Windows Analysis Report
906982022050120220531MES_S Quote.exe

Overview

General Information

Sample name: 906982022050120220531MES_S Quote.exe
Analysis ID: 1519323
MD5: 97517a596568472e97648096551266ce
SHA1: b59e636deb429abd8213ca4edc14c44106ca8fab
SHA256: b991841036289e1775750f4e841f0b2af835779fd1b9bcd2ccdfd8b579727bbf
Tags: exe, Formbook, user-cocaman

Detection

FormBook
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 906982022050120220531MES_S Quote.exe ReversingLabs: Detection: 34%
Source: Yara match File source: 5.2.906982022050120220531MES_S Quote.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.906982022050120220531MES_S Quote.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2299717834.0000000000940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2299413776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 906982022050120220531MES_S Quote.exe Joe Sandbox ML: detected
Source: 906982022050120220531MES_S Quote.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 906982022050120220531MES_S Quote.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: jjmV.pdb source: 906982022050120220531MES_S Quote.exe
Source: Binary string: wntdll.pdbUGP source: 906982022050120220531MES_S Quote.exe, 00000005.00000002.2300193411.0000000000F30000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: jjmV.pdbSHA256 source: 906982022050120220531MES_S Quote.exe
Source: Binary string: wntdll.pdb source: 906982022050120220531MES_S Quote.exe, 906982022050120220531MES_S Quote.exe, 00000005.00000002.2300193411.0000000000F30000.00000040.00001000.00020000.00000000.sdmp
Source: 906982022050120220531MES_S Quote.exe, 00000000.00000002.2040724555.0000000003047000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud

Source: Yara match File source: 5.2.906982022050120220531MES_S Quote.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.906982022050120220531MES_S Quote.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2299717834.0000000000940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2299413776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.2.906982022050120220531MES_S Quote.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.906982022050120220531MES_S Quote.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2299717834.0000000000940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2299413776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_0042CAF3 NtClose, 5_2_0042CAF3
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2B60 NtClose,LdrInitializeThunk, 5_2_00FA2B60
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_00FA2C70
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_00FA2DF0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA35C0 NtCreateMutant,LdrInitializeThunk, 5_2_00FA35C0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA4340 NtSetContextThread, 5_2_00FA4340
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA4650 NtSuspendThread, 5_2_00FA4650
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2AF0 NtWriteFile, 5_2_00FA2AF0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2AD0 NtReadFile, 5_2_00FA2AD0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2AB0 NtWaitForSingleObject, 5_2_00FA2AB0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2BF0 NtAllocateVirtualMemory, 5_2_00FA2BF0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2BE0 NtQueryValueKey, 5_2_00FA2BE0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2BA0 NtEnumerateValueKey, 5_2_00FA2BA0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2B80 NtQueryInformationFile, 5_2_00FA2B80
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2CF0 NtOpenProcess, 5_2_00FA2CF0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2CC0 NtQueryVirtualMemory, 5_2_00FA2CC0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2CA0 NtQueryInformationToken, 5_2_00FA2CA0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2C60 NtCreateKey, 5_2_00FA2C60
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2C00 NtQueryInformationProcess, 5_2_00FA2C00
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2DD0 NtDelayExecution, 5_2_00FA2DD0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2DB0 NtEnumerateKey, 5_2_00FA2DB0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2D30 NtUnmapViewOfSection, 5_2_00FA2D30
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2D10 NtMapViewOfSection, 5_2_00FA2D10
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2D00 NtSetInformationFile, 5_2_00FA2D00
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2EE0 NtQueueApcThread, 5_2_00FA2EE0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2EA0 NtAdjustPrivilegesToken, 5_2_00FA2EA0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2E80 NtReadVirtualMemory, 5_2_00FA2E80
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2E30 NtWriteVirtualMemory, 5_2_00FA2E30
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2FE0 NtCreateFile, 5_2_00FA2FE0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2FB0 NtResumeThread, 5_2_00FA2FB0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2FA0 NtQuerySection, 5_2_00FA2FA0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2F90 NtProtectVirtualMemory, 5_2_00FA2F90
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2F60 NtCreateProcessEx, 5_2_00FA2F60
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2F30 NtCreateSection, 5_2_00FA2F30
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA3090 NtSetValueKey, 5_2_00FA3090
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA3010 NtOpenDirectoryObject, 5_2_00FA3010
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA39B0 NtGetContextThread, 5_2_00FA39B0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA3D70 NtOpenThread, 5_2_00FA3D70
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA3D10 NtOpenProcessToken, 5_2_00FA3D10
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: String function: 00FB7E54 appears 111 times
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: String function: 00F5B970 appears 280 times
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: String function: 00FA5130 appears 58 times
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: String function: 00FEF290 appears 105 times
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: String function: 00FDEA12 appears 86 times
Source: 906982022050120220531MES_S Quote.exe, 00000000.00000000.2028049130.0000000000C2C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamejjmV.exeD vs 906982022050120220531MES_S Quote.exe
Source: 906982022050120220531MES_S Quote.exe, 00000000.00000002.2039584831.000000000107E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 906982022050120220531MES_S Quote.exe
Source: 906982022050120220531MES_S Quote.exe, 00000000.00000002.2065983439.0000000007510000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs 906982022050120220531MES_S Quote.exe
Source: 906982022050120220531MES_S Quote.exe, 00000005.00000002.2300193411.000000000105D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 906982022050120220531MES_S Quote.exe
Source: 906982022050120220531MES_S Quote.exe Binary or memory string: OriginalFilenamejjmV.exeD vs 906982022050120220531MES_S Quote.exe
Source: 5.2.906982022050120220531MES_S Quote.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.906982022050120220531MES_S Quote.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2299717834.0000000000940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2299413776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 906982022050120220531MES_S Quote.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.906982022050120220531MES_S Quote.exe.42b9e30.4.raw.unpack, bXaHtglU9GelNmTyIN.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.906982022050120220531MES_S Quote.exe.42b9e30.4.raw.unpack, bXaHtglU9GelNmTyIN.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.906982022050120220531MES_S Quote.exe.42b9e30.4.raw.unpack, kNx15R37GKnWQBMmYJ.cs Security API names: _0020.SetAccessControl
Source: 0.2.906982022050120220531MES_S Quote.exe.42b9e30.4.raw.unpack, kNx15R37GKnWQBMmYJ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.906982022050120220531MES_S Quote.exe.42b9e30.4.raw.unpack, kNx15R37GKnWQBMmYJ.cs Security API names: _0020.AddAccessRule
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, bXaHtglU9GelNmTyIN.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, bXaHtglU9GelNmTyIN.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, kNx15R37GKnWQBMmYJ.cs Security API names: _0020.SetAccessControl
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, kNx15R37GKnWQBMmYJ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, kNx15R37GKnWQBMmYJ.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal96.troj.evad.winEXE@6/6@0/0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\906982022050120220531MES_S Quote.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6256:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4cowmdch.xfy.ps1
Source: 906982022050120220531MES_S Quote.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe "C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe"
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Process created: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe "C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe"
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: 906982022050120220531MES_S Quote.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 906982022050120220531MES_S Quote.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 906982022050120220531MES_S Quote.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: jjmV.pdb source: 906982022050120220531MES_S Quote.exe
Source: Binary string: wntdll.pdbUGP source: 906982022050120220531MES_S Quote.exe, 00000005.00000002.2300193411.0000000000F30000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: jjmV.pdbSHA256 source: 906982022050120220531MES_S Quote.exe
Source: Binary string: wntdll.pdb source: 906982022050120220531MES_S Quote.exe, 906982022050120220531MES_S Quote.exe, 00000005.00000002.2300193411.0000000000F30000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: 906982022050120220531MES_S Quote.exe, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, kNx15R37GKnWQBMmYJ.cs .Net Code: uKEscrOKZ9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.906982022050120220531MES_S Quote.exe.307d9b4.1.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.906982022050120220531MES_S Quote.exe.7ea0000.6.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.906982022050120220531MES_S Quote.exe.307439c.0.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.906982022050120220531MES_S Quote.exe.302e94c.3.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.906982022050120220531MES_S Quote.exe.42b9e30.4.raw.unpack, kNx15R37GKnWQBMmYJ.cs .Net Code: uKEscrOKZ9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.906982022050120220531MES_S Quote.exe.3025334.2.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 906982022050120220531MES_S Quote.exe Static PE information: 0xBC60C711 [Mon Feb 24 09:17:05 2070 UTC]
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_004150A8 push ss; iretd 5_2_004150B9
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00414143 push ebp; iretd 5_2_00414189
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00406377 push es; ret 5_2_00406381
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_0041FBDB push ebp; ret 5_2_0041FBDC
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00411D04 pushad ; retf 5_2_00411D2D
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00403780 push eax; ret 5_2_00403782
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F3225F pushad ; ret 5_2_00F327F9
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F327FA pushad ; ret 5_2_00F327F9
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F3283D push eax; iretd 5_2_00F32858
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F609AD push ecx; mov dword ptr [esp], ecx 5_2_00F609B6
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F31366 push eax; iretd 5_2_00F31369
Source: 906982022050120220531MES_S Quote.exe Static PE information: section name: .text entropy: 7.877466323422058
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, Ij4aIEYEmF4AIQUJCH.cs High entropy of concatenated method names: 'ToString', 'eRixoLZAJa', 'lZEx7uMG1X', 'ab7xwLFxa1', 'j9txRyyjQV', 'C1NxddgY1h', 'telxHLidns', 'CQnxXG9Kfm', 'KBXx50ywMH', 'WsIxCCecpt'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, KraSQDSR60meKs1GWc.cs High entropy of concatenated method names: 'fhwKThp4C1', 'dfBK77TDJ6', 'VtCKwQUQfE', 'JgBKR27X9v', 'dsTKOIi1pW', 'NpgKdi8dZg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, CLcbWcb9mZDK3d8A9K.cs High entropy of concatenated method names: 'Tv7mAHUNoh', 'fZ5maFhKQS', 'ynxfwoEDFW', 'im3fRIRblb', 'x8xfd32qFv', 'K9tfHgIyju', 'GyTfXnrO2l', 'V6xf5xWZ0R', 'LgYfCCWNP4', 'vqkfUtZuM8'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, xFFYTkJhlLtsvdmgp3.cs High entropy of concatenated method names: 'Dispose', 'tubPSdASYE', 'AZS07CRikD', 'Jtlhh1PVkB', 'zgQPqS4Gdl', 'jEqPzuoXks', 'ProcessDialogKey', 'gcH0IraSQD', 'I600PmeKs1', 'PWc008dyDv'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, kNx15R37GKnWQBMmYJ.cs High entropy of concatenated method names: 'lg9t6JZlks', 'v1rtZO2Dva', 'P1itJGEjB0', 'OmRtfAE4DF', 'TrUtm4XVqf', 'pkft4l9fV7', 'C5FtpaN4tb', 'BPSt3FKAYZ', 'OBstEY9rpf', 'lCvtDQktll'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, KJIAiYPtf1ba0qVwldP.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TSXgOBHO4I', 'L2ZgNUq5Ij', 'Py5gY6fcYJ', 'cHvgF4lJXR', 'BN4gMUWFwC', 'xgbgkvqqQZ', 'NPCgBn5cLs'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, bXaHtglU9GelNmTyIN.cs High entropy of concatenated method names: 'kdsJOcqSyH', 'XGgJNOnZ9p', 'sWFJYx81We', 'IwSJFhCPkx', 'y7NJMnq7gW', 'rICJke8q7h', 'RlPJB5lYxd', 'tf5JnNlBx6', 'Qn1JSMd5KI', 'a6eJq5vyoU'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, qdyDvRqZZlZjspRefR.cs High entropy of concatenated method names: 'twPyPkX4eJ', 'QcVytoZTyP', 'KuAys9Ty0N', 'v2FyZ2dLJ5', 'ooZyJavicj', 'dZGymo0DJl', 'tHty4spBks', 'NtiKBr0Z19', 'yeQKngcPVl', 'bOEKSd7qHq'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, IaBq5ZOtAYED4sI0HK.cs High entropy of concatenated method names: 'T7nhUKbQ2u', 'EHdhGDSV0J', 'g2PhO2agSx', 'BhKhN1XlHI', 'qolh7QjQf5', 'ALWhw1iXjA', 'rCThR1XCKZ', 'VSlhdM6B75', 'h9lhHBg5oD', 'PTohXotyen'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, UDA7BRXA9rqXRh4oXl.cs High entropy of concatenated method names: 'u7upZU8EmC', 'bEhpf1Bw2u', 'ETKp4Rw42N', 'JkT4qVxBLK', 'SF64zJ9PyG', 'YlfpIqLpeo', 'NcOpPSCm7j', 'QWDp0ceayZ', 'OKSptPeqsI', 'cUQpsOpt2A'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, HLDjHrWof68a51id4R.cs High entropy of concatenated method names: 'DNIvl2BaCK', 'rvqv14xjid', 'kjKvTy1ENO', 'YHKv7m1nlQ', 'acjvRCHtGV', 'aB2vdPhgpb', 'pPEvXgx9Qh', 'GJFv5eCBeb', 'osbvUqMcbb', 'NQjvo1W4T4'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, LFE5PYk8druYBAT3rf.cs High entropy of concatenated method names: 'KLU8ngXGjr', 'b3N8qZ1Zmq', 'eIZKIsFdFD', 'vqGKPWIC1F', 'LtA8oKlCYF', 'Iyw8GBUXkC', 'IHk8WPo9xm', 'T5H8OZLpmu', 'kk48NfY7Q2', 'fgW8YGSrdF'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, UsGg1fCNjTiN2pYhrS.cs High entropy of concatenated method names: 'H3hp9GpW8t', 'lAApL5LspS', 'WwZpcoC3lk', 'llMpra5tEX', 'avmpAkdJDv', 'pIQputPBDY', 'gOopa5fnNN', 'k8qplUrXHc', 'BxWp1qxVLT', 'Wkwpbfi7vi'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, zU10lsTfLuy2B41iOG.cs High entropy of concatenated method names: 'zUC46bSYHa', 'Xxw4JVPXIe', 'FbD4mhMpbG', 'P9U4p0BVI5', 'EjS43o5cHQ', 'kpymMiyxB0', 'xpwmkcNuwR', 'Ps7mBtIphn', 'sKfmnKvLHq', 'rxXmSTWjhq'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, K9cFSe0WTUoLHYOFmO.cs High entropy of concatenated method names: 'FF3cW8Dbf', 'h0jrD0Ymi', 'tdeuV7xNx', 'aBWaJDZrj', 'ucS1ly3Sh', 'MxIbXR6J0', 'A8gOYIcP8hxpU53Igg', 'd7gEhYv6r2iljhKMIh', 'hPV07F2Si5CtfVmXb6', 'OAIKsxe9n'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, gXOJuezNLUvPMepUd1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NBPyvDf6V9', 'Rp7yhWSiAp', 'Uhfyx5ZQKE', 'oEvy8ZG5Us', 'dXdyKCtHRl', 'u36yyxdoOH', 'xcAyg14XsS'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, tQS4GdnlpEquoXksfc.cs High entropy of concatenated method names: 'MDHKZwAgJ3', 'xhRKJdkUVR', 'vJFKf5RFTr', 'PsFKmddTvc', 'DSaK4EcuQY', 'WUEKpZYkwl', 'tuuK3a6nsA', 'MLyKEeNYkx', 'Tj6KD1dW9B', 'VsbKe7kV7w'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, kXFPqtPIXBI7o1ErNZv.cs High entropy of concatenated method names: 'EPMy91AYtK', 'RhvyL20TfQ', 'gZbycocStx', 'J2HyrNAT8l', 'LW1yAWVYWJ', 'fRIyu6bLgZ', 'wlLyaiVdMc', 'Towyl8SXTh', 'CdBy1YA6lB', 'NvOybVvXv4'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, F5UdfJsd9dngsvYPVi.cs High entropy of concatenated method names: 'lR0PpXaHtg', 'N9GP3elNmT', 'm1ZPDPGYaO', 'etFPegaLcb', 'J8APh9KcU1', 'blsPxfLuy2', 'fuIWqRX597yXrassy1', 'wY57Tsd9BWXDQV1s2K', 'VtkPPNFclE', 'nkEPt40uV5'
Source: 0.2.906982022050120220531MES_S Quote.exe.7510000.5.raw.unpack, sROX9D11ZPGYaOstFg.cs High entropy of concatenated method names: 'FDxfryaleB', 'D02fuhd2iV', 'DHlfleqhUF', 'Btlf1mtJks', 'WqZfhYC4qR', 'dAufx24siB', 'srUf8oAWvv', 'kxmfKmhob8', 'EDxfymaHN6', 'p0JfgbhMIL'
Source: 0.2.906982022050120220531MES_S Quote.exe.307d9b4.1.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: 906982022050120220531MES_S Quote.exe PID: 6640, type: MEMORYSTR
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Memory allocated: 1590000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Memory allocated: 2FF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Memory allocated: 2DF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Memory allocated: 8100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Memory allocated: 9100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Memory allocated: 92C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Memory allocated: A2C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA096E rdtsc 5_2_00FA096E
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5165
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1859
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe API coverage: 0.6 %
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe TID: 6600 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7296 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe TID: 4836 Thread sleep time: -30000s >= -30000s
Source: 906982022050120220531MES_S Quote.exe, 00000000.00000002.2039584831.00000000010B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: 906982022050120220531MES_S Quote.exe, 00000000.00000002.2039584831.00000000010B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\@
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00417DB3 LdrLoadDll, 5_2_00417DB3
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F5C0F0 mov eax, dword ptr fs:[00000030h] 5_2_00F5C0F0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_0101A250 mov eax, dword ptr fs:[00000030h] 5_2_0101A250
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_0103625D mov eax, dword ptr fs:[00000030h] 5_2_0103625D
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F58397 mov eax, dword ptr fs:[00000030h] 5_2_00F58397
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F58397 mov eax, dword ptr fs:[00000030h] 5_2_00F58397
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F58397 mov eax, dword ptr fs:[00000030h] 5_2_00F58397
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01010274 mov eax, dword ptr fs:[00000030h] 5_2_01010274
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01010274 mov eax, dword ptr fs:[00000030h] 5_2_01010274
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01010274 mov eax, dword ptr fs:[00000030h] 5_2_01010274
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01010274 mov eax, dword ptr fs:[00000030h] 5_2_01010274
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01010274 mov eax, dword ptr fs:[00000030h] 5_2_01010274
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01010274 mov eax, dword ptr fs:[00000030h] 5_2_01010274
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01010274 mov eax, dword ptr fs:[00000030h] 5_2_01010274
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01010274 mov eax, dword ptr fs:[00000030h] 5_2_01010274
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01010274 mov eax, dword ptr fs:[00000030h] 5_2_01010274
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01010274 mov eax, dword ptr fs:[00000030h] 5_2_01010274
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01010274 mov eax, dword ptr fs:[00000030h] 5_2_01010274
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01010274 mov eax, dword ptr fs:[00000030h] 5_2_01010274
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8438F mov eax, dword ptr fs:[00000030h] 5_2_00F8438F
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8438F mov eax, dword ptr fs:[00000030h] 5_2_00F8438F
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F5E388 mov eax, dword ptr fs:[00000030h] 5_2_00F5E388
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F5E388 mov eax, dword ptr fs:[00000030h] 5_2_00F5E388
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F5E388 mov eax, dword ptr fs:[00000030h] 5_2_00F5E388
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE035C mov eax, dword ptr fs:[00000030h] 5_2_00FE035C
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE035C mov eax, dword ptr fs:[00000030h] 5_2_00FE035C
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE035C mov eax, dword ptr fs:[00000030h] 5_2_00FE035C
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE035C mov ecx, dword ptr fs:[00000030h] 5_2_00FE035C
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE035C mov eax, dword ptr fs:[00000030h] 5_2_00FE035C
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE035C mov eax, dword ptr fs:[00000030h] 5_2_00FE035C
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE2349 mov eax, dword ptr fs:[00000030h] 5_2_00FE2349
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_010362D6 mov eax, dword ptr fs:[00000030h] 5_2_010362D6
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F5C310 mov ecx, dword ptr fs:[00000030h] 5_2_00F5C310
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F80310 mov ecx, dword ptr fs:[00000030h] 5_2_00F80310
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9A30B mov eax, dword ptr fs:[00000030h] 5_2_00F9A30B
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9A30B mov eax, dword ptr fs:[00000030h] 5_2_00F9A30B
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9A30B mov eax, dword ptr fs:[00000030h] 5_2_00F9A30B
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01034500 mov eax, dword ptr fs:[00000030h] 5_2_01034500
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01034500 mov eax, dword ptr fs:[00000030h] 5_2_01034500
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01034500 mov eax, dword ptr fs:[00000030h] 5_2_01034500
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01034500 mov eax, dword ptr fs:[00000030h] 5_2_01034500
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01034500 mov eax, dword ptr fs:[00000030h] 5_2_01034500
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01034500 mov eax, dword ptr fs:[00000030h] 5_2_01034500
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_01034500 mov eax, dword ptr fs:[00000030h] 5_2_01034500
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F604E5 mov ecx, dword ptr fs:[00000030h] 5_2_00F604E5
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F944B0 mov ecx, dword ptr fs:[00000030h] 5_2_00F944B0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FEA4B0 mov eax, dword ptr fs:[00000030h] 5_2_00FEA4B0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F664AB mov eax, dword ptr fs:[00000030h] 5_2_00F664AB
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8A470 mov eax, dword ptr fs:[00000030h] 5_2_00F8A470
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8A470 mov eax, dword ptr fs:[00000030h] 5_2_00F8A470
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8A470 mov eax, dword ptr fs:[00000030h] 5_2_00F8A470
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FEC460 mov ecx, dword ptr fs:[00000030h] 5_2_00FEC460
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8245A mov eax, dword ptr fs:[00000030h] 5_2_00F8245A
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F5645D mov eax, dword ptr fs:[00000030h] 5_2_00F5645D
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9E443 mov eax, dword ptr fs:[00000030h] 5_2_00F9E443
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9E443 mov eax, dword ptr fs:[00000030h] 5_2_00F9E443
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9E443 mov eax, dword ptr fs:[00000030h] 5_2_00F9E443
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9E443 mov eax, dword ptr fs:[00000030h] 5_2_00F9E443
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9E443 mov eax, dword ptr fs:[00000030h] 5_2_00F9E443
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9E443 mov eax, dword ptr fs:[00000030h] 5_2_00F9E443
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9E443 mov eax, dword ptr fs:[00000030h] 5_2_00F9E443
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9E443 mov eax, dword ptr fs:[00000030h] 5_2_00F9E443
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9A430 mov eax, dword ptr fs:[00000030h] 5_2_00F9A430
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F5C427 mov eax, dword ptr fs:[00000030h] 5_2_00F5C427
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F5E420 mov eax, dword ptr fs:[00000030h] 5_2_00F5E420
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F5E420 mov eax, dword ptr fs:[00000030h] 5_2_00F5E420
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F5E420 mov eax, dword ptr fs:[00000030h] 5_2_00F5E420
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE6420 mov eax, dword ptr fs:[00000030h] 5_2_00FE6420
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE6420 mov eax, dword ptr fs:[00000030h] 5_2_00FE6420
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE6420 mov eax, dword ptr fs:[00000030h] 5_2_00FE6420
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE6420 mov eax, dword ptr fs:[00000030h] 5_2_00FE6420
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE6420 mov eax, dword ptr fs:[00000030h] 5_2_00FE6420
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE6420 mov eax, dword ptr fs:[00000030h] 5_2_00FE6420
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE6420 mov eax, dword ptr fs:[00000030h] 5_2_00FE6420
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F98402 mov eax, dword ptr fs:[00000030h] 5_2_00F98402
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F98402 mov eax, dword ptr fs:[00000030h] 5_2_00F98402
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F98402 mov eax, dword ptr fs:[00000030h] 5_2_00F98402
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9C5ED mov eax, dword ptr fs:[00000030h] 5_2_00F9C5ED
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9C5ED mov eax, dword ptr fs:[00000030h] 5_2_00F9C5ED
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F625E0 mov eax, dword ptr fs:[00000030h] 5_2_00F625E0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8E5E7 mov eax, dword ptr fs:[00000030h] 5_2_00F8E5E7
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8E5E7 mov eax, dword ptr fs:[00000030h] 5_2_00F8E5E7
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8E5E7 mov eax, dword ptr fs:[00000030h] 5_2_00F8E5E7
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8E5E7 mov eax, dword ptr fs:[00000030h] 5_2_00F8E5E7
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8E5E7 mov eax, dword ptr fs:[00000030h] 5_2_00F8E5E7
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8E5E7 mov eax, dword ptr fs:[00000030h] 5_2_00F8E5E7
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8E5E7 mov eax, dword ptr fs:[00000030h] 5_2_00F8E5E7
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8E5E7 mov eax, dword ptr fs:[00000030h] 5_2_00F8E5E7
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F665D0 mov eax, dword ptr fs:[00000030h] 5_2_00F665D0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9A5D0 mov eax, dword ptr fs:[00000030h] 5_2_00F9A5D0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9A5D0 mov eax, dword ptr fs:[00000030h] 5_2_00F9A5D0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9E5CF mov eax, dword ptr fs:[00000030h] 5_2_00F9E5CF
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9E5CF mov eax, dword ptr fs:[00000030h] 5_2_00F9E5CF
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F845B1 mov eax, dword ptr fs:[00000030h] 5_2_00F845B1
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F845B1 mov eax, dword ptr fs:[00000030h] 5_2_00F845B1
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_0101A456 mov eax, dword ptr fs:[00000030h] 5_2_0101A456
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE05A7 mov eax, dword ptr fs:[00000030h] 5_2_00FE05A7
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE05A7 mov eax, dword ptr fs:[00000030h] 5_2_00FE05A7
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE05A7 mov eax, dword ptr fs:[00000030h] 5_2_00FE05A7
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9E59C mov eax, dword ptr fs:[00000030h] 5_2_00F9E59C
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F94588 mov eax, dword ptr fs:[00000030h] 5_2_00F94588
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F62582 mov eax, dword ptr fs:[00000030h] 5_2_00F62582
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F62582 mov ecx, dword ptr fs:[00000030h] 5_2_00F62582
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9656A mov eax, dword ptr fs:[00000030h] 5_2_00F9656A
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9656A mov eax, dword ptr fs:[00000030h] 5_2_00F9656A
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9656A mov eax, dword ptr fs:[00000030h] 5_2_00F9656A
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_0101A49A mov eax, dword ptr fs:[00000030h] 5_2_0101A49A
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F68550 mov eax, dword ptr fs:[00000030h] 5_2_00F68550
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F68550 mov eax, dword ptr fs:[00000030h] 5_2_00F68550
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70535 mov eax, dword ptr fs:[00000030h] 5_2_00F70535
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70535 mov eax, dword ptr fs:[00000030h] 5_2_00F70535
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70535 mov eax, dword ptr fs:[00000030h] 5_2_00F70535
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70535 mov eax, dword ptr fs:[00000030h] 5_2_00F70535
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70535 mov eax, dword ptr fs:[00000030h] 5_2_00F70535
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70535 mov eax, dword ptr fs:[00000030h] 5_2_00F70535
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8E53E mov eax, dword ptr fs:[00000030h] 5_2_00F8E53E
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8E53E mov eax, dword ptr fs:[00000030h] 5_2_00F8E53E
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8E53E mov eax, dword ptr fs:[00000030h] 5_2_00F8E53E
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8E53E mov eax, dword ptr fs:[00000030h] 5_2_00F8E53E
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F8E53E mov eax, dword ptr fs:[00000030h] 5_2_00F8E53E
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FF6500 mov eax, dword ptr fs:[00000030h] 5_2_00FF6500
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FDE6F2 mov eax, dword ptr fs:[00000030h] 5_2_00FDE6F2
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FDE6F2 mov eax, dword ptr fs:[00000030h] 5_2_00FDE6F2
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FDE6F2 mov eax, dword ptr fs:[00000030h] 5_2_00FDE6F2
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FDE6F2 mov eax, dword ptr fs:[00000030h] 5_2_00FDE6F2
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE06F1 mov eax, dword ptr fs:[00000030h] 5_2_00FE06F1
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE06F1 mov eax, dword ptr fs:[00000030h] 5_2_00FE06F1
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9A6C7 mov ebx, dword ptr fs:[00000030h] 5_2_00F9A6C7
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9A6C7 mov eax, dword ptr fs:[00000030h] 5_2_00F9A6C7
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F966B0 mov eax, dword ptr fs:[00000030h] 5_2_00F966B0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9C6A6 mov eax, dword ptr fs:[00000030h] 5_2_00F9C6A6
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F64690 mov eax, dword ptr fs:[00000030h] 5_2_00F64690
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F64690 mov eax, dword ptr fs:[00000030h] 5_2_00F64690
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F92674 mov eax, dword ptr fs:[00000030h] 5_2_00F92674
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_0100678E mov eax, dword ptr fs:[00000030h] 5_2_0100678E
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9A660 mov eax, dword ptr fs:[00000030h] 5_2_00F9A660
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9A660 mov eax, dword ptr fs:[00000030h] 5_2_00F9A660
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_010147A0 mov eax, dword ptr fs:[00000030h] 5_2_010147A0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F7C640 mov eax, dword ptr fs:[00000030h] 5_2_00F7C640
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F7E627 mov eax, dword ptr fs:[00000030h] 5_2_00F7E627
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F96620 mov eax, dword ptr fs:[00000030h] 5_2_00F96620
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F98620 mov eax, dword ptr fs:[00000030h] 5_2_00F98620
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F6262C mov eax, dword ptr fs:[00000030h] 5_2_00F6262C
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2619 mov eax, dword ptr fs:[00000030h] 5_2_00FA2619
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FDE609 mov eax, dword ptr fs:[00000030h] 5_2_00FDE609
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F7260B mov eax, dword ptr fs:[00000030h] 5_2_00F7260B
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F7260B mov eax, dword ptr fs:[00000030h] 5_2_00F7260B
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F7260B mov eax, dword ptr fs:[00000030h] 5_2_00F7260B
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F7260B mov eax, dword ptr fs:[00000030h] 5_2_00F7260B
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F7260B mov eax, dword ptr fs:[00000030h] 5_2_00F7260B
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F7260B mov eax, dword ptr fs:[00000030h] 5_2_00F7260B
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F7260B mov eax, dword ptr fs:[00000030h] 5_2_00F7260B
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F647FB mov eax, dword ptr fs:[00000030h] 5_2_00F647FB
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F647FB mov eax, dword ptr fs:[00000030h] 5_2_00F647FB
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F827ED mov eax, dword ptr fs:[00000030h] 5_2_00F827ED
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F827ED mov eax, dword ptr fs:[00000030h] 5_2_00F827ED
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F827ED mov eax, dword ptr fs:[00000030h] 5_2_00F827ED
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FEE7E1 mov eax, dword ptr fs:[00000030h] 5_2_00FEE7E1
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F6C7C0 mov eax, dword ptr fs:[00000030h] 5_2_00F6C7C0
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE07C3 mov eax, dword ptr fs:[00000030h] 5_2_00FE07C3
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F607AF mov eax, dword ptr fs:[00000030h] 5_2_00F607AF
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_0102866E mov eax, dword ptr fs:[00000030h] 5_2_0102866E
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_0102866E mov eax, dword ptr fs:[00000030h] 5_2_0102866E
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F68770 mov eax, dword ptr fs:[00000030h] 5_2_00F68770
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70770 mov eax, dword ptr fs:[00000030h] 5_2_00F70770
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70770 mov eax, dword ptr fs:[00000030h] 5_2_00F70770
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70770 mov eax, dword ptr fs:[00000030h] 5_2_00F70770
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70770 mov eax, dword ptr fs:[00000030h] 5_2_00F70770
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70770 mov eax, dword ptr fs:[00000030h] 5_2_00F70770
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70770 mov eax, dword ptr fs:[00000030h] 5_2_00F70770
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70770 mov eax, dword ptr fs:[00000030h] 5_2_00F70770
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70770 mov eax, dword ptr fs:[00000030h] 5_2_00F70770
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70770 mov eax, dword ptr fs:[00000030h] 5_2_00F70770
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70770 mov eax, dword ptr fs:[00000030h] 5_2_00F70770
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70770 mov eax, dword ptr fs:[00000030h] 5_2_00F70770
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F70770 mov eax, dword ptr fs:[00000030h] 5_2_00F70770
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FEE75D mov eax, dword ptr fs:[00000030h] 5_2_00FEE75D
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F60750 mov eax, dword ptr fs:[00000030h] 5_2_00F60750
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2750 mov eax, dword ptr fs:[00000030h] 5_2_00FA2750
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FA2750 mov eax, dword ptr fs:[00000030h] 5_2_00FA2750
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00FE4755 mov eax, dword ptr fs:[00000030h] 5_2_00FE4755
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9674D mov esi, dword ptr fs:[00000030h] 5_2_00F9674D
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9674D mov eax, dword ptr fs:[00000030h] 5_2_00F9674D
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Code function: 5_2_00F9674D mov eax, dword ptr fs:[00000030h] 5_2_00F9674D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe"
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Process created: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe "C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe"
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Queries volume information: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe VolumeInformation
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\906982022050120220531MES_S Quote.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 5.2.906982022050120220531MES_S Quote.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.906982022050120220531MES_S Quote.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2299717834.0000000000940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2299413776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.2.906982022050120220531MES_S Quote.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.906982022050120220531MES_S Quote.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2299717834.0000000000940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2299413776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos