEA5E250FAD96ACEBF5384
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1365517349.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1354643484.0000000004423000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1354643484.0000000004423000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:05:11
Start date:	27/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote5000AFC.exe"
Imagebase:	0x8c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:05:11
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:05:11
Start date:	27/11/2024
Path:	C:\Users\user\Desktop\Quote5000AFC.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Quote5000AFC.exe"
Imagebase:	0x150000
File size:	803'328 bytes
MD5 hash:	BCCC527001DEA5E250FAD96ACEBF5384
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:05:11
Start date:	27/11/2024
Path:	C:\Users\user\Desktop\Quote5000AFC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quote5000AFC.exe"
Imagebase:	0x640000
File size:	803'328 bytes
MD5 hash:	BCCC527001DEA5E250FAD96ACEBF5384
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2575203974.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.2573458565.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2575203974.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2575203974.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	10:05:15
Start date:	27/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff72d8c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	47
Total number of Limit Nodes:	2

Executed Functions

Function 07B20040 Relevance: 2.3, Strings: 1, Instructions: 1022
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<ov!, xrefs: 07B2043C

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID:
String ID: <ov!
API String ID: 0-3980319286
Opcode ID: 898ccabce11387dfb66f1ce9ee096b23d96e8162e968dc1a302bde4113341321
Instruction ID: a80f611dda94649bb984697c54fb875bd78a36ba2e91581a4a39d12cf3588487
Opcode Fuzzy Hash: 898ccabce11387dfb66f1ce9ee096b23d96e8162e968dc1a302bde4113341321
Instruction Fuzzy Hash: A9B2C174A01229CFDB64DF69C984AD9BBB2FF89300F1581E9D50DAB265DB319E81CF40

Function 07B24000 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8050ac5eb9434fb385cf628dc6c9d674508d2279cff02828d113ed95d7415c0
Instruction ID: 54e218beb21fc8fc3a4ca96357dec9b1295952626127ddafa131b0edd1113fb7
Opcode Fuzzy Hash: f8050ac5eb9434fb385cf628dc6c9d674508d2279cff02828d113ed95d7415c0
Instruction Fuzzy Hash: E07114B0D16229CFEB14CFA9C5446EEBBB6FB8A300F20906AD41EA7651D7345D82DF40

Function 05DAF3B0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b66be2e792db355e95fa6bdc2efce43b24672125127c138b88a889be6e167e
Instruction ID: b638e6a5a4ff17a30c83250328fe0fc6730c49852cffb0bd7dc76cb68ed458d4
Opcode Fuzzy Hash: 62b66be2e792db355e95fa6bdc2efce43b24672125127c138b88a889be6e167e
Instruction Fuzzy Hash: 1F611D75A1020ACFD748DF6AE8416AABBF7FB88304F14D56AD0049B365DF74A805CF91

Function 05DAF3C0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e6625b3243edb8c934e74f156c7cdc6be37636b8f7ee8b7835a1f8975215ba
Instruction ID: 0de510b2f2809d92d0f9676fdd845625ecbcc9128e98963ddc56578a8c022967
Opcode Fuzzy Hash: d2e6625b3243edb8c934e74f156c7cdc6be37636b8f7ee8b7835a1f8975215ba
Instruction Fuzzy Hash: F061FAB4A1020ACFD748DF6AE8456AABBF7FB88304F14D569D104AB364EF74A805CF51

Function 057A4210 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358243674.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7113f06274533501f8b63cd339d8d48640fff2b7b97fdc23f951c7bfa428b505
Instruction ID: f665fe9d86921d52ed4ce21c08d17ad10fd56cff4baae48efb97b2735c59e85f
Opcode Fuzzy Hash: 7113f06274533501f8b63cd339d8d48640fff2b7b97fdc23f951c7bfa428b505
Instruction Fuzzy Hash: 9251A371E012189FDB09DFA9D894AEEBBB2FF8C300F148529D419BB264DB359941DF50

Function 057A6F93 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358243674.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea1e4bc5c864a6b5f5d657648b8a1a158a67fd4581603a39fded9f888e1161c
Instruction ID: e547f92029308063e76ee08c10acddec8551c94cb550c0b5dccf679b8f645f8a
Opcode Fuzzy Hash: eea1e4bc5c864a6b5f5d657648b8a1a158a67fd4581603a39fded9f888e1161c
Instruction Fuzzy Hash: 6651B271E012089FDB09DFA9D894AEEBBF2FF88300F248529D419AB264DB359941DF50

Function 07B285D8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98012ec6c653e941120513bd0186c6f46f92d65f030ebdad4953f5bd2655415e
Instruction ID: fe8834187da0fb167b6d1f71e0ef0e698d4fef32c4622f96ad5cb9a63f9068cc
Opcode Fuzzy Hash: 98012ec6c653e941120513bd0186c6f46f92d65f030ebdad4953f5bd2655415e
Instruction Fuzzy Hash: 67411CB4D06218CFEB08DFA6C4446EEBBF6AF8A300F10906AD419AB364DB745946DF50

Function 07B2EB98 Relevance: 3.1, APIs: 2, Instructions: 97
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 07B2EB52
Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B2EC1E

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID: Thread$ContextResumeWow64
String ID:
API String ID: 1826235168-0
Opcode ID: f9b94523a4e02560160fe9e9d237dc4184b33a5b50081341e5fe374f52aa1a15
Instruction ID: 2e11afb4f3ec621b2e7f27bf3a5e3390249a274e02ac3572d4a9f7b329ba6a35
Opcode Fuzzy Hash: f9b94523a4e02560160fe9e9d237dc4184b33a5b50081341e5fe374f52aa1a15
Instruction Fuzzy Hash: AB31B0B2904359CFEB10DFAAC4887DEFBF0EF48210F14846ED559A7241C7799545CBA1

Function 07B2F3EE Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07B2F62E

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 68729d6e59f0c6c2c51244c7690002550d9f08635045ccf17c98519765b2750d
Instruction ID: f779f6cfd44590e581c83a60e9144b2db658037bc6f971276bb8668557dcd7da
Opcode Fuzzy Hash: 68729d6e59f0c6c2c51244c7690002550d9f08635045ccf17c98519765b2750d
Instruction Fuzzy Hash: 3CA14CB1D01229DFEB10CF68C840BEEBBB2EF48314F1485A9D809A7250D7749986DF91

Function 07B2F3F8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07B2F62E

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3e1f840ece33304a6a5a9c4da1335e06a17b2e574509242a86caa5e1995c2eb0
Instruction ID: 4588e16f0e03a19787e92e242ea8a4df8671d7798030e0061f39539c68062204
Opcode Fuzzy Hash: 3e1f840ece33304a6a5a9c4da1335e06a17b2e574509242a86caa5e1995c2eb0
Instruction Fuzzy Hash: 12914BB1D01329DFEB14CF68C840BEEBBB2EF48314F1485A9D819A7250DB749986DF91

Function 057AAEB7 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1358243674.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e563a91f8cb0c8748e7cf8366fdf6883723db3c77b6c98f0a117d49d8e61ebe
Instruction ID: fa14d48bb680facbf5cf9ef5a91b2800bd9939223983d8812229bd21c16eaf2a
Opcode Fuzzy Hash: 5e563a91f8cb0c8748e7cf8366fdf6883723db3c77b6c98f0a117d49d8e61ebe
Instruction Fuzzy Hash: 678137B1A00B058FD728DF69D54576ABBF1FF88300F008A2DE48AD7A40E775E859DB91

Function 057A44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 057A59C9

Memory Dump Source

Source File: 00000000.00000002.1358243674.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_Quote5000AFC.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b4a1095bd03f426891a3db2a8e9d047bbb04d2e03c42dbf33eec425e90ae4178
Instruction ID: cfe7cd61af7ffd2ebe1c8caad93a257e06f29432b23dee0eb5968085ae447aec
Opcode Fuzzy Hash: b4a1095bd03f426891a3db2a8e9d047bbb04d2e03c42dbf33eec425e90ae4178
Instruction Fuzzy Hash: 5A41CEB1D0071DCBDB24CFAAC884B9EBBF5BF89704F20816AD408AB255DB756945CF90

Function 057A590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 057A59C9

Memory Dump Source

Source File: 00000000.00000002.1358243674.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_Quote5000AFC.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 07fca8f42830b3c7b9de4e23bc4a8f9c0831cd21442afcfa356481d4ac26bf7c
Instruction ID: 2af74db554608d54fca9edf823403ac971266631936772256cd643f4f70334c2
Opcode Fuzzy Hash: 07fca8f42830b3c7b9de4e23bc4a8f9c0831cd21442afcfa356481d4ac26bf7c
Instruction Fuzzy Hash: E641CEB5D00719CBDB24CFAAC88478EBBF1BF89704F20816AD808AB255DB756945CF50

Function 07B2F168 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B2F200

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6582b95104d7ffe429171fd5545840c384d2282f78962ab727f9a3d254112c98
Instruction ID: b42d12e7af1c4b80e280db742eec5139d65f9ae5e68969ed15b9b398a00fb878
Opcode Fuzzy Hash: 6582b95104d7ffe429171fd5545840c384d2282f78962ab727f9a3d254112c98
Instruction Fuzzy Hash: EC2148B6900359DFDB10CFAAC8817EEBBF5FF48310F10842AE958A7240C7789545DBA5

Function 07B2F170 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B2F200

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f8e8a3683f5dc9b0c0d2d612567309b978d0f43b94abebd7c54dfb17e8404426
Instruction ID: 46b46da71b88d1e47d52a319a9315a7bff3c8804aeb47b97f33cbfaabf0d7e76
Opcode Fuzzy Hash: f8e8a3683f5dc9b0c0d2d612567309b978d0f43b94abebd7c54dfb17e8404426
Instruction Fuzzy Hash: B8213BB6900359DFDB10CFAAD8857EEBBF5FF48310F14842AE958A7240D7789544CBA0

Function 07B2F258 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B2F2E0

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: bf79061baec761f6ca0c0419c156f0e0a3b21dbd5865f1f4150566cb974ee92c
Instruction ID: 86d94bb0ea5052cf9156af23e8eeecb8f012dacc2ada6c9b4b8d3ba613001d70
Opcode Fuzzy Hash: bf79061baec761f6ca0c0419c156f0e0a3b21dbd5865f1f4150566cb974ee92c
Instruction Fuzzy Hash: 862136B5800359DFDB10CFAAC880BEEBBF5FF48310F14842AE958A7240C7799941CBA0

Function 057ABC40 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,057AD776,?,?,?,?,?), ref: 057AD837

Memory Dump Source

Source File: 00000000.00000002.1358243674.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_Quote5000AFC.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 649ae8b28e2fdb7e361c46d3f91171ca4650061d6bd7171c7d5cbb2c57711053
Instruction ID: 585e254b941fe5e761f6b82ff632ed1af58846cb327ee02f752c009ae609fdf7
Opcode Fuzzy Hash: 649ae8b28e2fdb7e361c46d3f91171ca4650061d6bd7171c7d5cbb2c57711053
Instruction Fuzzy Hash: 7D21E4B5900249EFDB10CF9AD584AEEBBF4FB48310F14842AE918A3350D374A954CFA4

Function 07B2F260 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B2F2E0

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c5b873568aea81500b88ddd0c9a0f7ae6242074f11022d77884bd9c1e72dc26f
Instruction ID: 5b8e0f3b715d76fea2230e5c2965c8ac972785bb2cd79e2cc8fb196500330663
Opcode Fuzzy Hash: c5b873568aea81500b88ddd0c9a0f7ae6242074f11022d77884bd9c1e72dc26f
Instruction Fuzzy Hash: 542116B58003599FDB10CFAAD880BEEBBF5FF48310F14842AE559A7240D7799545CBA0

Function 07B2EBA0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B2EC1E

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1ebb784bf0bee758dab40aaa0392a00b1ea9c82f505ddf27b5d3c8d08d9619d7
Instruction ID: d3709ff0e7befb284fae41ddbd3e70243169c3b07ee5650ebf3a9ad57680e73e
Opcode Fuzzy Hash: 1ebb784bf0bee758dab40aaa0392a00b1ea9c82f505ddf27b5d3c8d08d9619d7
Instruction Fuzzy Hash: 8B2129B1900319CFDB10DFAAC4857EEBBF4EF48214F14842AD559A7240D778A945CFA1

Function 07B2F0A8 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B2F11E

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1a8e8e8049e21c8a8557e7b6c79f83ddcd8ae4c788ea8bf869521c475bbd1b76
Instruction ID: c6a89a057499df78d00722b61670af405919f56aef939829015082ad622b2318
Opcode Fuzzy Hash: 1a8e8e8049e21c8a8557e7b6c79f83ddcd8ae4c788ea8bf869521c475bbd1b76
Instruction Fuzzy Hash: FB1144B6900259DFDB10CFAAD844BEEBBF1EF48310F14881AE559A7250C775A944CFA1

Function 07B2EAE8 Relevance: 1.6, APIs: 1, Instructions: 54
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 07B2EB52

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 39f7fe214a96efc110f3c37e8a8aef6583cdee92f239283d7d1402f2db929968
Instruction ID: f30fdfadef1f8d8bff15bbb1d90130f2d6d38eedf0d7fbc7fea5ff40045e5488
Opcode Fuzzy Hash: 39f7fe214a96efc110f3c37e8a8aef6583cdee92f239283d7d1402f2db929968
Instruction Fuzzy Hash: 271158B1900349CFDB10DFAAD4897EFFBF4EB48220F24842AD519A7340C779A945CB95

Function 07B2F0B0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B2F11E

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 30d17f8d7b1b319e782144e1643b73d240959b767615692b9bdecd4840dbe88c
Instruction ID: f6ad71d215c145f9bc4a9299f0657006e263d8089ef42a303f54be876dd3e208
Opcode Fuzzy Hash: 30d17f8d7b1b319e782144e1643b73d240959b767615692b9bdecd4840dbe88c
Instruction Fuzzy Hash: 051156B2900209DFDB10CFAAD844BEEBBF5EF48310F14841AE519A7250C775A540CBA0

Function 07B2EAF0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07B2EB52

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 13681789397a2e6f711f2b4f040aec29f2df5ac2427934d03d429657092cd679
Instruction ID: ed43be9c2dd81c9f0a66156fc3164c10e5f80114ef91c1eba3fc2deec3dc811b
Opcode Fuzzy Hash: 13681789397a2e6f711f2b4f040aec29f2df5ac2427934d03d429657092cd679
Instruction Fuzzy Hash: 271128B19003498BDB10DFAAD4897DEFBF4EB48210F14841AD519A7240C779A544CB95

Function 057AB0B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 057AB11E

Memory Dump Source

Source File: 00000000.00000002.1358243674.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_Quote5000AFC.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3e279d1a04be393ca82e1383cb0ed42194e896b4b309ec28dbfc4236cf7cfc69
Instruction ID: d4753b6dc35498a9bbcf667056a1d6f8d214143898be84412318d787db544383
Opcode Fuzzy Hash: 3e279d1a04be393ca82e1383cb0ed42194e896b4b309ec28dbfc4236cf7cfc69
Instruction Fuzzy Hash: B611EDB6C00649CFDB14CF9AD844BDEFBF4AB88224F10852AD829A7610D379A545CFA1

Function 05DACA31 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e49b7a3133c6c212549cb43f6987433d1deadb7b4b79d3da0e1d518fc6c9f3
Instruction ID: 18a559fee3d329bd0523c95dd23007fa506b43f2a73788647abfa36930cb174a
Opcode Fuzzy Hash: b5e49b7a3133c6c212549cb43f6987433d1deadb7b4b79d3da0e1d518fc6c9f3
Instruction Fuzzy Hash: 20420431D14619CFCF15EFA8C8456EDBBB1BF49300F1182AAD5497B264EB309A98CF81

Function 05DACA40 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e15bf8af91492e17ef8c1c8a46e7332cc3cbd4930aeb8972c4919126472d30a
Instruction ID: 5a5b75025f721fdca51407027dec12ad33b8c588ff525c550b4dae60f1c018bd
Opcode Fuzzy Hash: 7e15bf8af91492e17ef8c1c8a46e7332cc3cbd4930aeb8972c4919126472d30a
Instruction Fuzzy Hash: 3542F431D10619CFCF15EFA8C8456EDBBB1BF49300F1186AAD5497B264EB309A99CF81

Function 05DA9EA4 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d827e220027fccc1d6e0628a615aa0960da97b3524ec31b6b841d98ca3a72b08
Instruction ID: 0a1d25eafada75969e1c3d0b41d478af6795e429959e962a1ba89f1b14e39706
Opcode Fuzzy Hash: d827e220027fccc1d6e0628a615aa0960da97b3524ec31b6b841d98ca3a72b08
Instruction Fuzzy Hash: CCB19A72A05309DFEB21DFA5C8586AEFBB2FF88300F20456BD50AA7241DB319956CF51

Function 05DAC450 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2802df4b87850e20af6e6ef734f383383ea83a5da0be65d47b3311de9ffca99c
Instruction ID: 08ed473a60be5af0d538dfc561b72ac8efdf7847bb2e108ddb89f6a91fff6f65
Opcode Fuzzy Hash: 2802df4b87850e20af6e6ef734f383383ea83a5da0be65d47b3311de9ffca99c
Instruction Fuzzy Hash: 35919032A14209DFCB11DF68D8486AEBBB1FF45310F144566F446AB2B4EB30DD55CB81

Function 05DA81D0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6f1bf90667b1eb08978ddd7f173dc9c3697532d120e927733dbeeb621ec64a
Instruction ID: ee4d855d34cfcbf4c012b24f4b66f3dc95e778dc62b45fa2e68fc76eed9e44c7
Opcode Fuzzy Hash: 3c6f1bf90667b1eb08978ddd7f173dc9c3697532d120e927733dbeeb621ec64a
Instruction Fuzzy Hash: 5F818731A10609DFCB04EFA4D8589EDBBB5FF89300F158569E902AB364DB70E945DF90

Function 05DA6BB9 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59fb9f5d6443465be2d22a0c299e16adab918beff1a04326143c5cb682aaca5
Instruction ID: 30d5e7690e3d93c28145c047c7abb99dbe5a27be195ca29b88f6390b8d22d3c8
Opcode Fuzzy Hash: c59fb9f5d6443465be2d22a0c299e16adab918beff1a04326143c5cb682aaca5
Instruction Fuzzy Hash: A0714B76E10219CFDF05DFA8D8849AEBBB2FF88314F14426AD905AB355E730E951CB90

Function 05DA7788 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3208f58019f2e8481351e9f0381b8d0d6b291c06ba8220f0b1478af61b61da
Instruction ID: 5d642ec5c0b81ba35add8a1a2da5a84ef9186b2b507dee4d1b90488d1a601d23
Opcode Fuzzy Hash: cb3208f58019f2e8481351e9f0381b8d0d6b291c06ba8220f0b1478af61b61da
Instruction Fuzzy Hash: FA419031708700CBE71AAB78842872B63EBEFC5140B54486ED95ADB7C4EF28DC46C766

Function 05DAF2A4 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4727187ab641220d807be5b96bc8ddaadbeaedc047d8ee0f4fdfa277753c7f0c
Instruction ID: 9538a07165db8df9b75a8e51241f07767ff81a220190fde793751b06dbf46f2f
Opcode Fuzzy Hash: 4727187ab641220d807be5b96bc8ddaadbeaedc047d8ee0f4fdfa277753c7f0c
Instruction Fuzzy Hash: D9414B79A0220ACFCB00DFA8D5849BEBBF6FF49300F1094AAE845A7354DB359E45CB54

Function 05DAC710 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6959a00a4c7690078282476ad6942110b4bca1b8413b9a6344f3c1622570f93
Instruction ID: 899358748a3c4bf5238b7c86e7085c4e1b9cfc360b764694958fe219ccf611e5
Opcode Fuzzy Hash: d6959a00a4c7690078282476ad6942110b4bca1b8413b9a6344f3c1622570f93
Instruction Fuzzy Hash: 00419472E2821ADFDB02EB74CD586EB7BB2BB45220F104567E482A7275E734CD11CB91

Function 05DAADF1 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7598fad62d93939247906f1db786beb23eba7ab835039826ad78a2e7009af314
Instruction ID: dded99c8caa3e7e7bd5d9eb0e19439a1cf4821782069e66b8029f05b8d23746e
Opcode Fuzzy Hash: 7598fad62d93939247906f1db786beb23eba7ab835039826ad78a2e7009af314
Instruction Fuzzy Hash: 2D411F32B012059FDB14DF68D854A9DBBF6EF89310F14826AE441BB3A1EB71DD41CB50

Function 05DABA80 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53795fa45bc256a95e0cb3aec61a879bd46b7cb860f8f57112925ed7c228b0ff
Instruction ID: 33f04e2b1783a2af6a4c46d5d9821be3f04c8a0ae090195c67eec38425c8dec6
Opcode Fuzzy Hash: 53795fa45bc256a95e0cb3aec61a879bd46b7cb860f8f57112925ed7c228b0ff
Instruction Fuzzy Hash: 4B417172F2411ADBDB02EB74CD586AB7BF2BB45360F504427F442A62A4EB74CD118A91

Function 05DA9E54 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe293c22b2e564952c7bd225fca0b09279a9e963278ffc4e24fce8cc507b6f35
Instruction ID: 893f68f42a0b0606eac06a14233cf8dd91c92758ecdabd3795a8a30cbaf8a307
Opcode Fuzzy Hash: fe293c22b2e564952c7bd225fca0b09279a9e963278ffc4e24fce8cc507b6f35
Instruction Fuzzy Hash: 8B411C31B012059FDB14DFA8D854AAEB7F6EF89310F14866AE401AB3A1EB71DD41CB50

Function 05DAB1E1 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cabc7b5c9d0a0e7348421f09e251249843c952bfddfb91a8c2f2246cb52b045
Instruction ID: e3d855fe92c1d94fc7e9c0252a45d4378c05f4dd6a4d186286679b3de9da86af
Opcode Fuzzy Hash: 8cabc7b5c9d0a0e7348421f09e251249843c952bfddfb91a8c2f2246cb52b045
Instruction Fuzzy Hash: 36413372A05218DBEB119FA5D9989AEFFB2FF48300F21815AD4017B256CB3199A1CF80

Function 05DA7E9A Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc99033f008ae6e86f4f9ab9df862a8a9b080bdeb388fa1fb71a31b844960308
Instruction ID: 3028d0c98cc269a2aab4f0d8ecd381ec8a9764330d4d60c315f8a1a372934f8d
Opcode Fuzzy Hash: cc99033f008ae6e86f4f9ab9df862a8a9b080bdeb388fa1fb71a31b844960308
Instruction Fuzzy Hash: 8C414431A10609DFCF04EF68D9549DDBBB1FF49311F10861AE84177150EB30A799DB91

Function 05DA65A8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634c31a25433299abe83d980a75bfc62143b79c3992b1af4879a0bc8798fbc8d
Instruction ID: e616cff0d6f35ca3efe31f1c72a1edfdc740308f2dea88fe51e08cf5ce14b54b
Opcode Fuzzy Hash: 634c31a25433299abe83d980a75bfc62143b79c3992b1af4879a0bc8798fbc8d
Instruction Fuzzy Hash: 1F312873B142408FDB118B74C8959BE7FE6EFC1210B1C81AAE546C72A5C734E941CB62

Function 05DA7760 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d877baa1350ab4bd04d7a59d87607114cc5be46bde39e04c01f4f3b7ea12df5b
Instruction ID: eec1be594cc33669e7dc591f717b99265d6c90d064a8c0031cd0d43d0b33c729
Opcode Fuzzy Hash: d877baa1350ab4bd04d7a59d87607114cc5be46bde39e04c01f4f3b7ea12df5b
Instruction Fuzzy Hash: A621A1327093408BD326AB71985497777B7EFC610474948AFCA52CB692EB34EC0AC762

Function 05DABA90 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c024336b272feea523dc75b94f7cefaef699f1797892f5688b0eb50f30c700
Instruction ID: edbb165dc68f43e890770991b2deec05860631b08d924b3bb5725cd244283d4c
Opcode Fuzzy Hash: 68c024336b272feea523dc75b94f7cefaef699f1797892f5688b0eb50f30c700
Instruction Fuzzy Hash: 872171767102448FCB10EF79D844A6AB7F6FF89601B5441AAE505DB721EB70DC04CB51

Function 05DA9E84 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5006cb8cd996b076014c60abe65f9bd2a1bd8d5c68aa3103842b129985d8e797
Instruction ID: d8b040a4f3d1ab50fb5e9e21d0e36b121b02c98d077ee3513eab80481fcfaa4a
Opcode Fuzzy Hash: 5006cb8cd996b076014c60abe65f9bd2a1bd8d5c68aa3103842b129985d8e797
Instruction Fuzzy Hash: 6C21D332F06616DBEB11BF68C8881AFBB72FF41200F50496BC086A7244FB31D9568BD1

Function 05DADCC0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f1e3f9becba96f55fc8e5af3e0d0f3a0332235c71fd600ed81d7208eceee7f
Instruction ID: ad6c150438f576904de9f730be8d778038b0c125aad31e74689185a4b6ff2bf9
Opcode Fuzzy Hash: 86f1e3f9becba96f55fc8e5af3e0d0f3a0332235c71fd600ed81d7208eceee7f
Instruction Fuzzy Hash: B231DD767102448FCB00EF79D848AAABBF6FF46601B1441ABE505DB771EB30D900CBA1

Function 05DA65E0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d695bfdfc3e7d5e9bf6a9122a3eebdf142bd65591b134da86e6fef5d4c71d3
Instruction ID: 5b43aa07f544bad1f371f424902060e0183ea1eac952bbb70dd31aef4054563a
Opcode Fuzzy Hash: f1d695bfdfc3e7d5e9bf6a9122a3eebdf142bd65591b134da86e6fef5d4c71d3
Instruction Fuzzy Hash: CF21D437B106108FEB248A65C89197F7BEAFBC4215F2C816AE54793754DB34E980CB61

Function 05DAF64A Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ac842b84e590b2b6d2d3d88033efe69eec32133c2b3786e90096f9b6826e15
Instruction ID: 3eb272577ae1ed709ffe864c04d6ff1d5e9806182dd55f7d63a7c064ab2af9ce
Opcode Fuzzy Hash: 99ac842b84e590b2b6d2d3d88033efe69eec32133c2b3786e90096f9b6826e15
Instruction Fuzzy Hash: EC216D7990520ADFCB01DFA0D8459EEBBB6FB86311F1080A6D409A3760DB355E41CFA5

Function 05DAE970 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30785d6f1d1d0ab72db265aef6ea2b15b9f69e4b8f8f4be6ae2d4fabe795365d
Instruction ID: a9e4c72f270fa22f1438b27d766341b67b1e7dc184eb6e27a7526caf6b9cddec
Opcode Fuzzy Hash: 30785d6f1d1d0ab72db265aef6ea2b15b9f69e4b8f8f4be6ae2d4fabe795365d
Instruction Fuzzy Hash: 1D213036F10619CFCF51EBA9C4446AEB7F5FF88310F04466AE419E7250EB709945CB91

Function 0170D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344178957.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170d000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af2b3677c5349d6e36659dcd223c4407a95dfcb94042b09bed309d41a805748b
Instruction ID: bbba1f2a60f2d92dd076f1cafe1914db4eeda819085b6cf6fe893b5edc5e2f13
Opcode Fuzzy Hash: af2b3677c5349d6e36659dcd223c4407a95dfcb94042b09bed309d41a805748b
Instruction Fuzzy Hash: 922106B1500344DFDB26DFD4D9C0B66FBA5FB84324F24C1A9ED094B296C336E456CAA2

Function 0192D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344334465.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_192d000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7529d148f1d092064fd681aff891703877a264e4c05ae038333b521e795faf
Instruction ID: 0a7b894f433477bbc5280b7c970703c301867af855937538c905b3e366adc725
Opcode Fuzzy Hash: 2b7529d148f1d092064fd681aff891703877a264e4c05ae038333b521e795faf
Instruction Fuzzy Hash: F721D3715042449FEB05DF94D5C0F25BBA5FB85324F24C96DD80D4B29AC736D446CAA1

Function 0192D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344334465.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_192d000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2caed0dc8c15310385bc42b0f6c73990248979ae4c5f3ca46d4e2e2cf33161
Instruction ID: 564db0d6311b303d83997e2b9e249e18b26d73d96ad1aea354c131b861d07ea5
Opcode Fuzzy Hash: bf2caed0dc8c15310385bc42b0f6c73990248979ae4c5f3ca46d4e2e2cf33161
Instruction Fuzzy Hash: A8210071644340DFDB15DF94D8C0B26BBA5EB84214F24C969D80E4B2AAC33AD807CAA2

Function 05DAE388 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54922d88d3f01e1914939ae2d6756f80d82bffabfb7e7637655f2c800e025242
Instruction ID: e1f656641a67bbf6bce2ec20072ff3ba08733758ac18e7048397fe5682fba433
Opcode Fuzzy Hash: 54922d88d3f01e1914939ae2d6756f80d82bffabfb7e7637655f2c800e025242
Instruction Fuzzy Hash: B8210175B1020A8FCF04DF69C8848AFB7B9FF89300B118569E905A7315EB74E945CBA1

Function 05DAE378 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3de6afde6ebf83b62e2a3964a04fd17ceb80df9c7e92bde22e9e6f80836f0c
Instruction ID: d01477c02f09c4272a327233ffcc3d14a91b0b36154d22c398c987a5d08c0c0e
Opcode Fuzzy Hash: 1f3de6afde6ebf83b62e2a3964a04fd17ceb80df9c7e92bde22e9e6f80836f0c
Instruction Fuzzy Hash: 76213076B142058FCF04DF79C8848AEBBB9FF89300714856AE906E7255EB34E945CBA1

Function 05DADDD2 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d800f31c7f24b1076ef5988ddc904d6cb0a81f1c5b7403adfc30ddde28e4c5d
Instruction ID: c50d31cfbc879a0972a60874ddad316d14836384aa16e35230940708895e2393
Opcode Fuzzy Hash: 7d800f31c7f24b1076ef5988ddc904d6cb0a81f1c5b7403adfc30ddde28e4c5d
Instruction Fuzzy Hash: 20219232910708CBCB11FFA4C9586EEB7B2FF49300F00862ED44677654EB34A944DB91

Function 05DAF698 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ff6affd64a8cb5c9cffa6ff8cefa0db7dfd3eeb9e5d6a424b1f855e570eac4
Instruction ID: 50f6d7b981aacfba7fd318a571d9b24943b7775d35561a457c14f51469c4d71c
Opcode Fuzzy Hash: d2ff6affd64a8cb5c9cffa6ff8cefa0db7dfd3eeb9e5d6a424b1f855e570eac4
Instruction Fuzzy Hash: 34215BB9D0520A8FCB01DFB4D8496AFBFB2EF8A311F1441AAD405B3351E7754A41CBA5

Function 05DA9E74 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306ffa7c2e8a8307638c6bb1f6331f51431681f8c41d6b5d0bfed75af5a48aec
Instruction ID: 25a63aafcca280eb72e1782b90bfbb9f000c3bca0e80ecb43957bd01e5498f52
Opcode Fuzzy Hash: 306ffa7c2e8a8307638c6bb1f6331f51431681f8c41d6b5d0bfed75af5a48aec
Instruction Fuzzy Hash: EB11B272F0510AEBDB116AA5D9441EF7FB1EB82301F604CA7C099B2184E631C9658B99

Function 05DAFA81 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a259d4a8f346bd1a79d85341f6cf671fb61ae2e57b3e31f2812ab42340b530
Instruction ID: d6f50e62a52ab6dd2fbfa4951ca06fecce3e1365a5d53e06b443ef072151c780
Opcode Fuzzy Hash: 90a259d4a8f346bd1a79d85341f6cf671fb61ae2e57b3e31f2812ab42340b530
Instruction Fuzzy Hash: 121122BA80D38A8FCB42CBB0D8506EEBFB5AF46210F0840D7D899DB253D2348941DB91

Function 0192D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344334465.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_192d000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970d0b5c9ff8b0ad209b30bfd99ed6cedcc99fe8a90520ccb0aee250c5cc134f
Instruction ID: 702c595632a65193bf493ddb62c2b175232e2a12c1a9d87647f3954a86fd98d6
Opcode Fuzzy Hash: 970d0b5c9ff8b0ad209b30bfd99ed6cedcc99fe8a90520ccb0aee250c5cc134f
Instruction Fuzzy Hash: 8821A1755493808FCB13CF64D990715BFB1EB46214F28C5EAD8498F6A7C33AD80ACB62

Function 05DAAF79 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd7fa2149af7ace954c2e8564112e3f20c98bf03df0c9b7e37e405663ff9593
Instruction ID: 9378dd5bd760e2b35ce7262790d824f68f1bc703e58a3483627998f74c8b75b1
Opcode Fuzzy Hash: ffd7fa2149af7ace954c2e8564112e3f20c98bf03df0c9b7e37e405663ff9593
Instruction Fuzzy Hash: 7B0171323096504FC31AAB2E985889EBBAAEFCA65035901EBE405CF373C965CC01C7A1

Function 05DA6B29 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f6a239bb2b2168cd811f1488e626e10360398ec710c2cae7f9c5bb107c1db2
Instruction ID: d40d72a0849bc85255d207981d54facb6e2c60a0f3ecc867d1faa8252795e8b1
Opcode Fuzzy Hash: a4f6a239bb2b2168cd811f1488e626e10360398ec710c2cae7f9c5bb107c1db2
Instruction Fuzzy Hash: C211C9B5E0021A8FCB45CFADD8449EEBFF1FF88210B10816AE918E7315E7309911CBA1

Function 0170D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344178957.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170d000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: ee4a47888395ce5745855c8cd36101c3c1d4d2c509a8fda4689f5017d8c48374
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: CB11CD72404340CFCB12CF84D5C0B56FFA2FB84224F2482A9EC090A696C33AE456CBA1

Function 05DAF6A8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3252e215a424d744eed7160413d557e46c115de3568b47899bed44cafb5755f3
Instruction ID: 0ca4f411f5884c2eb30c3628bfed00e1dbf94e2ca15339b5adfac45f1980af4c
Opcode Fuzzy Hash: 3252e215a424d744eed7160413d557e46c115de3568b47899bed44cafb5755f3
Instruction Fuzzy Hash: 2411FBBDD0420ADFCB04DFA4D5456AEBBB2FB8A301F20916AC40AB3350EB755A41CF95

Function 05DAFAE0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a17cd6e104a66baed150d1efd15fa3e2f3d2e295d8348f19e7d7d1e41132a5
Instruction ID: f387989de5d2e6280ba01f15a2f621d2fbe065cc741cba990f07d5cc7199d9f0
Opcode Fuzzy Hash: b0a17cd6e104a66baed150d1efd15fa3e2f3d2e295d8348f19e7d7d1e41132a5
Instruction Fuzzy Hash: 781128B8D0824ACFCB00DFB9C8556AEBFF6AF49201F1481AAC859E3311D7358A41CF91

Function 05DAB047 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcac11422e74ed7dca41d956ded83a25c2080db04deb617543293bd4e3ee4ef6
Instruction ID: e001a14566995e5eac6bb2ec19a247eb8bbf243183c8f07f7538a716058a26e0
Opcode Fuzzy Hash: fcac11422e74ed7dca41d956ded83a25c2080db04deb617543293bd4e3ee4ef6
Instruction Fuzzy Hash: C4012473F092096FE7126A65DC141EA7FA1DB83280B140967C0A9EB281E130CA4A4BD8

Function 0192D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344334465.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_192d000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: 0c3568436eefc86f709c5103e5bfb7d21a068a95e2654fc2e707b42f7628359c
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: 7611BB75504280DFDB02CF54C5C0B15BBA1FB85224F28C6AAD8494B69AC33AD44ACBA1

Function 05DA6B38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 514eb931da06a291d9e81785ce054efecedc54f136610e2bb0106d8ec316691b
Instruction ID: 2c6c362c9173838d14987fdfd5c064c35acfcedf974d45600b11e3eddc41efbd
Opcode Fuzzy Hash: 514eb931da06a291d9e81785ce054efecedc54f136610e2bb0106d8ec316691b
Instruction Fuzzy Hash: 62119BB5E0051A9F8B44DFADC9449AEFBF5FF8C310B10816AE919E7315E7309911CBA1

Function 05DAF336 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68795d908fba6990be762c9d1e8c3097dde64dec3ff7281c2cd50464a65353f
Instruction ID: 9c8d81e4cf1582aa90e929814286cade941cfccf39e299dc645d394f33d74eab
Opcode Fuzzy Hash: f68795d908fba6990be762c9d1e8c3097dde64dec3ff7281c2cd50464a65353f
Instruction Fuzzy Hash: 6411D0A644E7C49FD31397B09C242D9BFB89F07215F0A45DBD486CF0A3DA294E49C762

Function 05DAC9B0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12976759aa13a68e3a009e938ca4c602d0088da45795634d01d3c3e21faa8233
Instruction ID: 3d19cb956912d9a8486f4b633eaf315416f4bd002b0acf8ad4e8fa924f0092f7
Opcode Fuzzy Hash: 12976759aa13a68e3a009e938ca4c602d0088da45795634d01d3c3e21faa8233
Instruction Fuzzy Hash: D1012233A1024A9FCB01DA64DC444DABF35FF86354B118A2AF40067161EB70A589CB90

Function 05DAC8A7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e209a7ef1bda4eb1eb4f01f6e04be4fc7dcd6d1e8a0f27630a2471ce9b77b51f
Instruction ID: 9e18f35d0bdea98dccfdee36265f843b11243828a5e1e4f8b70386d9d350acb3
Opcode Fuzzy Hash: e209a7ef1bda4eb1eb4f01f6e04be4fc7dcd6d1e8a0f27630a2471ce9b77b51f
Instruction Fuzzy Hash: F811C272D1120ACFD701DF68E8013EEBFB1EF48314F10816AD911A7391DB788945CB80

Function 05DAFAF0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5ba73e6a39e246dd6b74d896f65a87c39eed3bde92c1823f66ed0ed9bc8d92
Instruction ID: 8b17b2f3bea4f973cf436c2ce9d2dc7785a14fc11b16f31ed1e7c9450ad9c49a
Opcode Fuzzy Hash: 0a5ba73e6a39e246dd6b74d896f65a87c39eed3bde92c1823f66ed0ed9bc8d92
Instruction Fuzzy Hash: F111B7B9D0420EDFCB44DFA9D8556AEBBF6BB49301F1491AAC829A3340E7345A41CF91

Function 05DA9E64 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213a611a8d98b474b5fe84b0ee1673b9fca3444f4addd3dc627076ffd0d1108f
Instruction ID: 33ffe2fc1b06dca2c6285156c1a4e5639b03aadd6d096f2b2121f6eafcaf80c4
Opcode Fuzzy Hash: 213a611a8d98b474b5fe84b0ee1673b9fca3444f4addd3dc627076ffd0d1108f
Instruction Fuzzy Hash: 04F0F9323116108F8759AB6EC89882EB7EEFFCAB1135545AAF506CB371DE71DC018B94

Function 05DAC8B8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1b49dccbe43593b9284ea34eaa5a74877cf5f8980a737bd875f0a97ded23da
Instruction ID: df37c8d7f1f82c598dcbf45aa6d96e325075216defeef3818fb3451e1f0f86d0
Opcode Fuzzy Hash: 9c1b49dccbe43593b9284ea34eaa5a74877cf5f8980a737bd875f0a97ded23da
Instruction Fuzzy Hash: 21018C31E1020ACFDB04DF68D8017AFBBB1EF48314F00812AD915E7390EB789905CB91

Function 05DABEA9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bb465681deb536da8e456dcc95055e160e49750a051c19613eeff31226f3f5
Instruction ID: d931b0ec742ad1b5f6ee06f58314e1c06e5a91d8bc650c2b32d3c391d33084a4
Opcode Fuzzy Hash: c7bb465681deb536da8e456dcc95055e160e49750a051c19613eeff31226f3f5
Instruction Fuzzy Hash: 74F02233A01219DBD704BB6484142EFBAA7DF84750F64495BC1026B381CEB65E068BE1

Function 05DA7E19 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0d0a2f60368cb41a1411c3e7ca989c0d0dc079d69e83e7405c31b230a06c39
Instruction ID: 43acdfffd63c622bfeb8aaf68c0397bd6cebad61f8af3ba9f0077e9b5c4bf471
Opcode Fuzzy Hash: 3e0d0a2f60368cb41a1411c3e7ca989c0d0dc079d69e83e7405c31b230a06c39
Instruction Fuzzy Hash: FF016932551609CEC745EF38E9454E97FB0EF1A251B10C2ABE8489B123EB30DA98CB80

Function 05DA6AC1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc7acfc5890859187059ae9106eb68142351d759610c925883a104517c4bfaa
Instruction ID: a1e7708087b3525e1827cc3645e79c366d7a030a7f2e16fe28c691ad2da1d109
Opcode Fuzzy Hash: 6bc7acfc5890859187059ae9106eb68142351d759610c925883a104517c4bfaa
Instruction Fuzzy Hash: 7EF0C832A146548FCB11DB69D8888DEFFB8EFCA21071442AFE54497322D6709D05CBA2

Function 05DA9F34 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c78979bf9c21854af8285dac4e60ef8784543c04972b55768e9661e4cecd91
Instruction ID: 09bafa5be5d217435584cd4740a836120656975fa9390620a74a92c6095d67d9
Opcode Fuzzy Hash: 05c78979bf9c21854af8285dac4e60ef8784543c04972b55768e9661e4cecd91
Instruction Fuzzy Hash: 9AF0F632B0020997E704AB68C0582AFBAA7DFC4700F54489BC502A7381CEB65D098BE6

Function 05DAE487 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091ba9cdfb973ce555c8f2b8a514fb00a44a5690e80bb12e6078d7059c6dab32
Instruction ID: 0bc2949f43fda0a6a65ac1a7d7d02f8a2d8d20b13d3b073d2ac2d8b8ba76538b
Opcode Fuzzy Hash: 091ba9cdfb973ce555c8f2b8a514fb00a44a5690e80bb12e6078d7059c6dab32
Instruction Fuzzy Hash: D6F0DA357105108FC684DB68D498A7973EEEFC9611B1980BAE50EDB3A5DE70DC0297A0

Function 05DAF9E1 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b65be64c7f90886fe748fc52355d8fd14f2bd9137b04d4727d492c69f9e813
Instruction ID: 4785385b2879bf5332d1018b4aa92a019881c518dd8694d5852047edfa5dff0c
Opcode Fuzzy Hash: e1b65be64c7f90886fe748fc52355d8fd14f2bd9137b04d4727d492c69f9e813
Instruction Fuzzy Hash: FF016975D04246CFCB14CFB9C445AAFBFF1AF08210F2586DAD454EB256E7318544CB80

Function 05DAB658 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb71e9d114b9b8bf09524587814a11be7e844d18604f46902e8ddaa1f9b287d7
Instruction ID: 438c61d251ffbb380b73847bdea0d21703e654053f74394e01a65c342759f9f5
Opcode Fuzzy Hash: bb71e9d114b9b8bf09524587814a11be7e844d18604f46902e8ddaa1f9b287d7
Instruction Fuzzy Hash: DCE02B326063549FC3169B24D4418E67FB9EF4221030480EBD0458F662C63AEC84CB91

Function 05DA9F14 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990a608c6284eb96a38a1787b3c66d765843b150ee3ed44d92e92f910f48129b
Instruction ID: 0398eb0d007c0bb0639a0fc7336c5e32f872c10b7d2d8e5685abdfc88391a221
Opcode Fuzzy Hash: 990a608c6284eb96a38a1787b3c66d765843b150ee3ed44d92e92f910f48129b
Instruction Fuzzy Hash: C2F0E53130A341DFD31A9B38C4648277BE5EF86301708C8AFD09A8F661CA35EC81CB56

Function 05DAF9F0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9e27e599e63d4243625ae0675e4c3e45f97a6e60673f5471893e7ba387d5c8
Instruction ID: aa92494a37046a1eb1fade59380a00a84984d6268f190401801973053dbe99a4
Opcode Fuzzy Hash: ad9e27e599e63d4243625ae0675e4c3e45f97a6e60673f5471893e7ba387d5c8
Instruction Fuzzy Hash: 02F0DAB5D0420ADFDB54DFA9C841AAFBBF5FB48300F1045AAD918E7204E77496048B90

Function 05DAF98C Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8277a9b13af199379e93102ab5c84a6faec155cf07c4b8d17be74911e6c3b57a
Instruction ID: 6f87b050518e65228f311f74663a6e674f80c02b0229aa527717a3b781f7e21f
Opcode Fuzzy Hash: 8277a9b13af199379e93102ab5c84a6faec155cf07c4b8d17be74911e6c3b57a
Instruction Fuzzy Hash: 24F05E75C04206EFC740DF79C54464FBFF1AB04614F6585EAD050E72A2F77195068B81

Function 05DA7E50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4964ea5345e1040971703dc65b0b760bee1fa0ac77435eefed88bc1ca43eed
Instruction ID: c5c2b3c7c69422fd3bbdbce909253f23d05d036b77225e968f1d98ce9a66b4b3
Opcode Fuzzy Hash: dd4964ea5345e1040971703dc65b0b760bee1fa0ac77435eefed88bc1ca43eed
Instruction Fuzzy Hash: D1E06D32455259CEC745AF3499040DD7FB0BE16211B10C6ABE8488A413E6308698CBC1

Function 05DAB608 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb440b094a866a52266a8b0f45065b9f02e3af0c16e0faa77df3152a85b80901
Instruction ID: 7489af7816a4720be8ecc777a181b271a0e4a8f04f29fb7af587b71056cfc56e
Opcode Fuzzy Hash: fb440b094a866a52266a8b0f45065b9f02e3af0c16e0faa77df3152a85b80901
Instruction Fuzzy Hash: E7E0D83560A3909FD302D774B8507FB7BB2CB8A661F045156C0009B682CA284C4A8BE1

Function 05DAADB1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e10762000d74297f201c1f6e75e994a6ff29fe912d90af080740012d74268e
Instruction ID: 84887654963cdba495df79a41deaed7d08f55405f77181734aa67f4b2df0b5b1
Opcode Fuzzy Hash: 34e10762000d74297f201c1f6e75e994a6ff29fe912d90af080740012d74268e
Instruction Fuzzy Hash: 99E04F2358E2E04EE7228624AC517CA7BA1EF86116F1A89DBD0C4DB19BD41E9A49C361

Function 05DA9B0F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe35a9e8c01483aad2e3a475e79f7759c73602557f2550c6c560cd2bc03e04cc
Instruction ID: 0ac6984cf018633407f9e7af0f25d169e6e6023153b26cc8f40daa9e9ebb261c
Opcode Fuzzy Hash: fe35a9e8c01483aad2e3a475e79f7759c73602557f2550c6c560cd2bc03e04cc
Instruction Fuzzy Hash: 91E0262371D2A00BC307836824542EA6F96CBC5071B188AABE4CAC71938869480783D0

Function 05DAF8F8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31516b6ab8d3acf145baa6e0f577ca8adf9cc8a061504aaeb9307fbe2ec7ab3
Instruction ID: da4fcf18376ae59a825f98f74e76fea5ac99d750f351d9411f3cf6bfe3b27dbe
Opcode Fuzzy Hash: d31516b6ab8d3acf145baa6e0f577ca8adf9cc8a061504aaeb9307fbe2ec7ab3
Instruction Fuzzy Hash: 6FE0D87180A3C8AFCB03DB74D44466C7FB05B43105F2441EED4841A262E2B94E50D752

Function 05DA9E44 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec95892294d7c89f37fbfc9fe38a3d36ebd5fdb23ac4eed697d24ae6d4eb1f1
Instruction ID: bc399115768db21f688b22b5dcef7fe94cdc4edac71b1e156d87ccb65277c89b
Opcode Fuzzy Hash: 8ec95892294d7c89f37fbfc9fe38a3d36ebd5fdb23ac4eed697d24ae6d4eb1f1
Instruction Fuzzy Hash: B1D05E3768512046EA60DA24ACD1BDE3392FBC9312F698E5BE086DB244C42ADA86C251

Function 05DAF378 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193304c00f62478b08eee90e00a5b98941738c7c4f9d48b4e34ce5febecc7bd7
Instruction ID: dcb133050e2cd6ada0d26329b127ce7a7278610a0d4fccedcb4ccd836966526a
Opcode Fuzzy Hash: 193304c00f62478b08eee90e00a5b98941738c7c4f9d48b4e34ce5febecc7bd7
Instruction Fuzzy Hash: FFE08C72505208EFC740DBE488046AE77ACEB0E200F0089E6E40A97150EA309A00DB91

Function 05DAF998 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d103371cf4f0608ce4b90cabf116490e19a2712e3337c3481f0d7e6cbf09ff
Instruction ID: 072091166e78cc0d764d5b3edc100236e2db997662d7597277001fc0c4b6697f
Opcode Fuzzy Hash: b4d103371cf4f0608ce4b90cabf116490e19a2712e3337c3481f0d7e6cbf09ff
Instruction Fuzzy Hash: 76E0B6B5D4020AEFD780EFBAC905A5FBBF1BF08600F2185AAD019E7211E77496058F91

Function 05DA9B50 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99dfbc8274855069bebf73aca191907cafb08deac49cbc87ce7a53a45909a323
Instruction ID: 47bd54ad3c2435f45d9420d2661e6401e8f7ccd4b2ad46b9a70ccb8bb8ac4d64
Opcode Fuzzy Hash: 99dfbc8274855069bebf73aca191907cafb08deac49cbc87ce7a53a45909a323
Instruction Fuzzy Hash: 3CD0A95328A6E50BD603A3A028280DE2F50CA828A03A806CBC0098B083C8084A09C3D7

Function 05DA9B20 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47126b5ff1935ef2ce247fc7751353d6254146a700e8adb8d7eb7c9e01fd2ca
Instruction ID: 3079ab3afdb035e26d76ffae5e5352f169953aaf67b7ec386daafdf233bf5314
Opcode Fuzzy Hash: d47126b5ff1935ef2ce247fc7751353d6254146a700e8adb8d7eb7c9e01fd2ca
Instruction Fuzzy Hash: D9D0A73271825413C318936EA4886B7BBDF8BC9631F58C46EE40DC32408D769C4387A0

Function 05DA7DA8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e19c9cf2804730b1b1bd27eea9dabbe475b7d55a68570de34e404c178f1af69
Instruction ID: 4b9ebf7f4dce20b234ff7f0a6783103cd0c1b8ae83113bddc19a3127d3b264c9
Opcode Fuzzy Hash: 3e19c9cf2804730b1b1bd27eea9dabbe475b7d55a68570de34e404c178f1af69
Instruction Fuzzy Hash: 8BC01223704838838D1E32E8542817F6189CB81824B08106BD10A4B3C0DE485D1352EA

Function 05DA7E60 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8fc1d04e7807daabf77b55852d889137cde1ddf02144a18abc23bd3fe3d367
Instruction ID: a54a82a838ca09fb4d3184d01806fd40168752b20338dfbf17a467f6fa727134
Opcode Fuzzy Hash: 5e8fc1d04e7807daabf77b55852d889137cde1ddf02144a18abc23bd3fe3d367
Instruction Fuzzy Hash: CCE0E23282060CDECB84EF78D5094AE7FE8FB05211F50C52AF80D9A111EB30D6A8CF80

Function 05DA7DA5 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feaeac263cbcaece9b00897574ef6bfdcc14d2d30aabce8211e7ecc94173ff2f
Instruction ID: 26162389e8f90eda6db0c89bc60fd892faa2937956d0b51bc706bea49cf4e66e
Opcode Fuzzy Hash: feaeac263cbcaece9b00897574ef6bfdcc14d2d30aabce8211e7ecc94173ff2f
Instruction Fuzzy Hash: 1AD01233701875C68E1E73E8546C17F5245CF8491470850ABD10A4F7C0DE485A1393E9

Function 05DA09E0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3122ebbd882e37fa453493090c2d052886a1cb6c8288c1ce029e271697497e05
Instruction ID: 0ceef41fa63cb3572495d87b512c5f38cf01e31d816a8513a6dc551ab22337f3
Opcode Fuzzy Hash: 3122ebbd882e37fa453493090c2d052886a1cb6c8288c1ce029e271697497e05
Instruction Fuzzy Hash: 20D0A732150705CFC700EF2CD88587577F4FF49705B400595F1059B221EB21FD148A42

Function 05DAFA90 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 425f819a3cee0485ee325f4cc3810c6e660cd34a31f8a9fe053857b86159e61c
Instruction ID: 74ade27382e802bb19de7c895b92d6d515764eaa4ecc137e5633b7e8b15a15f5
Opcode Fuzzy Hash: 425f819a3cee0485ee325f4cc3810c6e660cd34a31f8a9fe053857b86159e61c
Instruction Fuzzy Hash: 92D012772101089E5B41EF95E800C537BEDBB54600740C462F548C7020F621E478E752

Function 05DA657E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bbcc34a7ed4d2638b2521e59ad8b5c488c297f7676bb4afea9a4612e9e0985a
Instruction ID: bea1ac8435f58e39297b0b06f958470f71163bf3a3555ae0a64580f88a4c3154
Opcode Fuzzy Hash: 8bbcc34a7ed4d2638b2521e59ad8b5c488c297f7676bb4afea9a4612e9e0985a
Instruction Fuzzy Hash: 9ED0A96601A7C40DC3033A34282828A7F30DA83024749838BC4E09A1E2EA08068883A2

Function 05DA9B60 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02baccf41796b0906c07be3dd9883da7656754ee633296597fd2609f3c622eb
Instruction ID: 9151059126a82bce4428b0f0a1a6b4da9efb3b0646364e1f76ebe547221296bf
Opcode Fuzzy Hash: b02baccf41796b0906c07be3dd9883da7656754ee633296597fd2609f3c622eb
Instruction Fuzzy Hash: B9B01223704638130809739D341C8AE738DCEC6871758016BE90E97384CE89BD0143EE

Function 05DA65B8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363765967.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90

Non-executed Functions

Function 07B2C7E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99aec2bc331db61b4683b9bc0a2aaafb3ba661592e0f5d42be0f763801462744
Instruction ID: e81aec18262eb1dbd94cf4e9eb9940fbec3d7404b606dde3b28c6dd65747413d
Opcode Fuzzy Hash: 99aec2bc331db61b4683b9bc0a2aaafb3ba661592e0f5d42be0f763801462744
Instruction Fuzzy Hash: 4EE1EBB4E002198FDB14CFA9C584AAEFBB6FF49305F2485A9D418AB355D7309D42DFA0

Function 07B2C3B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea81f84a699a1189281458c6233a0fe1bb88ae1a60c7494f399d4521bdb83af1
Instruction ID: 161fa236d4adf64d5a3ca2aeedc20dd106a942ce366a359500bf0cbbc58c3372
Opcode Fuzzy Hash: ea81f84a699a1189281458c6233a0fe1bb88ae1a60c7494f399d4521bdb83af1
Instruction Fuzzy Hash: D4E1E9B4E002198FDB14DFA8C5809AEFBB6FF49305F2481A9D818A7355D730AD42DF65

Function 07B2CC20 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45620dc485c97b24a5f389104a224acabee4e842a4e6fa0be00f8e9eb5a57c73
Instruction ID: 32333e74e1bebf34cd98e3919eabad73808dc72c6f3fe921d9e818bc6af3f5e8
Opcode Fuzzy Hash: 45620dc485c97b24a5f389104a224acabee4e842a4e6fa0be00f8e9eb5a57c73
Instruction Fuzzy Hash: 24E1FAB4E002198FDB14DFA8C5809AEFBB6FF89305F2481A9D818A7355D731AD42DF60

Function 07B2EC78 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b1adc54d2f502dca296e47773875ed63d27671ea7db2106edc0e821dc5785f
Instruction ID: 13cac6528adf4b3e2dfe3b3fb3c239757f954c921d33ee927b32e03088fd10fe
Opcode Fuzzy Hash: f1b1adc54d2f502dca296e47773875ed63d27671ea7db2106edc0e821dc5785f
Instruction Fuzzy Hash: B7E1FAB4E002198FDB14DFA9C584AAEFBB6FF89305F2481A9D418AB355D7319D42CF60

Function 07B23878 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88227da9746138e20d3d0719dee7e7607e4223b0e71f1c3f727d3dfdef07c520
Instruction ID: f639c018f67d12e964fa97a61ed5fbcacab25eec950eadf40975877659c9c943
Opcode Fuzzy Hash: 88227da9746138e20d3d0719dee7e7607e4223b0e71f1c3f727d3dfdef07c520
Instruction Fuzzy Hash: EBD1197181075ACACB01EB64D9546D9F7B2FF99300F50DB9AD00A3B621EB706EC5CB91

Function 057AD524 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358243674.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f5ab2473bcd4209aa3b06da1df368e9c1ae1df300a51227ce08e9943c597cc
Instruction ID: c9f85af49674b56135e254dc90fe078064658a2e77c195713d344bc614c07a40
Opcode Fuzzy Hash: f5f5ab2473bcd4209aa3b06da1df368e9c1ae1df300a51227ce08e9943c597cc
Instruction Fuzzy Hash: BFA15036E102059FCF15DFB4C84499EBBB2FFC5300B15866AE806AB261DB71D945DF40

Function 07B23888 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa704497b3fa4a68ce28d6302d16400fc89f0d340099e04b547c015e5acb6de
Instruction ID: cbe81fdea0bfdf6b7105101688406e5c6c70bd20e6d31efdd68c76efd2cc529e
Opcode Fuzzy Hash: ffa704497b3fa4a68ce28d6302d16400fc89f0d340099e04b547c015e5acb6de
Instruction Fuzzy Hash: 66D1197182075ACACB01EB64D9546D9F7B2FF99300F50DB9AD00A3B221EB706ED5CB91

Function 07B20016 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce05abddf010386006bea9cf6cc83cffb6e532421bd5b5ca9f9b25caaee19391
Instruction ID: a15bbb233f6d6ee8137b9eaea05a1ab36872ce1cc589b267a346694effbf132e
Opcode Fuzzy Hash: ce05abddf010386006bea9cf6cc83cffb6e532421bd5b5ca9f9b25caaee19391
Instruction Fuzzy Hash: 03C183B5E016288FDB58DF6AC944ADDBBF2AF89300F14C1E9D409AB365DB305E858F50

Function 07B2C38F Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7718c6352a82fa528ca90807c93e5e5f50e989e17b44761e315a1821c1c0cbe1
Instruction ID: 6cc02ed68963a4c2f67bc574aca2464868c44551da038e01ff85831f422c12b9
Opcode Fuzzy Hash: 7718c6352a82fa528ca90807c93e5e5f50e989e17b44761e315a1821c1c0cbe1
Instruction Fuzzy Hash: 2D513DB0E052198FDB14CFA9C5805AEFBF6FF89304F1481AAD418AB256D7359D42CFA1

Function 07B2CC18 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb850b553e5e66aef0baced11ea1a8ca4665017cb2f92f657200390a61c8507d
Instruction ID: 253f1ce41f2f073ba76f396c0deeec087e8a3286e8f58c19d5dffd330199a46b
Opcode Fuzzy Hash: cb850b553e5e66aef0baced11ea1a8ca4665017cb2f92f657200390a61c8507d
Instruction Fuzzy Hash: BC5129B4E002298FDB14CFA9D5805EEFBF6FF89305F2481AAD418AB215C7315942CFA1

Function 07B2C7D8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1366222117.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b20000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f304bb1b4aff9b35d15ed78d584ae0a0db0bab38315bd0d9e3b81c792d236cc
Instruction ID: a79304d35ef111c88fd3d93f418122a19e609377ee29118c81422540873732e0
Opcode Fuzzy Hash: 7f304bb1b4aff9b35d15ed78d584ae0a0db0bab38315bd0d9e3b81c792d236cc
Instruction Fuzzy Hash: 3451F8B0E012298FDB14CFA9C5445AEFBF6FF89305F2481AAD418AB215D7319D42DFA1

Analysis Process: Quote5000AFC.exePID: 7232, Parent PID: 2656COMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	2
Total number of Limit Nodes:	0

Executed Functions

Function 0105C111 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0105C19F

Memory Dump Source

Source File: 00000006.00000002.2574898835.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Quote5000AFC.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d8b1fc2b37fd4e0a2993877e39c1358c5c8a6500fe247e8c46382d2992eb9b1f
Instruction ID: a85efdf5f267f3b0739d668e5d01f3ed9b348d9cfa781b654f1e2a83bbcab34f
Opcode Fuzzy Hash: d8b1fc2b37fd4e0a2993877e39c1358c5c8a6500fe247e8c46382d2992eb9b1f
Instruction Fuzzy Hash: 2B21E5B5900249AFDB10CFAAD984ADEBFF8FB48310F14841AE954A3350D374A940CFA5

Function 0105C118 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0105C19F

Memory Dump Source

Source File: 00000006.00000002.2574898835.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Quote5000AFC.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2ca9eb4f91b272f18d810ab51ed8078c36dacb8c57daac869f235d5e3c36e0fe
Instruction ID: 9857ba21ef9cf42bb37eb796d5db333143da96d5be7a4876754a378d40f83ef2
Opcode Fuzzy Hash: 2ca9eb4f91b272f18d810ab51ed8078c36dacb8c57daac869f235d5e3c36e0fe
Instruction Fuzzy Hash: 3921E4B59003499FDB10CFAAD984ADEBBF8EB48310F14801AE954A3350D374A940CFA5

Function 0100D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2574534590.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100d000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff01ad56f1e7759bf29e870b48c7c2348579480020ba6cbf0e671a7d93f0110d
Instruction ID: 1ad5a9672735f970168b7b0fa94aa25571302d1fedc70612ea3ee96c7de43a7e
Opcode Fuzzy Hash: ff01ad56f1e7759bf29e870b48c7c2348579480020ba6cbf0e671a7d93f0110d
Instruction Fuzzy Hash: BA21D371604344DFEB16DF94D9C0B16BBA5EB84314F24C5A9E98E4B286C336D447CB72

Function 0100D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2574534590.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100d000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: 97692efe647c8ca64b0073d768fad13e89bcabfc8c371df19709cb0fdda6e10d
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: F1118B75504280DFDB16CF94D5C4B15BBA2FB84314F28C6AAE8494B696C33AD44ACBA2

Function 00FFD628 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2574473577.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ffd000_Quote5000AFC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6c343f7a796a737836fbb251a2bfdd7d5d9ab1dd46e442085eaceb2063b9fe
Instruction ID: 9ab6c3641fc9544e5cf305b2235224b271a7945d8ead1a91cc06669acdd10b86
Opcode Fuzzy Hash: 7d6c343f7a796a737836fbb251a2bfdd7d5d9ab1dd46e442085eaceb2063b9fe
Instruction Fuzzy Hash: F8F06271404344AFEB208A16D984B66FBD8EF51735F18C45AED0C4A296C27A9844DAB2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quote5000AFC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote5000AFC.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ncsqrif.sd5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0ylyocw.woh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vys4gmwa.to5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wrllasph.01l.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
Quote5000AFC.exe

Function 07B20040 Relevance: 2.3, Strings: 1, Instructions: 1022
COMMON

Function 07B2EB98 Relevance: 3.1, APIs: 2, Instructions: 97
threadCOMMON

Function 07B2F3EE Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Function 07B2F3F8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 057AAEB7 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Function 057A44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 057A590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 07B2F168 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Function 07B2F170 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 07B2F258 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 057ABC40 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 07B2F260 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 07B2EBA0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 07B2F0A8 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre