Windows Analysis Report
Quote GVSE24-00815.exe

Overview

General Information

Sample name: Quote GVSE24-00815.exe
Analysis ID: 1561754
MD5: d04fe8d654f371aba620596e67963714
SHA1: 7e1ff1be9962bc31859cfc22757aad3df52ea193
SHA256: 9c9405332a044a5f3222dfc59bc8b36a4cd6fc4542c8651667aaf2101bb54ea8
Tags: exe, user-abuse_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.zqamcx.com", "Username": "servertwo@zqamcx.com", "Password": "Anambraeast@"}
Source: mail.zqamcx.com Virustotal: Detection: 13%
Source: Quote GVSE24-00815.exe ReversingLabs: Detection: 73%
Source: Quote GVSE24-00815.exe Virustotal: Detection: 74%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Quote GVSE24-00815.exe Joe Sandbox ML: detected
Source: Quote GVSE24-00815.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Quote GVSE24-00815.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match File source: 4.2.Quote GVSE24-00815.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.4:49737 -> 78.110.166.82:587
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: Joe Sandbox View IP Address: 78.110.166.82
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: mail.zqamcx.com
Source: Quote GVSE24-00815.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Quote GVSE24-00815.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: Quote GVSE24-00815.exe, 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.zqamcx.com
Source: Quote GVSE24-00815.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137921930.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4143010272.00000000068D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.i.lencr.org/0#
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137921930.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4143010272.00000000068D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.o.lencr.org0#
Source: Quote GVSE24-00815.exe, 00000000.00000002.1707813519.000000000279A000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quote GVSE24-00815.exe String found in binary or memory: http://tempuri.org/ianiDataSet.xsd
Source: Quote GVSE24-00815.exe String found in binary or memory: http://tempuri.org/ianiDataSet1.xsd
Source: Quote GVSE24-00815.exe String found in binary or memory: http://tempuri.org/ianiDataSet2.xsdM
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137921930.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137921930.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://zqamcx.com
Source: Quote GVSE24-00815.exe, 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: Quote GVSE24-00815.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, n00.cs .Net Code: O5ZNXKF
Source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack, n00.cs .Net Code: O5ZNXKF
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Quote GVSE24-00815.exe
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 4.2.Quote GVSE24-00815.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: Quote GVSE24-00815.exe Static PE information: invalid certificate
Source: Quote GVSE24-00815.exe, 00000000.00000002.1707813519.00000000027A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1714917912.0000000007210000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameOwfV.exe4 vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1707813519.000000000279A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamee33f29a3-d982-4bbb-b145-e4c33ad27d5d.exe4 vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713162820.0000000004F60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1706918857.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamee33f29a3-d982-4bbb-b145-e4c33ad27d5d.exe4 vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamee33f29a3-d982-4bbb-b145-e4c33ad27d5d.exe4 vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000004.00000002.4137861344.0000000000F39000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe Binary or memory string: OriginalFilenameOwfV.exe4 vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.2.Quote GVSE24-00815.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Quote GVSE24-00815.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, NpXw3kw.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, NpXw3kw.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, gyfrCFT5x9I.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, gyfrCFT5x9I.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, gyfrCFT5x9I.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, gyfrCFT5x9I.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, fpnV0Qjz.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, fpnV0Qjz.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, UjM08uKG4ajvp16R40.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, UjM08uKG4ajvp16R40.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs Security API names: _0020.SetAccessControl
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs Security API names: _0020.AddAccessRule
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs Security API names: _0020.SetAccessControl
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/6@3/2
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote GVSE24-00815.exe.log
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjgib2nb.30d.ps1
Source: Quote GVSE24-00815.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Quote GVSE24-00815.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO [dbo].[CREDIT_PLAN] ([CREDIT_ID], [MATURITY_DATE], [MATURITY_SUM], [MATURITY_NOTE], [MODIF_DATE]) VALUES (@CREDIT_ID, @MATURITY_DATE, @MATURITY_SUM, @MATURITY_NOTE, @MODIF_DATE);
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE], [INTEREST]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE, @INTEREST);
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE [dbo].[Login] SET [User_id] = @User_id, [User_pass] = @User_pass WHERE (([User_id] = @Original_User_id) AND ([User_pass] = @Original_User_pass));
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE [dbo].[CREDIT_PLAN] SET [CREDIT_ID] = @CREDIT_ID, [MATURITY_DATE] = @MATURITY_DATE, [MATURITY_SUM] = @MATURITY_SUM, [MATURITY_NOTE] = @MATURITY_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([MATURITY_ID] = @Original_MATURITY_ID) AND ((@IsNull_CREDIT_ID = 1 AND [CREDIT_ID] IS NULL) OR ([CREDIT_ID] = @Original_CREDIT_ID)) AND ([MATURITY_DATE] = @Original_MATURITY_DATE) AND ([MATURITY_SUM] = @Original_MATURITY_SUM) AND ((@IsNull_MATURITY_NOTE = 1 AND [MATURITY_NOTE] IS NULL) OR ([MATURITY_NOTE] = @Original_MATURITY_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO [dbo].[PROD_PERIODS] ([PROD_CODE], [PROD_PERIOD]) VALUES (@PROD_CODE, @PROD_PERIOD);
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE [dbo].[INTEREST] SET [PROD_CODE] = @PROD_CODE, [PROD_PERIOD] = @PROD_PERIOD, [SUM_FROM] = @SUM_FROM, [SUM_TO] = @SUM_TO WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_PERIOD] = @Original_PROD_PERIOD) AND ([SUM_FROM] = @Original_SUM_FROM) AND ([SUM_TO] = @Original_SUM_TO));
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE [dbo].[CREDIT] SET [CREDIT_NO] = @CREDIT_NO, [CREDIT_DATE] = @CREDIT_DATE, [CREDIT_PERIOD] = @CREDIT_PERIOD, [CREDIT_END_DATE] = @CREDIT_END_DATE, [CREDIT_BEGIN_DATE] = @CREDIT_BEGIN_DATE, [CLIENT_ID] = @CLIENT_ID, [PROD_CODE] = @PROD_CODE, [CREDIT_SUM] = @CREDIT_SUM, [CREDIT_NOTE] = @CREDIT_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([CREDIT_ID] = @Original_CREDIT_ID) AND ([CREDIT_NO] = @Original_CREDIT_NO) AND ((@IsNull_CREDIT_DATE = 1 AND [CREDIT_DATE] IS NULL) OR ([CREDIT_DATE] = @Original_CREDIT_DATE)) AND ([CREDIT_PERIOD] = @Original_CREDIT_PERIOD) AND ((@IsNull_CREDIT_END_DATE = 1 AND [CREDIT_END_DATE] IS NULL) OR ([CREDIT_END_DATE] = @Original_CREDIT_END_DATE)) AND ((@IsNull_CREDIT_BEGIN_DATE = 1 AND [CREDIT_BEGIN_DATE] IS NULL) OR ([CREDIT_BEGIN_DATE] = @Original_CREDIT_BEGIN_DATE)) AND ([CLIENT_ID] = @Original_CLIENT_ID) AND ((@IsNull_PROD_CODE = 1 AND [PROD_CODE] IS NULL) OR ([PROD_CODE] = @Original_PROD_CODE)) AND ([CREDIT_SUM] = @Original_CREDIT_SUM) AND ((@IsNull_CREDIT_NOTE = 1 AND [CREDIT_NOTE] IS NULL) OR ([CREDIT_NOTE] = @Original_CREDIT_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE [dbo].[CREDIT_PRODUCT] SET [PROD_NAME] = @PROD_NAME, [PROD_ACTIVE] = @PROD_ACTIVE, [PROD_SUM_FROM] = @PROD_SUM_FROM, [PROD_SUM_TO] = @PROD_SUM_TO, [MODIF_DATE] = @MODIF_DATE WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_NAME] = @Original_PROD_NAME) AND ([PROD_ACTIVE] = @Original_PROD_ACTIVE) AND ([PROD_SUM_FROM] = @Original_PROD_SUM_FROM) AND ([PROD_SUM_TO] = @Original_PROD_SUM_TO) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE);
Source: Quote GVSE24-00815.exe ReversingLabs: Detection: 73%
Source: Quote GVSE24-00815.exe Virustotal: Detection: 74%
Source: unknown Process created: C:\Users\user\Desktop\Quote GVSE24-00815.exe "C:\Users\user\Desktop\Quote GVSE24-00815.exe"
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Process created: C:\Users\user\Desktop\Quote GVSE24-00815.exe "C:\Users\user\Desktop\Quote GVSE24-00815.exe"
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: Quote GVSE24-00815.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Quote GVSE24-00815.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Quote GVSE24-00815.exe, InnerForm.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs .Net Code: CVZ6Zttube System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs .Net Code: CVZ6Zttube System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Code function: 0_2_04CAA05B push es; retf 0_2_04CAA062
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Code function: 0_2_04CAA058 push es; retf 0_2_04CAA05A
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Code function: 0_2_04CA9ED7 push es; retf 0_2_04CA9EDA
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Code function: 0_2_04CA9E68 push es; retf 0_2_04CA9E72
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Code function: 0_2_06E5AF68 pushfd ; retn 5504h 0_2_06E5B696
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Code function: 4_2_02D00610 push edx; ret 4_2_02D0061A
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Code function: 4_2_02D0061B push edx; ret 4_2_02D0061A
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Code function: 4_2_02D00828 push edx; ret 4_2_02D00846
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Code function: 4_2_02D0F9B8 push edx; ret 4_2_02D0F9C6
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Code function: 4_2_069C7782 push es; ret 4_2_069C7790
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Code function: 4_2_06A24240 pushfd ; ret 4_2_06A24285
Source: Quote GVSE24-00815.exe Static PE information: section name: .text entropy: 7.52645497703216
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, udp8Y54h5tL0mZ8Mad.cs High entropy of concatenated method names: 'xo53mFR5Pb', 'Dl13xRMVb9', 'Aiu31rKNWY', 'CaZ3tgmlia', 'MIJ3BiytcU', 'DgZ3n3ompG', 'wt232G3qko', 'spd3sNyUyZ', 'V493vYIhO4', 'nl93M2bppV'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, wKjoyMa13ZFUm17qsv.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'JB3G4aRqMH', 'lDFGcfxEnT', 'ivrGzpxNv3', 'WaE9UJD666', 'nna9QuYksT', 'SHv9GlqZ1d', 'cpS993OTdQ', 'u79KBkcchGK97Or60Bo'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, eDGCCDzpNSnLU0NOIS.cs High entropy of concatenated method names: 'QsiyT9NHki', 'ziMyKBAVuD', 'HFyyuc9VMd', 'hQsymKSObc', 'aJByxUoYU7', 'wdgytfcT9s', 'QL0yB3L1Bb', 'TWXyYCOOfn', 'nWxyjwdoEb', 'r9uyFHKL9n'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, nrLAxkVO6F2gBrQSmN.cs High entropy of concatenated method names: 'Dispose', 'bnfQ4KQPt3', 'TCBGx687bB', 'NMBvt5KyGc', 'jXJQcONtUx', 'I86QzibNLU', 'ProcessDialogKey', 'jAqGUdp8Y5', 'S5tGQL0mZ8', 'OadGG8sAfy'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, nsAfyYcOq9jOlSjV4n.cs High entropy of concatenated method names: 'ReLyaLkipa', 'KAlyRpcIXU', 'RjdyIoyZWO', 'BNqyiTreMA', 'xumy3la7xW', 'BOYykDFbPT', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, oNX8UtW5SQnfKQPt3I.cs High entropy of concatenated method names: 'wAi3L3VHvJ', 'bbc3DFxHyT', 'i2C33kMEMJ', 'cC83lPZvLG', 'kH33gIfDZk', 'u7I3YHX1oD', 'Dispose', 'LkL0CYEyED', 'oE60Vl0Knd', 'J9Z0aqADwb'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, CYyUhDHuwnyg49OWYm.cs High entropy of concatenated method names: 'VxcDJlxpP7', 'xMFD7h8b70', 'ToString', 'KlZDCkIhyO', 'XeSDVSOFJc', 'f06Dai8416', 'Mu8DRKcbWW', 'ra9DI5wi1l', 'uvGDiwvFkC', 'h00DkYZpiV'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, yJ3SUFudKvLKAR53HS.cs High entropy of concatenated method names: 'dEIaP0pJZ0', 'jQqaT55VeD', 'F1oaKOKLeo', 'pykauXSrbf', 'DyqaLT9sA8', 'YKKablUXcb', 'TdPaDhsorc', 'f5Sa0jZrAf', 'Ct3a3Bt4K4', 'CJLayYrrnv'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, xewm1LfuAOibrAUReG.cs High entropy of concatenated method names: 'Fb7DplFtte', 'AKHDcfDift', 'RNt0UBoHcN', 'V9F0QTnVUk', 'nVyD5eXohK', 'Y9EDSUV1rw', 'qZBDdcCrm4', 'PwUDejZ7eE', 'mesDh2O0Zh', 'SZqDOuf8sm'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, Qp49reO0iYlVrX1hL0.cs High entropy of concatenated method names: 'ToString', 'Qk4b58HrGt', 'b6abxVNLZs', 'LRSb1EjhUO', 'CoUbtbOFuN', 'X2SbBUEmxE', 'a4PbnEe9up', 'SeUb2YNxqC', 'PtZbsf1nFb', 'kS5bvAW5Lj'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, cxIuTXvufT3YjfmZai.cs High entropy of concatenated method names: 'bWEijKHDVE', 'xs5iFcjDTa', 'HCriZ4qt7H', 'VA9iPDxI05', 'tx1irvc88c', 'jH6iTUZGXp', 'vQSiNDN6CH', 'f63iKvKKHb', 'xGKiu0cbWf', 'jBwiAaNP3C'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, p6cOn4QUBKJCgoeIhgy.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't86y5udrZa', 'w9IyS13XoS', 'OA9ydxH77G', 'TmKyeD8M25', 'sxxyhE8WOy', 'kU2yOim9mF', 'r3dyHpanPw'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, bK4b3KAvZGw9eMXbdL.cs High entropy of concatenated method names: 'YpJRrcd4GY', 'RQ7RN7hcHR', 'NyHa1nqHUp', 'fHRatAFDfy', 'TKraBULGhK', 'HBCanIndOn', 'y9ra2JKRNb', 'RUXask2ApG', 'zwyavcPviJ', 'jgNaMTHdcb'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, Qlb0EcQG6HwJhj28G0A.cs High entropy of concatenated method names: 'ToString', 'L4SlKLMYie', 'oVUlu27DGe', 'BaRlALOFbo', 'b2WlmNVPEv', 'Hemlxp5rUS', 'utHl1rljJ8', 'LwqltXxMPH', 'PeTQASNmpOlUwN9cZI3', 'yc6TtRNs932U9Xi96LT'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, GaO88nQQyuNgJMDLivT.cs High entropy of concatenated method names: 'USTycolJgX', 'VNsyz7v9J4', 'BMXlUMxTob', 'snClQL8bMn', 'WSUlG6wtni', 'awGl9twXtW', 'Iy6l6x3nWw', 'SGSlwDr7Pm', 'eEllCgy6Qn', 'jDylVUnImd'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, XlB4bpGkjFAiOUtBKw.cs High entropy of concatenated method names: 'fkmZ1S6X1', 'uLZP8xli0', 'PtdTBuhEC', 'zCxNCt6Gb', 'fxfuTUioG', 'zunAlIZOQ', 'qdAFn5sGP79qtQGeOI', 'jiwXfa9uQgjy1ChERP', 'qXr08JABP', 'NlKyIcG21'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, aqWHQt2o2GTW94fMH6.cs High entropy of concatenated method names: 'FEiiC9BgTS', 'hhsia0VJeq', 'EbqiICyYST', 'JqcIciBaNm', 'G5BIzGd5Fd', 'sbgiUbtJXk', 'GfViQT7ccy', 'NEviGUbAfO', 'RXui9uZEwJ', 'RYSi6jwwAj'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, mVrobKdKMaMT4VBm14.cs High entropy of concatenated method names: 'iM28KdCKKW', 'oa08uv7eUt', 'oih8m9F332', 'n6k8xX72Mu', 'ydC8t4DvNl', 'Cj48BZ3OqH', 'CPK82ttQ5M', 'eio8sUVw4G', 'kQT8MAdBN0', 'Xlo85xYmdR'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, S3SW7Nm5yZfAI7L9f4.cs High entropy of concatenated method names: 'a7DIwgSEJb', 'sdyIV16KIl', 'FIUIR8r8Qa', 'De0Ii9CEg7', 'BeZIkQIMlL', 'iLXRExSCIU', 'RotRf0II9v', 'IqWRWQaJ4N', 'NbARpvdTjn', 'L6UR4GRTpc'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, RZR926Q6EssYSwiVRUZ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oQmq3rrYCt', 'FXDqyRKprj', 'ptHqlfpm0P', 'kLRqqHZjXY', 'tlOqg45ZOR', 'A3ZqXVI5Ho', 'HGiqYkE6gT'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs High entropy of concatenated method names: 'fJh9wZ4UQZ', 'ECb9Cu9m0R', 'QmA9VsSZ5l', 'b4G9alyvVG', 'SlP9RWgSB6', 'Yo49I31oBH', 'nkh9iiIphg', 'OBQ9kZgp4O', 'bC59oHNbj3', 'jgM9JSA0NY'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, UjM08uKG4ajvp16R40.cs High entropy of concatenated method names: 'WV8Veu8y1s', 'rF5Vheso9s', 'kLTVODKD55', 'KTwVHprYHq', 'e6iVE2obgH', 'Hw2VfDSQ6x', 'O9FVWcGG7Z', 'OZfVpAwcm6', 'NJdV4gj3Bu', 'FJMVckNOMe'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, Tj4hrN6Og75w16Grr1.cs High entropy of concatenated method names: 'W9EQijM08u', 'b4aQkjvp16', 'ydKQJvLKAR', 'O3HQ7SQK4b', 'NXbQLdLO3S', 'W7NQb5yZfA', 'Bw0vOUqBHw97S38uAc', 'e0t0XPwWN6xxjDXGKs', 'oJ4QQIG98E', 'cuKQ9RKkIo'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, udp8Y54h5tL0mZ8Mad.cs High entropy of concatenated method names: 'xo53mFR5Pb', 'Dl13xRMVb9', 'Aiu31rKNWY', 'CaZ3tgmlia', 'MIJ3BiytcU', 'DgZ3n3ompG', 'wt232G3qko', 'spd3sNyUyZ', 'V493vYIhO4', 'nl93M2bppV'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, wKjoyMa13ZFUm17qsv.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'JB3G4aRqMH', 'lDFGcfxEnT', 'ivrGzpxNv3', 'WaE9UJD666', 'nna9QuYksT', 'SHv9GlqZ1d', 'cpS993OTdQ', 'u79KBkcchGK97Or60Bo'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, eDGCCDzpNSnLU0NOIS.cs High entropy of concatenated method names: 'QsiyT9NHki', 'ziMyKBAVuD', 'HFyyuc9VMd', 'hQsymKSObc', 'aJByxUoYU7', 'wdgytfcT9s', 'QL0yB3L1Bb', 'TWXyYCOOfn', 'nWxyjwdoEb', 'r9uyFHKL9n'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, nrLAxkVO6F2gBrQSmN.cs High entropy of concatenated method names: 'Dispose', 'bnfQ4KQPt3', 'TCBGx687bB', 'NMBvt5KyGc', 'jXJQcONtUx', 'I86QzibNLU', 'ProcessDialogKey', 'jAqGUdp8Y5', 'S5tGQL0mZ8', 'OadGG8sAfy'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, nsAfyYcOq9jOlSjV4n.cs High entropy of concatenated method names: 'ReLyaLkipa', 'KAlyRpcIXU', 'RjdyIoyZWO', 'BNqyiTreMA', 'xumy3la7xW', 'BOYykDFbPT', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, oNX8UtW5SQnfKQPt3I.cs High entropy of concatenated method names: 'wAi3L3VHvJ', 'bbc3DFxHyT', 'i2C33kMEMJ', 'cC83lPZvLG', 'kH33gIfDZk', 'u7I3YHX1oD', 'Dispose', 'LkL0CYEyED', 'oE60Vl0Knd', 'J9Z0aqADwb'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, CYyUhDHuwnyg49OWYm.cs High entropy of concatenated method names: 'VxcDJlxpP7', 'xMFD7h8b70', 'ToString', 'KlZDCkIhyO', 'XeSDVSOFJc', 'f06Dai8416', 'Mu8DRKcbWW', 'ra9DI5wi1l', 'uvGDiwvFkC', 'h00DkYZpiV'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, yJ3SUFudKvLKAR53HS.cs High entropy of concatenated method names: 'dEIaP0pJZ0', 'jQqaT55VeD', 'F1oaKOKLeo', 'pykauXSrbf', 'DyqaLT9sA8', 'YKKablUXcb', 'TdPaDhsorc', 'f5Sa0jZrAf', 'Ct3a3Bt4K4', 'CJLayYrrnv'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, xewm1LfuAOibrAUReG.cs High entropy of concatenated method names: 'Fb7DplFtte', 'AKHDcfDift', 'RNt0UBoHcN', 'V9F0QTnVUk', 'nVyD5eXohK', 'Y9EDSUV1rw', 'qZBDdcCrm4', 'PwUDejZ7eE', 'mesDh2O0Zh', 'SZqDOuf8sm'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, Qp49reO0iYlVrX1hL0.cs High entropy of concatenated method names: 'ToString', 'Qk4b58HrGt', 'b6abxVNLZs', 'LRSb1EjhUO', 'CoUbtbOFuN', 'X2SbBUEmxE', 'a4PbnEe9up', 'SeUb2YNxqC', 'PtZbsf1nFb', 'kS5bvAW5Lj'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, cxIuTXvufT3YjfmZai.cs High entropy of concatenated method names: 'bWEijKHDVE', 'xs5iFcjDTa', 'HCriZ4qt7H', 'VA9iPDxI05', 'tx1irvc88c', 'jH6iTUZGXp', 'vQSiNDN6CH', 'f63iKvKKHb', 'xGKiu0cbWf', 'jBwiAaNP3C'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, p6cOn4QUBKJCgoeIhgy.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't86y5udrZa', 'w9IyS13XoS', 'OA9ydxH77G', 'TmKyeD8M25', 'sxxyhE8WOy', 'kU2yOim9mF', 'r3dyHpanPw'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, bK4b3KAvZGw9eMXbdL.cs High entropy of concatenated method names: 'YpJRrcd4GY', 'RQ7RN7hcHR', 'NyHa1nqHUp', 'fHRatAFDfy', 'TKraBULGhK', 'HBCanIndOn', 'y9ra2JKRNb', 'RUXask2ApG', 'zwyavcPviJ', 'jgNaMTHdcb'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, Qlb0EcQG6HwJhj28G0A.cs High entropy of concatenated method names: 'ToString', 'L4SlKLMYie', 'oVUlu27DGe', 'BaRlALOFbo', 'b2WlmNVPEv', 'Hemlxp5rUS', 'utHl1rljJ8', 'LwqltXxMPH', 'PeTQASNmpOlUwN9cZI3', 'yc6TtRNs932U9Xi96LT'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, GaO88nQQyuNgJMDLivT.cs High entropy of concatenated method names: 'USTycolJgX', 'VNsyz7v9J4', 'BMXlUMxTob', 'snClQL8bMn', 'WSUlG6wtni', 'awGl9twXtW', 'Iy6l6x3nWw', 'SGSlwDr7Pm', 'eEllCgy6Qn', 'jDylVUnImd'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, XlB4bpGkjFAiOUtBKw.cs High entropy of concatenated method names: 'fkmZ1S6X1', 'uLZP8xli0', 'PtdTBuhEC', 'zCxNCt6Gb', 'fxfuTUioG', 'zunAlIZOQ', 'qdAFn5sGP79qtQGeOI', 'jiwXfa9uQgjy1ChERP', 'qXr08JABP', 'NlKyIcG21'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, aqWHQt2o2GTW94fMH6.cs High entropy of concatenated method names: 'FEiiC9BgTS', 'hhsia0VJeq', 'EbqiICyYST', 'JqcIciBaNm', 'G5BIzGd5Fd', 'sbgiUbtJXk', 'GfViQT7ccy', 'NEviGUbAfO', 'RXui9uZEwJ', 'RYSi6jwwAj'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, mVrobKdKMaMT4VBm14.cs High entropy of concatenated method names: 'iM28KdCKKW', 'oa08uv7eUt', 'oih8m9F332', 'n6k8xX72Mu', 'ydC8t4DvNl', 'Cj48BZ3OqH', 'CPK82ttQ5M', 'eio8sUVw4G', 'kQT8MAdBN0', 'Xlo85xYmdR'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, S3SW7Nm5yZfAI7L9f4.cs High entropy of concatenated method names: 'a7DIwgSEJb', 'sdyIV16KIl', 'FIUIR8r8Qa', 'De0Ii9CEg7', 'BeZIkQIMlL', 'iLXRExSCIU', 'RotRf0II9v', 'IqWRWQaJ4N', 'NbARpvdTjn', 'L6UR4GRTpc'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, RZR926Q6EssYSwiVRUZ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oQmq3rrYCt', 'FXDqyRKprj', 'ptHqlfpm0P', 'kLRqqHZjXY', 'tlOqg45ZOR', 'A3ZqXVI5Ho', 'HGiqYkE6gT'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs High entropy of concatenated method names: 'fJh9wZ4UQZ', 'ECb9Cu9m0R', 'QmA9VsSZ5l', 'b4G9alyvVG', 'SlP9RWgSB6', 'Yo49I31oBH', 'nkh9iiIphg', 'OBQ9kZgp4O', 'bC59oHNbj3', 'jgM9JSA0NY'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, UjM08uKG4ajvp16R40.cs High entropy of concatenated method names: 'WV8Veu8y1s', 'rF5Vheso9s', 'kLTVODKD55', 'KTwVHprYHq', 'e6iVE2obgH', 'Hw2VfDSQ6x', 'O9FVWcGG7Z', 'OZfVpAwcm6', 'NJdV4gj3Bu', 'FJMVckNOMe'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, Tj4hrN6Og75w16Grr1.cs High entropy of concatenated method names: 'W9EQijM08u', 'b4aQkjvp16', 'ydKQJvLKAR', 'O3HQ7SQK4b', 'NXbQLdLO3S', 'W7NQb5yZfA', 'Bw0vOUqBHw97S38uAc', 'e0t0XPwWN6xxjDXGKs', 'oJ4QQIG98E', 'cuKQ9RKkIo'

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Quote GVSE24-00815.exe PID: 6260, type: MEMORYSTR
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: Quote GVSE24-00815.exe, 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Memory allocated: D90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Memory allocated: 2740000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Memory allocated: 7610000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Memory allocated: 8610000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Memory allocated: 87C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Memory allocated: 97C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Memory allocated: 2E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Memory allocated: 4E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7326
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2336
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Window / User API: threadDelayed 1344
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Window / User API: threadDelayed 8512
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 2172 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7280 Thread sleep count: 1344 > 30
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7280 Thread sleep count: 8512 > 30
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -98766s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -98437s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -98328s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -98218s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -98109s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -97890s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -97781s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -97672s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -97547s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -97437s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -97328s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -97219s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -97094s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -96875s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -96766s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -96656s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -96547s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -96435s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -96328s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -96219s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -96109s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -96000s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -95888s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -95781s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -95672s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -95562s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -95453s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -95344s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -95234s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -95125s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -95016s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -94906s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -94797s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -94687s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276 Thread sleep time: -94578s >= -30000s
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 99875
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 99766
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 99656
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 99547
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 99437
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 99328
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 99219
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 99094
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 98984
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 98875
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 98766
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 98656
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 98547
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 98437
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 98328
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 98218
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 98109
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 98000
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 97890
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 97781
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 97672
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 97547
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 97437
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 97328
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 97219
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 97094
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 96984
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 96875
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 96766
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 96656
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 96547
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 96435
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 96328
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 96219
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 96109
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 96000
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 95888
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 95781
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 95672 Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 95562 Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 95453 Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 95344 Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 95234 Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 95125 Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 95016 Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 94906 Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 94797 Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 94687 Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Thread delayed: delay time: 94578 Jump to behavior
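The delay series above, read by a short triage script. This is an added example and not part of the sandbox report: it parses rows in the report's own "Thread delayed: delay time: N" format, treats the values as milliseconds (an assumption, since the report does not state the unit), flags 922337203685477 as the .NET TimeSpan.MaxValue sentinel, and collapses a descending run such as 100000, 99875, 99766, ... into a single wait so the total sleep budget is not over-counted. The sample rows are constructed from the values in the report; the path in them is a placeholder.

```python
"""Triage helper for the 'Thread delayed' rows of a sandbox report (added example).

Parses rows of the form 'Source: <path> Thread delayed: delay time: <n>',
assumes the values are milliseconds, flags the .NET TimeSpan.MaxValue sentinel
and collapses countdown runs (one wait re-issued with its remaining time).
"""
import re
from dataclasses import dataclass

# TimeSpan.MaxValue.Ticks // 10_000: ticks are 100 ns, so this is milliseconds.
DOTNET_TIMESPAN_MAX_MS = 9223372036854775807 // 10_000   # 922337203685477

ROW_RE = re.compile(r"Thread delayed: delay time: (\d+)")

# Constructed sample rows: the sentinel plus the start of the countdown seen in the report.
SAMPLE_ROWS = [
    "Source: C:\\Users\\user\\Desktop\\sample.exe Thread delayed: delay time: 922337203685477",
    "Source: C:\\Users\\user\\Desktop\\sample.exe Thread delayed: delay time: 100000",
    "Source: C:\\Users\\user\\Desktop\\sample.exe Thread delayed: delay time: 99875",
    "Source: C:\\Users\\user\\Desktop\\sample.exe Thread delayed: delay time: 99766",
    "Source: C:\\Users\\user\\Desktop\\sample.exe Thread delayed: delay time: 99656",
    "Source: C:\\Users\\user\\Desktop\\sample.exe Thread delayed: delay time: 99547",
]


@dataclass
class SleepSummary:
    calls: int
    sentinel_calls: int        # waits equal to TimeSpan.MaxValue (effectively infinite)
    naive_total_ms: int        # sum of every finite delay exactly as logged
    countdown_runs: list       # (first_ms, last_ms, calls) for each re-armed wait
    effective_total_ms: int    # each run counted once, at its first (largest) value


def parse_delays(rows):
    """Extract the integer delay from each matching row, in report order."""
    delays = []
    for row in rows:
        m = ROW_RE.search(row)
        if m:
            delays.append(int(m.group(1)))
    return delays


def summarize(delays, max_step_ms=1000):
    """Collapse strictly decreasing neighbours (step <= max_step_ms) into one wait.

    A loop that sleeps for the *remaining* time of a single long wait logs a
    descending series; adding those rows up overstates the real delay.
    """
    finite = [d for d in delays if d < DOTNET_TIMESPAN_MAX_MS]
    sentinel = len(delays) - len(finite)
    runs = []
    i = 0
    while i < len(finite):
        j = i
        while j + 1 < len(finite) and 0 < finite[j] - finite[j + 1] <= max_step_ms:
            j += 1
        runs.append((finite[i], finite[j], j - i + 1))
        i = j + 1
    countdowns = [r for r in runs if r[2] > 1]
    effective = sum(r[0] for r in runs)
    return SleepSummary(len(delays), sentinel, sum(finite), countdowns, effective)


if __name__ == "__main__":
    s = summarize(parse_delays(SAMPLE_ROWS))
    print(f"{s.calls} calls, {s.sentinel_calls} infinite, naive {s.naive_total_ms} ms, "
          f"effective ~{s.effective_total_ms} ms, countdowns {s.countdown_runs}")
```

Run against the full 51 rows the naive sum is several million milliseconds, while the countdown-aware figure is one 100-second wait plus one unbounded wait, which is the number that matters when deciding whether the sandbox run-time was long enough to see the payload.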
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: Quote GVSE24-00815.exe, 00000004.00000002.4137921930.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Quote GVSE24-00815.exe, 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Code function: 4_2_02D071D8 CheckRemoteDebuggerPresent, 4_2_02D071D8
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Memory allocated: page read and write | page guard
Note: the DebugPort query is the NtQueryInformationProcess(ProcessDebugPort) call that CheckRemoteDebuggerPresent makes internally, so the first two rows describe one check; a debugger or analysis harness hides from it by returning 0 for that information class.

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe"
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe"
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Memory written: C:\Users\user\Desktop\Quote GVSE24-00815.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe"
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Process created: C:\Users\user\Desktop\Quote GVSE24-00815.exe "C:\Users\user\Desktop\Quote GVSE24-00815.exe"
Note: the command line names System32\WindowsPowerShell\v1.0\powershell.exe but the image that actually runs is the SysWOW64 copy: the parent is a 32-bit process, so WOW64 file-system redirection maps the System32 path to SysWOW64. The exclusion covers only the sample's own path on the desktop, after which Defender no longer scans that file; during response it has to be removed again (Remove-MpPreference -ExclusionPath) rather than just the file deleted. The "Memory written ... base: 400000 value starts with: 4D5A" row is a PE image (MZ header) being written into the suspended child copy of the sample, i.e. the injection step that follows the self-spawn on the last row.
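A detection for the exclusion-tampering launch above. This is an added example, not code from the report or from the sandbox vendor: it runs over constructed process-creation events shaped like Sysmon Event ID 1 / Security 4688 fields (Image, ParentImage, CommandLine), and flags Add-MpPreference or Set-MpPreference calls that add exclusions both in clear text, as seen here, and behind -EncodedCommand (UTF-16LE base64), which is the variant the "Base64 Encoded MpPreference Cmdlet" Sigma signature in the overview targets. The event dictionaries and the second and third command lines are constructed; only the first is modelled on the launch recorded above.

```python
"""Detection for Windows Defender exclusion tampering via PowerShell (added example).

Runs over constructed process-creation events (Sysmon EID 1 / 4688-style
fields) and flags Add-/Set-MpPreference calls that add exclusions, in clear
text or behind -EncodedCommand.
"""
import base64
import re

# Cmdlets and parameters that widen Defender's blind spot.
MP_CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Process|Extension|IpAddress)\b", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(
    r"-(e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE)
# Value after an -Exclusion* switch: double-quoted, single-quoted, or bare.
EXCL_VALUE_RE = re.compile(r"-Exclusion\w+\s+(?:\"([^\"]+)\"|'([^']+)'|(\S+))", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def effective_script(cmdline):
    """What PowerShell will actually run: the decoded payload if present, else the command line."""
    decoded = decode_encoded_command(cmdline)
    return decoded if decoded is not None else cmdline


def excluded_values(script):
    """Every path/process/extension/IP handed to an -Exclusion* switch."""
    return [g1 or g2 or g3 for g1, g2, g3 in EXCL_VALUE_RE.findall(script)]


def is_exclusion_tamper(event):
    """True when a powershell.exe/pwsh.exe launch adds or sets a Defender exclusion."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return False
    script = effective_script(event.get("CommandLine", ""))
    return bool(MP_CMDLET_RE.search(script) and EXCLUSION_RE.search(script))


def triage(events):
    """One finding per tampering event: parent, decoded script and the exclusions to undo."""
    findings = []
    for ev in events:
        if is_exclusion_tamper(ev):
            cmdline = ev.get("CommandLine", "")
            script = effective_script(cmdline)
            findings.append({
                "parent": ev.get("ParentImage", ""),
                "script": script,
                "encoded": decode_encoded_command(cmdline) is not None,
                "exclusions": excluded_values(script),
            })
    return findings


def _b64_utf16(script):
    """Encode a script the way PowerShell expects for -EncodedCommand (test-data helper)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed events: the clear-text launch from this report, an encoded variant of
# the same technique, and a benign read-only query for contrast.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\Quote GVSE24-00815.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\stage2.exe",
     "CommandLine": "powershell.exe -NoP -w hidden -enc "
                    + _b64_utf16(r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"')},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-MpPreference | Select-Object ExclusionPath"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['parent']} -> exclusions {f['exclusions']} (encoded={f['encoded']})")
```

The parent image is kept in each finding on purpose: an exclusion added by a process launched from a user's Desktop or Temp directory, as here, is a much stronger signal than the same cmdlet run from a management agent, and the list of excluded values is exactly what has to be reverted after containment.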
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Queries volume information: C:\Users\user\Desktop\Quote GVSE24-00815.exe VolumeInformation
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Queries volume information: C:\Windows\Fonts\<font file> VolumeInformation, for the following files (repeated queries for the same file collapsed): bahnschrift.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf, Candara.ttf, Candaral.ttf, Candarai.ttf, Candarali.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbell.ttf, corbeli.ttf, corbelli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf, LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf, msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc, mvboli.ttf, mmrtext.ttf, mmrtextb.ttf, Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf, segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, seguihis.ttf, simsun.ttc, simsunb.ttf, Sitka.ttc, SitkaI.ttc, SitkaB.ttc, SitkaZ.ttc, sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf, timesi.ttf, timesbd.ttf, trebucit.ttf, trebucbd.ttf, trebucbi.ttf, verdana.ttf, verdanai.ttf, verdanab.ttf, verdanaz.ttf, webdings.ttf, wingding.ttf, YuGothR.ttc, YuGothM.ttc, YuGothL.ttc, YuGothB.ttc, holomdl2.ttf, AGENCYR.TTF, ALGER.TTF, ANTQUABI.TTF, BELLI.TTF, BELLB.TTF, BOD_R.TTF, BOD_CR.TTF, BOD_PSTC.TTF, BOOKOS.TTF, BOOKOSB.TTF, BOOKOSI.TTF, BOOKOSBI.TTF, BRADHITC.TTF, BRLNSR.TTF, CALIFI.TTF, CALISTBI.TTF, COOPBL.TTF, ENGR.TTF, FRABKIT.TTF, FREESCPT.TTF, FRSCRIPT.TTF, FTLTLT.TTF, GARAIT.TTF, GIL_____.TTF, GILI____.TTF, GILBI___.TTF, HATTEN.TTF, ITCBLKAD.TTF, ITCEDSCR.TTF, LEELAWDB.TTF, LSANSDI.TTF, PER_____.TTF, PERI____.TTF, OFFSYML.TTF, OFFSYMB.TTF
Note: this run of font-file queries is the GDI+/System.Drawing font enumeration that a .NET WinForms process performs the first time it touches fonts (System.Windows.Forms.dll and System.Drawing.dll are loaded just above). On its own it carries no evasion or collection meaning and can be filtered out of the timeline when triaging; the rows worth attention in this section are the volume queries against the sample's own image and the PowerShell child.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (queried three times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (queried twice)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Note: the catalog (.cat) and module queries from the PowerShell child are consistent with PowerShell's own startup (signature-catalog checks and module autoloading for the Group Policy, AppV and CIM modules) rather than with anything the Add-MpPreference command itself does; the attacker-controlled part of that process is the single cmdlet on its command line.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Queries volume information: C:\Users\user\Desktop\Quote GVSE24-00815.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 4.2.Quote GVSE24-00815.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4139084542.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4139084542.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quote GVSE24-00815.exe PID: 6260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Quote GVSE24-00815.exe PID: 3732, type: MEMORYSTR
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 4.2.Quote GVSE24-00815.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quote GVSE24-00815.exe PID: 6260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Quote GVSE24-00815.exe PID: 3732, type: MEMORYSTR
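
The file and registry accesses listed in this section (Chrome and Edge Login Data, the profiles.ini of Firefox, Cyberfox and BlackHawk, FTP Navigator's Ftplist.txt, the WinSCP 2 Sessions key, Thunderbird, the legacy Outlook/MAPI profile store under Windows Messaging Subsystem, and IncrediMail identities) are the raw evidence behind the report's "Tries to harvest and steal ..." signatures. The Python below is an added example, not part of this report or of Joe Sandbox: it parses behaviour lines in the layout used on this page, maps each opened file or key to a credential-store category, and returns a harvesting verdict once more than one category is touched. The category patterns, the two-category threshold and the function names are my own choices (assumptions); the sample lines are copied from this section, plus one benign font query from earlier in the report to show a non-match.

```python
import re

# Behaviour lines in the layout this report uses. The credential-store
# accesses are copied from the report's list above; the last line is a
# benign font query from the same report, kept to show a non-match.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
"""

# One line is "Source: <process> <operation>: <target>", optionally followed
# by the report's "VolumeInformation" column and the "Jump to behavior"
# link text that web extraction leaves on each line.
EVENT_RE = re.compile(
    r"^Source: (?P<proc>.+?) "
    r"(?P<op>File opened|Key opened|Queries volume information): "
    r"(?P<target>.+?)(?: VolumeInformation)?(?: Jump to behavior)?$"
)

# Credential stores keyed by the category the report's signatures use.
# The patterns are my own (assumption), written against the paths above.
CREDENTIAL_STORES = {
    "browser": [
        r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\Login Data$",
        r"\\(Mozilla\\Firefox|8pecxstudios\\Cyberfox|NETGATE Technologies\\BlackHawk)\\profiles\.ini$",
    ],
    "ftp_client": [
        r"\\FTP Navigator\\Ftplist\.txt$",
        r"\\Martin Prikryl\\WinSCP 2\\Sessions$",
    ],
    "mail_client": [
        r"\\Thunderbird\\profiles\.ini$",
        r"\\Windows Messaging Subsystem\\Profiles$",  # legacy Outlook/MAPI profiles
        r"\\IncrediMail\\Identities$",
    ],
}


def parse_events(text):
    """Turn report lines into {proc, op, target} dicts; skip other lines."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(events, stores=CREDENTIAL_STORES):
    """Map each opened file/key to a store category: {category: [targets]}.
    Volume queries and unknown paths are ignored; a target counts once."""
    hits = {}
    for ev in events:
        if ev["op"] not in ("File opened", "Key opened"):
            continue
        for category, patterns in stores.items():
            if any(re.search(p, ev["target"], re.IGNORECASE) for p in patterns):
                targets = hits.setdefault(category, [])
                if ev["target"] not in targets:
                    targets.append(ev["target"])
                break
    return hits


def is_credential_harvesting(hits, min_categories=2):
    """Touching two or more store categories (browsers plus an FTP client,
    say) is stealer behaviour rather than an application reading its own
    settings. The threshold is my choice."""
    return len(hits) >= min_categories


if __name__ == "__main__":
    hits = classify(parse_events(SAMPLE_LINES))
    for category, targets in hits.items():
        print(f"{category}: {len(targets)} store(s)")
        for t in targets:
            print(f"  {t}")
    print("credential harvesting:", is_credential_harvesting(hits))
```

Run against the lines above it reports five browser stores, two FTP clients and three mail stores and returns a positive verdict; the font query parses but is ignored. Extending the pattern table is how you would teach it the other stores AgentTesla-family samples typically touch; the parser itself does not change.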

Remote Access Functionality

Source: Yara match File source: 4.2.Quote GVSE24-00815.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4139084542.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4139084542.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quote GVSE24-00815.exe PID: 6260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Quote GVSE24-00815.exe PID: 3732, type: MEMORYSTR
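
Every "Yara match File source" in this section, and in the "Stealing of Sensitive Information" section above, is one of three identifier kinds: an unpacked PE carved from a process (`4.2.Quote GVSE24-00815.exe.400000.0.unpack`), a memory-dump file (`....sdmp`), or a whole process memory space named by PID. The Python below is an added example, not part of this report or of Joe Sandbox. It parses the three forms and decodes the two `.sdmp` fields whose values line up with the winnt.h constants: the fifth field as the page protection (0x04 PAGE_READWRITE, 0x40 PAGE_EXECUTE_READWRITE) and the seventh as the region type (0x20000 MEM_PRIVATE). That field layout is inferred from the identifiers on this page and is an assumption; the other numeric fields are left undecoded. The triage point it makes visible: of the five dumps matched here, only `...0000000000402000.00000040...` in process 4 is executable private memory, the same region the unpacked PE at 0x400000 in process 4 was carved from, while the other four are plain read-write regions.

```python
import re

# Memory protection and region type constants from winnt.h.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# .sdmp layout as inferred from this report (assumption): process index,
# phase, dump id, base address, protection, <undecoded>, region type,
# <undecoded>. Only protection and region type are interpreted.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.[0-9a-f]{8}\."
    r"(?P<mtype>[0-9a-f]{8})\.[0-9a-f]{8}\.sdmp$", re.IGNORECASE)
# "<proc>.<phase>.<image>.<base>.<n>[.raw].unpack"; the image name can
# contain dots, so the tail is anchored on the hex base and the index.
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+)\.(?P<base>[0-9a-f]+)\."
    r"(?P<idx>\d+)\.(?P<raw>raw\.)?unpack$", re.IGNORECASE)
PROCMEM_RE = re.compile(r"^Process Memory Space: (?P<image>.+) PID: (?P<pid>\d+)$")


def parse_yara_source(source):
    """Describe one 'Yara match File source' identifier as a dict."""
    m = SDMP_RE.match(source)
    if m:
        protect, mtype = int(m["protect"], 16), int(m["mtype"], 16)
        return {
            "kind": "memory_dump", "proc": int(m["proc"], 16),
            "base": int(m["base"], 16),
            "protect_name": PAGE_PROTECT.get(protect & 0xFF, f"0x{protect:x}"),
            "executable": bool(protect & 0xF0),  # any PAGE_EXECUTE* value
            "type_name": MEM_TYPE.get(mtype, f"0x{mtype:x}"),
        }
    m = UNPACK_RE.match(source)
    if m:
        return {"kind": "unpacked_pe", "proc": int(m["proc"]), "image": m["image"],
                "base": int(m["base"], 16), "raw": m["raw"] is not None}
    m = PROCMEM_RE.match(source)
    if m:
        return {"kind": "process_memory", "image": m["image"], "pid": int(m["pid"])}
    raise ValueError(f"unrecognised Yara source: {source}")


def executable_dumps(sources):
    """Dumps with an execute bit: candidates for unpacked or injected code,
    as opposed to read-write regions that merely hold data a rule hit on."""
    return [p for p in map(parse_yara_source, sources)
            if p["kind"] == "memory_dump" and p["executable"]]


def by_process(sources):
    """Group identifiers by process index (or PID for whole-process matches)."""
    groups = {}
    for p in map(parse_yara_source, sources):
        groups.setdefault(p.get("proc", f"pid {p.get('pid')}"), []).append(p)
    return groups


# Identifiers copied from the "Remote Access Functionality" list above.
REPORT_SOURCES = [
    "4.2.Quote GVSE24-00815.exe.400000.0.unpack",
    "0.2.Quote GVSE24-00815.exe.395e2c0.2.unpack",
    "0.2.Quote GVSE24-00815.exe.399a0e0.0.unpack",
    "0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack",
    "0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack",
    "00000004.00000002.4139084542.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp",
    "00000004.00000002.4139084542.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp",
    "00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
    "00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp",
    "00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp",
    "Process Memory Space: Quote GVSE24-00815.exe PID: 6260",
    "Process Memory Space: Quote GVSE24-00815.exe PID: 3732",
]

if __name__ == "__main__":
    for p in executable_dumps(REPORT_SOURCES):
        print(f"process {p['proc']}: 0x{p['base']:x} {p['protect_name']} {p['type_name']}")
```

When a rule fires on both an executable dump and the `.unpack` file carved from the same process and base, that dump is the one to pull for static analysis; the read-write dumps and the whole-process MEMORYSTR matches are where string- and configuration-based rules usually land.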