Edit tour

Windows Analysis Report
Quote GVSE24-00815.exe

Overview

General Information

Sample name:	Quote GVSE24-00815.exe
Analysis ID:	1561754
MD5:	d04fe8d654f371aba620596e67963714
SHA1:	7e1ff1be9962bc31859cfc22757aad3df52ea193
SHA256:	9c9405332a044a5f3222dfc59bc8b36a4cd6fc4542c8651667aaf2101bb54ea8
Tags:	exeuser-abuse_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Quote GVSE24-00815.exe (PID: 6260 cmdline: "C:\Users\user\Desktop\Quote GVSE24-00815.exe" MD5: D04FE8D654F371ABA620596E67963714)

powershell.exe (PID: 5304 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Quote GVSE24-00815.exe (PID: 3732 cmdline: "C:\Users\user\Desktop\Quote GVSE24-00815.exe" MD5: D04FE8D654F371ABA620596E67963714)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.zqamcx.com", "Username": "servertwo@zqamcx.com", "Password": "Anambraeast@"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.4139084542.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4139084542.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Quote GVSE24-00815.exe PID: 6260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Quote GVSE24-00815.exe PID: 6260	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Quote GVSE24-00815.exe PID: 6260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Quote GVSE24-00815.exe PID: 3732	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Quote GVSE24-00815.exe PID: 3732	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.Quote GVSE24-00815.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.Quote GVSE24-00815.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.Quote GVSE24-00815.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.Quote GVSE24-00815.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34847:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x348b9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34943:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x349d5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34a3f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34ab1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34b47:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34bd7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Quote GVSE24-00815.exe.395e2c0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Quote GVSE24-00815.exe.395e2c0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Quote GVSE24-00815.exe.395e2c0.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32a47:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32ab9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32b43:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32bd5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32c3f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32cb1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32d47:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32dd7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Quote GVSE24-00815.exe.399a0e0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Quote GVSE24-00815.exe.399a0e0.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Quote GVSE24-00815.exe.399a0e0.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32a47:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32ab9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32b43:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32bd5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32c3f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32cb1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32d47:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32dd7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34847:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x348b9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34943:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x349d5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34a3f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34ab1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34b47:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34bd7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34847:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x70667:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x348b9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x706d9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34943:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x70763:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x349d5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x707f5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34a3f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x7085f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34ab1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x708d1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34b47:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x70967:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34bd7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x709f7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote GVSE24-00815.exe", ParentImage: C:\Users\user\Desktop\Quote GVSE24-00815.exe, ParentProcessId: 6260, ParentProcessName: Quote GVSE24-00815.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe", ProcessId: 5304, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 78.110.166.82, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Quote GVSE24-00815.exe, Initiated: true, ProcessId: 3732, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49737

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote GVSE24-00815.exe", ParentImage: C:\Users\user\Desktop\Quote GVSE24-00815.exe, ParentProcessId: 6260, ParentProcessName: Quote GVSE24-00815.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe", ProcessId: 5304, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.zqamcx.com", "Username": "servertwo@zqamcx.com", "Password": "Anambraeast@"}

Multi AV Scanner detection for domain / URL

Source: mail.zqamcx.com

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Source: Quote GVSE24-00815.exe	ReversingLabs: Detection: 73%
Source: Quote GVSE24-00815.exe	Virustotal: Detection: 74%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Quote GVSE24-00815.exe

Joe Sandbox ML: detected

Source: Quote GVSE24-00815.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Quote GVSE24-00815.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.Quote GVSE24-00815.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 78.110.166.82:587

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 78.110.166.82 78.110.166.82

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 78.110.166.82:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: mail.zqamcx.com

Source: Quote GVSE24-00815.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Quote GVSE24-00815.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: Quote GVSE24-00815.exe, 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.zqamcx.com
Source: Quote GVSE24-00815.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137921930.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4143010272.00000000068D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0#
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137921930.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4143010272.00000000068D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: Quote GVSE24-00815.exe, 00000000.00000002.1707813519.000000000279A000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quote GVSE24-00815.exe	String found in binary or memory: http://tempuri.org/ianiDataSet.xsd
Source: Quote GVSE24-00815.exe	String found in binary or memory: http://tempuri.org/ianiDataSet1.xsd
Source: Quote GVSE24-00815.exe	String found in binary or memory: http://tempuri.org/ianiDataSet2.xsdM
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137921930.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137921930.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zqamcx.com
Source: Quote GVSE24-00815.exe, 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Quote GVSE24-00815.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, n00.cs	.Net Code: O5ZNXKF
Source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack, n00.cs	.Net Code: O5ZNXKF

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Quote GVSE24-00815.exe

Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.Quote GVSE24-00815.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_00E3D51C	0_2_00E3D51C
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_04CA6BE0	0_2_04CA6BE0
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_04CA0040	0_2_04CA0040
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_04CA003F	0_2_04CA003F
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_04CA6BDA	0_2_04CA6BDA
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_04CA6BD1	0_2_04CA6BD1
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_06E5AF68	0_2_06E5AF68
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_06E56ED0	0_2_06E56ED0
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_06E54FA7	0_2_06E54FA7
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_06E54FB8	0_2_06E54FB8
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_06E56A88	0_2_06E56A88
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_06E56A98	0_2_06E56A98
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_06E553F0	0_2_06E553F0
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_06E54B80	0_2_06E54B80
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_02D0E5A8	4_2_02D0E5A8
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_02D04BF0	4_2_02D04BF0
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_02D0EE21	4_2_02D0EE21
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_02D03FD8	4_2_02D03FD8
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_02D0B318	4_2_02D0B318
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_02D04320	4_2_02D04320
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_069C2B54	4_2_069C2B54
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_069C2168	4_2_069C2168
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_069C2163	4_2_069C2163
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_069C2B48	4_2_069C2B48
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_069C3266	4_2_069C3266
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_06A25680	4_2_06A25680
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_06A266C8	4_2_06A266C8
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_06A2B2F9	4_2_06A2B2F9
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_06A2C240	4_2_06A2C240
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_06A23148	4_2_06A23148
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_06A27E50	4_2_06A27E50
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_06A27770	4_2_06A27770
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_06A2E458	4_2_06A2E458
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_06A20040	4_2_06A20040
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_06A25DBB	4_2_06A25DBB
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_06A20007	4_2_06A20007

Source: Quote GVSE24-00815.exe

Static PE information: invalid certificate

Source: Quote GVSE24-00815.exe, 00000000.00000002.1707813519.00000000027A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1714917912.0000000007210000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOwfV.exe4 vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1707813519.000000000279A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamee33f29a3-d982-4bbb-b145-e4c33ad27d5d.exe4 vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1713162820.0000000004F60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1706918857.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamee33f29a3-d982-4bbb-b145-e4c33ad27d5d.exe4 vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamee33f29a3-d982-4bbb-b145-e4c33ad27d5d.exe4 vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe, 00000004.00000002.4137861344.0000000000F39000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quote GVSE24-00815.exe
Source: Quote GVSE24-00815.exe	Binary or memory string: OriginalFilenameOwfV.exe4 vs Quote GVSE24-00815.exe

Source: Quote GVSE24-00815.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.Quote GVSE24-00815.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: Quote GVSE24-00815.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, fpnV0Qjz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, fpnV0Qjz.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, UjM08uKG4ajvp16R40.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, UjM08uKG4ajvp16R40.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/6@3/2

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote GVSE24-00815.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjgib2nb.30d.ps1

Jump to behavior

Source: Quote GVSE24-00815.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Quote GVSE24-00815.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO [dbo].[CREDIT_PLAN] ([CREDIT_ID], [MATURITY_DATE], [MATURITY_SUM], [MATURITY_NOTE], [MODIF_DATE]) VALUES (@CREDIT_ID, @MATURITY_DATE, @MATURITY_SUM, @MATURITY_NOTE, @MODIF_DATE);
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE], [INTEREST]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE, @INTEREST);
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[Login] SET [User_id] = @User_id, [User_pass] = @User_pass WHERE (([User_id] = @Original_User_id) AND ([User_pass] = @Original_User_pass));
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[CREDIT_PLAN] SET [CREDIT_ID] = @CREDIT_ID, [MATURITY_DATE] = @MATURITY_DATE, [MATURITY_SUM] = @MATURITY_SUM, [MATURITY_NOTE] = @MATURITY_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([MATURITY_ID] = @Original_MATURITY_ID) AND ((@IsNull_CREDIT_ID = 1 AND [CREDIT_ID] IS NULL) OR ([CREDIT_ID] = @Original_CREDIT_ID)) AND ([MATURITY_DATE] = @Original_MATURITY_DATE) AND ([MATURITY_SUM] = @Original_MATURITY_SUM) AND ((@IsNull_MATURITY_NOTE = 1 AND [MATURITY_NOTE] IS NULL) OR ([MATURITY_NOTE] = @Original_MATURITY_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO [dbo].[PROD_PERIODS] ([PROD_CODE], [PROD_PERIOD]) VALUES (@PROD_CODE, @PROD_PERIOD);
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[INTEREST] SET [PROD_CODE] = @PROD_CODE, [PROD_PERIOD] = @PROD_PERIOD, [SUM_FROM] = @SUM_FROM, [SUM_TO] = @SUM_TO WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_PERIOD] = @Original_PROD_PERIOD) AND ([SUM_FROM] = @Original_SUM_FROM) AND ([SUM_TO] = @Original_SUM_TO));
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[CREDIT] SET [CREDIT_NO] = @CREDIT_NO, [CREDIT_DATE] = @CREDIT_DATE, [CREDIT_PERIOD] = @CREDIT_PERIOD, [CREDIT_END_DATE] = @CREDIT_END_DATE, [CREDIT_BEGIN_DATE] = @CREDIT_BEGIN_DATE, [CLIENT_ID] = @CLIENT_ID, [PROD_CODE] = @PROD_CODE, [CREDIT_SUM] = @CREDIT_SUM, [CREDIT_NOTE] = @CREDIT_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([CREDIT_ID] = @Original_CREDIT_ID) AND ([CREDIT_NO] = @Original_CREDIT_NO) AND ((@IsNull_CREDIT_DATE = 1 AND [CREDIT_DATE] IS NULL) OR ([CREDIT_DATE] = @Original_CREDIT_DATE)) AND ([CREDIT_PERIOD] = @Original_CREDIT_PERIOD) AND ((@IsNull_CREDIT_END_DATE = 1 AND [CREDIT_END_DATE] IS NULL) OR ([CREDIT_END_DATE] = @Original_CREDIT_END_DATE)) AND ((@IsNull_CREDIT_BEGIN_DATE = 1 AND [CREDIT_BEGIN_DATE] IS NULL) OR ([CREDIT_BEGIN_DATE] = @Original_CREDIT_BEGIN_DATE)) AND ([CLIENT_ID] = @Original_CLIENT_ID) AND ((@IsNull_PROD_CODE = 1 AND [PROD_CODE] IS NULL) OR ([PROD_CODE] = @Original_PROD_CODE)) AND ([CREDIT_SUM] = @Original_CREDIT_SUM) AND ((@IsNull_CREDIT_NOTE = 1 AND [CREDIT_NOTE] IS NULL) OR ([CREDIT_NOTE] = @Original_CREDIT_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[CREDIT_PRODUCT] SET [PROD_NAME] = @PROD_NAME, [PROD_ACTIVE] = @PROD_ACTIVE, [PROD_SUM_FROM] = @PROD_SUM_FROM, [PROD_SUM_TO] = @PROD_SUM_TO, [MODIF_DATE] = @MODIF_DATE WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_NAME] = @Original_PROD_NAME) AND ([PROD_ACTIVE] = @Original_PROD_ACTIVE) AND ([PROD_SUM_FROM] = @Original_PROD_SUM_FROM) AND ([PROD_SUM_TO] = @Original_PROD_SUM_TO) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Quote GVSE24-00815.exe, 00000000.00000000.1678802457.0000000000332000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE);

Source: Quote GVSE24-00815.exe	ReversingLabs: Detection: 73%
Source: Quote GVSE24-00815.exe	Virustotal: Detection: 74%

Source: unknown	Process created: C:\Users\user\Desktop\Quote GVSE24-00815.exe "C:\Users\user\Desktop\Quote GVSE24-00815.exe"
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process created: C:\Users\user\Desktop\Quote GVSE24-00815.exe "C:\Users\user\Desktop\Quote GVSE24-00815.exe"
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process created: C:\Users\user\Desktop\Quote GVSE24-00815.exe "C:\Users\user\Desktop\Quote GVSE24-00815.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Quote GVSE24-00815.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quote GVSE24-00815.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Quote GVSE24-00815.exe, InnerForm.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs	.Net Code: CVZ6Zttube System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs	.Net Code: CVZ6Zttube System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_04CAA05B push es; retf	0_2_04CAA062
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_04CAA058 push es; retf	0_2_04CAA05A
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_04CA9ED7 push es; retf	0_2_04CA9EDA
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_04CA9E68 push es; retf	0_2_04CA9E72
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 0_2_06E5AF68 pushfd ; retn 5504h	0_2_06E5B696
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_02D00610 push edx; ret	4_2_02D0061A
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_02D0061B push edx; ret	4_2_02D0061A
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_02D00828 push edx; ret	4_2_02D00846
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_02D0F9B8 push edx; ret	4_2_02D0F9C6
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_069C7782 push es; ret	4_2_069C7790
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Code function: 4_2_06A24240 pushfd ; ret	4_2_06A24285

Source: Quote GVSE24-00815.exe

Static PE information: section name: .text entropy: 7.52645497703216

Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, udp8Y54h5tL0mZ8Mad.cs	High entropy of concatenated method names: 'xo53mFR5Pb', 'Dl13xRMVb9', 'Aiu31rKNWY', 'CaZ3tgmlia', 'MIJ3BiytcU', 'DgZ3n3ompG', 'wt232G3qko', 'spd3sNyUyZ', 'V493vYIhO4', 'nl93M2bppV'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, wKjoyMa13ZFUm17qsv.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'JB3G4aRqMH', 'lDFGcfxEnT', 'ivrGzpxNv3', 'WaE9UJD666', 'nna9QuYksT', 'SHv9GlqZ1d', 'cpS993OTdQ', 'u79KBkcchGK97Or60Bo'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, eDGCCDzpNSnLU0NOIS.cs	High entropy of concatenated method names: 'QsiyT9NHki', 'ziMyKBAVuD', 'HFyyuc9VMd', 'hQsymKSObc', 'aJByxUoYU7', 'wdgytfcT9s', 'QL0yB3L1Bb', 'TWXyYCOOfn', 'nWxyjwdoEb', 'r9uyFHKL9n'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, nrLAxkVO6F2gBrQSmN.cs	High entropy of concatenated method names: 'Dispose', 'bnfQ4KQPt3', 'TCBGx687bB', 'NMBvt5KyGc', 'jXJQcONtUx', 'I86QzibNLU', 'ProcessDialogKey', 'jAqGUdp8Y5', 'S5tGQL0mZ8', 'OadGG8sAfy'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, nsAfyYcOq9jOlSjV4n.cs	High entropy of concatenated method names: 'ReLyaLkipa', 'KAlyRpcIXU', 'RjdyIoyZWO', 'BNqyiTreMA', 'xumy3la7xW', 'BOYykDFbPT', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, oNX8UtW5SQnfKQPt3I.cs	High entropy of concatenated method names: 'wAi3L3VHvJ', 'bbc3DFxHyT', 'i2C33kMEMJ', 'cC83lPZvLG', 'kH33gIfDZk', 'u7I3YHX1oD', 'Dispose', 'LkL0CYEyED', 'oE60Vl0Knd', 'J9Z0aqADwb'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, CYyUhDHuwnyg49OWYm.cs	High entropy of concatenated method names: 'VxcDJlxpP7', 'xMFD7h8b70', 'ToString', 'KlZDCkIhyO', 'XeSDVSOFJc', 'f06Dai8416', 'Mu8DRKcbWW', 'ra9DI5wi1l', 'uvGDiwvFkC', 'h00DkYZpiV'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, yJ3SUFudKvLKAR53HS.cs	High entropy of concatenated method names: 'dEIaP0pJZ0', 'jQqaT55VeD', 'F1oaKOKLeo', 'pykauXSrbf', 'DyqaLT9sA8', 'YKKablUXcb', 'TdPaDhsorc', 'f5Sa0jZrAf', 'Ct3a3Bt4K4', 'CJLayYrrnv'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, xewm1LfuAOibrAUReG.cs	High entropy of concatenated method names: 'Fb7DplFtte', 'AKHDcfDift', 'RNt0UBoHcN', 'V9F0QTnVUk', 'nVyD5eXohK', 'Y9EDSUV1rw', 'qZBDdcCrm4', 'PwUDejZ7eE', 'mesDh2O0Zh', 'SZqDOuf8sm'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, Qp49reO0iYlVrX1hL0.cs	High entropy of concatenated method names: 'ToString', 'Qk4b58HrGt', 'b6abxVNLZs', 'LRSb1EjhUO', 'CoUbtbOFuN', 'X2SbBUEmxE', 'a4PbnEe9up', 'SeUb2YNxqC', 'PtZbsf1nFb', 'kS5bvAW5Lj'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, cxIuTXvufT3YjfmZai.cs	High entropy of concatenated method names: 'bWEijKHDVE', 'xs5iFcjDTa', 'HCriZ4qt7H', 'VA9iPDxI05', 'tx1irvc88c', 'jH6iTUZGXp', 'vQSiNDN6CH', 'f63iKvKKHb', 'xGKiu0cbWf', 'jBwiAaNP3C'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, p6cOn4QUBKJCgoeIhgy.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't86y5udrZa', 'w9IyS13XoS', 'OA9ydxH77G', 'TmKyeD8M25', 'sxxyhE8WOy', 'kU2yOim9mF', 'r3dyHpanPw'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, bK4b3KAvZGw9eMXbdL.cs	High entropy of concatenated method names: 'YpJRrcd4GY', 'RQ7RN7hcHR', 'NyHa1nqHUp', 'fHRatAFDfy', 'TKraBULGhK', 'HBCanIndOn', 'y9ra2JKRNb', 'RUXask2ApG', 'zwyavcPviJ', 'jgNaMTHdcb'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, Qlb0EcQG6HwJhj28G0A.cs	High entropy of concatenated method names: 'ToString', 'L4SlKLMYie', 'oVUlu27DGe', 'BaRlALOFbo', 'b2WlmNVPEv', 'Hemlxp5rUS', 'utHl1rljJ8', 'LwqltXxMPH', 'PeTQASNmpOlUwN9cZI3', 'yc6TtRNs932U9Xi96LT'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, GaO88nQQyuNgJMDLivT.cs	High entropy of concatenated method names: 'USTycolJgX', 'VNsyz7v9J4', 'BMXlUMxTob', 'snClQL8bMn', 'WSUlG6wtni', 'awGl9twXtW', 'Iy6l6x3nWw', 'SGSlwDr7Pm', 'eEllCgy6Qn', 'jDylVUnImd'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, XlB4bpGkjFAiOUtBKw.cs	High entropy of concatenated method names: 'fkmZ1S6X1', 'uLZP8xli0', 'PtdTBuhEC', 'zCxNCt6Gb', 'fxfuTUioG', 'zunAlIZOQ', 'qdAFn5sGP79qtQGeOI', 'jiwXfa9uQgjy1ChERP', 'qXr08JABP', 'NlKyIcG21'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, aqWHQt2o2GTW94fMH6.cs	High entropy of concatenated method names: 'FEiiC9BgTS', 'hhsia0VJeq', 'EbqiICyYST', 'JqcIciBaNm', 'G5BIzGd5Fd', 'sbgiUbtJXk', 'GfViQT7ccy', 'NEviGUbAfO', 'RXui9uZEwJ', 'RYSi6jwwAj'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, mVrobKdKMaMT4VBm14.cs	High entropy of concatenated method names: 'iM28KdCKKW', 'oa08uv7eUt', 'oih8m9F332', 'n6k8xX72Mu', 'ydC8t4DvNl', 'Cj48BZ3OqH', 'CPK82ttQ5M', 'eio8sUVw4G', 'kQT8MAdBN0', 'Xlo85xYmdR'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, S3SW7Nm5yZfAI7L9f4.cs	High entropy of concatenated method names: 'a7DIwgSEJb', 'sdyIV16KIl', 'FIUIR8r8Qa', 'De0Ii9CEg7', 'BeZIkQIMlL', 'iLXRExSCIU', 'RotRf0II9v', 'IqWRWQaJ4N', 'NbARpvdTjn', 'L6UR4GRTpc'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, RZR926Q6EssYSwiVRUZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oQmq3rrYCt', 'FXDqyRKprj', 'ptHqlfpm0P', 'kLRqqHZjXY', 'tlOqg45ZOR', 'A3ZqXVI5Ho', 'HGiqYkE6gT'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs	High entropy of concatenated method names: 'fJh9wZ4UQZ', 'ECb9Cu9m0R', 'QmA9VsSZ5l', 'b4G9alyvVG', 'SlP9RWgSB6', 'Yo49I31oBH', 'nkh9iiIphg', 'OBQ9kZgp4O', 'bC59oHNbj3', 'jgM9JSA0NY'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, UjM08uKG4ajvp16R40.cs	High entropy of concatenated method names: 'WV8Veu8y1s', 'rF5Vheso9s', 'kLTVODKD55', 'KTwVHprYHq', 'e6iVE2obgH', 'Hw2VfDSQ6x', 'O9FVWcGG7Z', 'OZfVpAwcm6', 'NJdV4gj3Bu', 'FJMVckNOMe'
Source: 0.2.Quote GVSE24-00815.exe.7210000.4.raw.unpack, Tj4hrN6Og75w16Grr1.cs	High entropy of concatenated method names: 'W9EQijM08u', 'b4aQkjvp16', 'ydKQJvLKAR', 'O3HQ7SQK4b', 'NXbQLdLO3S', 'W7NQb5yZfA', 'Bw0vOUqBHw97S38uAc', 'e0t0XPwWN6xxjDXGKs', 'oJ4QQIG98E', 'cuKQ9RKkIo'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, udp8Y54h5tL0mZ8Mad.cs	High entropy of concatenated method names: 'xo53mFR5Pb', 'Dl13xRMVb9', 'Aiu31rKNWY', 'CaZ3tgmlia', 'MIJ3BiytcU', 'DgZ3n3ompG', 'wt232G3qko', 'spd3sNyUyZ', 'V493vYIhO4', 'nl93M2bppV'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, wKjoyMa13ZFUm17qsv.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'JB3G4aRqMH', 'lDFGcfxEnT', 'ivrGzpxNv3', 'WaE9UJD666', 'nna9QuYksT', 'SHv9GlqZ1d', 'cpS993OTdQ', 'u79KBkcchGK97Or60Bo'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, eDGCCDzpNSnLU0NOIS.cs	High entropy of concatenated method names: 'QsiyT9NHki', 'ziMyKBAVuD', 'HFyyuc9VMd', 'hQsymKSObc', 'aJByxUoYU7', 'wdgytfcT9s', 'QL0yB3L1Bb', 'TWXyYCOOfn', 'nWxyjwdoEb', 'r9uyFHKL9n'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, nrLAxkVO6F2gBrQSmN.cs	High entropy of concatenated method names: 'Dispose', 'bnfQ4KQPt3', 'TCBGx687bB', 'NMBvt5KyGc', 'jXJQcONtUx', 'I86QzibNLU', 'ProcessDialogKey', 'jAqGUdp8Y5', 'S5tGQL0mZ8', 'OadGG8sAfy'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, nsAfyYcOq9jOlSjV4n.cs	High entropy of concatenated method names: 'ReLyaLkipa', 'KAlyRpcIXU', 'RjdyIoyZWO', 'BNqyiTreMA', 'xumy3la7xW', 'BOYykDFbPT', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, oNX8UtW5SQnfKQPt3I.cs	High entropy of concatenated method names: 'wAi3L3VHvJ', 'bbc3DFxHyT', 'i2C33kMEMJ', 'cC83lPZvLG', 'kH33gIfDZk', 'u7I3YHX1oD', 'Dispose', 'LkL0CYEyED', 'oE60Vl0Knd', 'J9Z0aqADwb'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, CYyUhDHuwnyg49OWYm.cs	High entropy of concatenated method names: 'VxcDJlxpP7', 'xMFD7h8b70', 'ToString', 'KlZDCkIhyO', 'XeSDVSOFJc', 'f06Dai8416', 'Mu8DRKcbWW', 'ra9DI5wi1l', 'uvGDiwvFkC', 'h00DkYZpiV'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, yJ3SUFudKvLKAR53HS.cs	High entropy of concatenated method names: 'dEIaP0pJZ0', 'jQqaT55VeD', 'F1oaKOKLeo', 'pykauXSrbf', 'DyqaLT9sA8', 'YKKablUXcb', 'TdPaDhsorc', 'f5Sa0jZrAf', 'Ct3a3Bt4K4', 'CJLayYrrnv'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, xewm1LfuAOibrAUReG.cs	High entropy of concatenated method names: 'Fb7DplFtte', 'AKHDcfDift', 'RNt0UBoHcN', 'V9F0QTnVUk', 'nVyD5eXohK', 'Y9EDSUV1rw', 'qZBDdcCrm4', 'PwUDejZ7eE', 'mesDh2O0Zh', 'SZqDOuf8sm'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, Qp49reO0iYlVrX1hL0.cs	High entropy of concatenated method names: 'ToString', 'Qk4b58HrGt', 'b6abxVNLZs', 'LRSb1EjhUO', 'CoUbtbOFuN', 'X2SbBUEmxE', 'a4PbnEe9up', 'SeUb2YNxqC', 'PtZbsf1nFb', 'kS5bvAW5Lj'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, cxIuTXvufT3YjfmZai.cs	High entropy of concatenated method names: 'bWEijKHDVE', 'xs5iFcjDTa', 'HCriZ4qt7H', 'VA9iPDxI05', 'tx1irvc88c', 'jH6iTUZGXp', 'vQSiNDN6CH', 'f63iKvKKHb', 'xGKiu0cbWf', 'jBwiAaNP3C'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, p6cOn4QUBKJCgoeIhgy.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't86y5udrZa', 'w9IyS13XoS', 'OA9ydxH77G', 'TmKyeD8M25', 'sxxyhE8WOy', 'kU2yOim9mF', 'r3dyHpanPw'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, bK4b3KAvZGw9eMXbdL.cs	High entropy of concatenated method names: 'YpJRrcd4GY', 'RQ7RN7hcHR', 'NyHa1nqHUp', 'fHRatAFDfy', 'TKraBULGhK', 'HBCanIndOn', 'y9ra2JKRNb', 'RUXask2ApG', 'zwyavcPviJ', 'jgNaMTHdcb'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, Qlb0EcQG6HwJhj28G0A.cs	High entropy of concatenated method names: 'ToString', 'L4SlKLMYie', 'oVUlu27DGe', 'BaRlALOFbo', 'b2WlmNVPEv', 'Hemlxp5rUS', 'utHl1rljJ8', 'LwqltXxMPH', 'PeTQASNmpOlUwN9cZI3', 'yc6TtRNs932U9Xi96LT'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, GaO88nQQyuNgJMDLivT.cs	High entropy of concatenated method names: 'USTycolJgX', 'VNsyz7v9J4', 'BMXlUMxTob', 'snClQL8bMn', 'WSUlG6wtni', 'awGl9twXtW', 'Iy6l6x3nWw', 'SGSlwDr7Pm', 'eEllCgy6Qn', 'jDylVUnImd'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, XlB4bpGkjFAiOUtBKw.cs	High entropy of concatenated method names: 'fkmZ1S6X1', 'uLZP8xli0', 'PtdTBuhEC', 'zCxNCt6Gb', 'fxfuTUioG', 'zunAlIZOQ', 'qdAFn5sGP79qtQGeOI', 'jiwXfa9uQgjy1ChERP', 'qXr08JABP', 'NlKyIcG21'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, aqWHQt2o2GTW94fMH6.cs	High entropy of concatenated method names: 'FEiiC9BgTS', 'hhsia0VJeq', 'EbqiICyYST', 'JqcIciBaNm', 'G5BIzGd5Fd', 'sbgiUbtJXk', 'GfViQT7ccy', 'NEviGUbAfO', 'RXui9uZEwJ', 'RYSi6jwwAj'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, mVrobKdKMaMT4VBm14.cs	High entropy of concatenated method names: 'iM28KdCKKW', 'oa08uv7eUt', 'oih8m9F332', 'n6k8xX72Mu', 'ydC8t4DvNl', 'Cj48BZ3OqH', 'CPK82ttQ5M', 'eio8sUVw4G', 'kQT8MAdBN0', 'Xlo85xYmdR'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, S3SW7Nm5yZfAI7L9f4.cs	High entropy of concatenated method names: 'a7DIwgSEJb', 'sdyIV16KIl', 'FIUIR8r8Qa', 'De0Ii9CEg7', 'BeZIkQIMlL', 'iLXRExSCIU', 'RotRf0II9v', 'IqWRWQaJ4N', 'NbARpvdTjn', 'L6UR4GRTpc'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, RZR926Q6EssYSwiVRUZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oQmq3rrYCt', 'FXDqyRKprj', 'ptHqlfpm0P', 'kLRqqHZjXY', 'tlOqg45ZOR', 'A3ZqXVI5Ho', 'HGiqYkE6gT'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, xKiWxFkKk1hXKZ6pNR.cs	High entropy of concatenated method names: 'fJh9wZ4UQZ', 'ECb9Cu9m0R', 'QmA9VsSZ5l', 'b4G9alyvVG', 'SlP9RWgSB6', 'Yo49I31oBH', 'nkh9iiIphg', 'OBQ9kZgp4O', 'bC59oHNbj3', 'jgM9JSA0NY'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, UjM08uKG4ajvp16R40.cs	High entropy of concatenated method names: 'WV8Veu8y1s', 'rF5Vheso9s', 'kLTVODKD55', 'KTwVHprYHq', 'e6iVE2obgH', 'Hw2VfDSQ6x', 'O9FVWcGG7Z', 'OZfVpAwcm6', 'NJdV4gj3Bu', 'FJMVckNOMe'
Source: 0.2.Quote GVSE24-00815.exe.39de2e0.1.raw.unpack, Tj4hrN6Og75w16Grr1.cs	High entropy of concatenated method names: 'W9EQijM08u', 'b4aQkjvp16', 'ydKQJvLKAR', 'O3HQ7SQK4b', 'NXbQLdLO3S', 'W7NQb5yZfA', 'Bw0vOUqBHw97S38uAc', 'e0t0XPwWN6xxjDXGKs', 'oJ4QQIG98E', 'cuKQ9RKkIo'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Quote GVSE24-00815.exe PID: 6260, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Quote GVSE24-00815.exe, 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Memory allocated: D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Memory allocated: 2740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Memory allocated: D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Memory allocated: 7610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Memory allocated: 8610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Memory allocated: 87C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Memory allocated: 97C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Memory allocated: 4E60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7326	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2336	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Window / User API: threadDelayed 1344	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Window / User API: threadDelayed 8512	Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 2172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7280	Thread sleep count: 1344 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7280	Thread sleep count: 8512 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -98766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -98656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -98547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -98437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -98218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -97672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -97437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -97328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -97219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -97094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -96875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -96766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -96656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -96547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -96435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -96219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -96109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -96000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -95888s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -95781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -95672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -95562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -95344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -95234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -95125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -95016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -94906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -94797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -94687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe TID: 7276	Thread sleep time: -94578s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 98766	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 98547	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 97672	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 97328	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 97094	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 96875	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 96766	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 96656	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 96547	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 96435	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 96219	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 96109	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 96000	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 95888	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 95781	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 95672	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 95562	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 95344	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 95234	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 95125	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 95016	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 94906	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 94797	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 94687	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Thread delayed: delay time: 94578	Jump to behavior

Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: Quote GVSE24-00815.exe, 00000004.00000002.4137921930.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Quote GVSE24-00815.exe, 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

Code function: 4_2_02D071D8 CheckRemoteDebuggerPresent,

4_2_02D071D8

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe"
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

Memory written: C:\Users\user\Desktop\Quote GVSE24-00815.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Process created: C:\Users\user\Desktop\Quote GVSE24-00815.exe "C:\Users\user\Desktop\Quote GVSE24-00815.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Users\user\Desktop\Quote GVSE24-00815.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Users\user\Desktop\Quote GVSE24-00815.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 4.2.Quote GVSE24-00815.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4139084542.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4139084542.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote GVSE24-00815.exe PID: 6260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Quote GVSE24-00815.exe PID: 3732, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Quote GVSE24-00815.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 4.2.Quote GVSE24-00815.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote GVSE24-00815.exe PID: 6260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Quote GVSE24-00815.exe PID: 3732, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 4.2.Quote GVSE24-00815.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote GVSE24-00815.exe.399a0e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quote GVSE24-00815.exe.395e2c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4139084542.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4139084542.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote GVSE24-00815.exe PID: 6260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Quote GVSE24-00815.exe PID: 3732, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	531 Security Software Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	261 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quote GVSE24-00815.exe	74%	ReversingLabs	Win32.Trojan.AgentTesla
Quote GVSE24-00815.exe	74%	Virustotal		Browse
Quote GVSE24-00815.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
mail.zqamcx.com	14%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
zqamcx.com	78.110.166.82	true	false		high
ip-api.com	208.95.112.1	true	false		high
mail.zqamcx.com	unknown	unknown	true	14%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mail.zqamcx.com	Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.dyn.com/	Quote GVSE24-00815.exe, 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://r11.o.lencr.org0#	Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137921930.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4143010272.00000000068D2000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/ianiDataSet2.xsdM	Quote GVSE24-00815.exe	false	high
http://www.tiro.com	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Quote GVSE24-00815.exe	false	high
http://www.carterandcone.coml	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/ianiDataSet.xsd	Quote GVSE24-00815.exe	false	high
http://www.sajatypeworks.com	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/ianiDataSet1.xsd	Quote GVSE24-00815.exe	false	high
http://www.founder.com.cn/cn	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137921930.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137921930.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://zqamcx.com	Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Quote GVSE24-00815.exe, 00000000.00000002.1707813519.000000000279A000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	Quote GVSE24-00815.exe, 00000000.00000002.1713652039.00000000068D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://r11.i.lencr.org/0#	Quote GVSE24-00815.exe, 00000004.00000002.4139084542.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4137921930.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, Quote GVSE24-00815.exe, 00000004.00000002.4143010272.00000000068D2000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
78.110.166.82	zqamcx.com	United Kingdom		42831	UKSERVERS-ASUKDedicatedServersHostingandCo-Location	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561754
Start date and time:	2024-11-24 08:33:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quote GVSE24-00815.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/6@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 95 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:34:27	API Interceptor	10089331x Sleep call for process: Quote GVSE24-00815.exe modified
02:34:29	API Interceptor	10x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	EsgeCzT4do.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	dLRcE11Dkl.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	owuP726k3d.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	WV7Gj9lJ7W.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	18sFhgSyVK.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	UH7iNNKgPW.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	18fvs4AVae.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	cmd.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	z81zEuzkJPHHV3KYua.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	ip-api.com/json/
78.110.166.82	COB756883.vbs	Get hash	malicious	CobaltStrike	Browse	windowsupdatesolutions.com/ServerCOB.txt
	Ingreso_SII_Abril_2021.cmd	Get hash	malicious	Unknown	Browse	www.emolcl.com/namaste/puma.php
	Ingreso_SII_Abril_2021.cmd	Get hash	malicious	Unknown	Browse	www.emolcl.com/namaste/puma.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	EsgeCzT4do.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	dLRcE11Dkl.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	owuP726k3d.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	WV7Gj9lJ7W.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	18sFhgSyVK.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	UH7iNNKgPW.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	18fvs4AVae.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	cmd.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	z81zEuzkJPHHV3KYua.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
zqamcx.com	EKSTRE_1022.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	18112024_Dokman_1 Kas_m 2024- Avans_T24-2112184_dekont.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	Musterino_94372478_Ekno_101_20241031410530_ekstre.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	Halkbank_Ekstre_20241118_081142_787116.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	PO NO170300999.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	Musterino_94372478_Ekno_101_20241031410530_ekstre.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UKSERVERS-ASUKDedicatedServersHostingandCo-Location	EKSTRE_1022.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	New_Order_Inquiry.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	18112024_Dokman_1 Kas_m 2024- Avans_T24-2112184_dekont.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	Musterino_94372478_Ekno_101_20241031410530_ekstre.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	Halkbank_Ekstre_20241118_081142_787116.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	(#U0130TOSAM) 11 KASIM 2024 HAFTALIK EKONOM#U0130 B#U00dcLTEN#U0130.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	PO NO170300999.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	sora.mips.elf	Get hash	malicious	Mirai	Browse	78.157.201.124
	RKsVnThLLP.exe	Get hash	malicious	Njrat	Browse	94.46.207.10
	Musterino_94372478_Ekno_101_20241031410530_ekstre.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
TUT-ASUS	EsgeCzT4do.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	dLRcE11Dkl.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	owuP726k3d.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	WV7Gj9lJ7W.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	18sFhgSyVK.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	UH7iNNKgPW.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	18fvs4AVae.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	cmd.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	z81zEuzkJPHHV3KYua.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\Quote GVSE24-00815.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.357042452875322
Encrypted:	false
SSDEEP:	24:3CytZWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKIl9r+q:yyjWSU4xymI4RfoUeW+mZ9tK8ND3
MD5:	827C68C8F65D2B0800E6791B34AB6D2E
SHA1:	151BC96F9C26C53E02D2E0DA64995A462D0C3B4E
SHA-256:	6B22A727792EC2ACE1BC27BF00BECBBD842902F2FD0FC813CF45A21A986377D5
SHA-512:	67E9E89C531B2CDF47FCBBA3F036EA66427631A8EBF287A26DD35AFB114AF6E2D945304CBF72B94358245FEED658F9BA6E19B29879AE6488D8DC7A143DCC146D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2tivak4j.3p4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_itkhhyeh.24p.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pjnwwi5w.tds.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjgib2nb.30d.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.529677080166083
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Quote GVSE24-00815.exe
File size:	997'896 bytes
MD5:	d04fe8d654f371aba620596e67963714
SHA1:	7e1ff1be9962bc31859cfc22757aad3df52ea193
SHA256:	9c9405332a044a5f3222dfc59bc8b36a4cd6fc4542c8651667aaf2101bb54ea8
SHA512:	55b371ad701384433bb31e81c466cfa1b623ecc4406b42e9d89c6151fafe5046dba07f422205c65f0bff16acfcf72e0edc23142f8b6e7b3f344294d1aefef1de
SSDEEP:	24576:kcOrkkzqRzxWItcgR/bq7lLWGkSS/lgp3A:ozqzWIb/eYGkTo3A
TLSH:	4825BF20B7F8DE67E27AB0B3DAC4525197B6D585767BE3AA0CC520CE25C27311383927
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....>g..............0......(........... ........@.. .......................`............@................................

File Icon


Icon Hash:	130b253d1931012d

Static PE Info

General

Entrypoint:	0x4ef8f6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673E9FC6 [Thu Nov 21 02:49:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xef8a4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf0000	0x2588	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xf0400	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xed8fc	0xeda00	ece0d097a315e76139e38a21a50f1d30	False	0.7378661724092583	data	7.52645497703216	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf0000	0x2588	0x2600	64f70c5eb885c5b46074f724d719b05a	False	0.8752055921052632	data	7.5770511535357725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf4000	0xc	0x200	a41c1bf95df743e9190f43225866ae8a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xf0100	0x2016	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9504504504504504
RT_GROUP_ICON	0xf2128	0x14	data	1.05
RT_VERSION	0xf214c	0x23c	data	0.46853146853146854
RT_MANIFEST	0xf2398	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 08:34:31.182710886 CET	49735	80	192.168.2.4	208.95.112.1
Nov 24, 2024 08:34:31.302329063 CET	80	49735	208.95.112.1	192.168.2.4
Nov 24, 2024 08:34:31.303355932 CET	49735	80	192.168.2.4	208.95.112.1
Nov 24, 2024 08:34:31.304111004 CET	49735	80	192.168.2.4	208.95.112.1
Nov 24, 2024 08:34:31.423522949 CET	80	49735	208.95.112.1	192.168.2.4
Nov 24, 2024 08:34:32.491986990 CET	80	49735	208.95.112.1	192.168.2.4
Nov 24, 2024 08:34:32.546245098 CET	49735	80	192.168.2.4	208.95.112.1
Nov 24, 2024 08:34:35.054538012 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:35.174132109 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:35.174204111 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:36.372843981 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:36.373070002 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:36.492554903 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:36.759104013 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:36.759303093 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:36.879179955 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:37.155103922 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:37.161700010 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:37.281774044 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:37.558909893 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:37.558993101 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:37.558999062 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:37.559129953 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:37.574136972 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:37.693718910 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:37.960000038 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:37.977615118 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:38.097184896 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:38.380646944 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:38.382509947 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:38.501974106 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:38.768135071 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:38.768474102 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:38.888035059 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:39.161525011 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:39.161856890 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:39.281496048 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:39.547892094 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:39.548135996 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:39.667659998 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:39.934016943 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:39.934236050 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:40.053894997 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:40.320183039 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:40.320936918 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:40.320936918 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:40.320936918 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:40.320974112 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:34:40.440556049 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:40.440582991 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:40.440593004 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:40.440606117 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:40.804949999 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:34:40.858860970 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:35:23.531078100 CET	49735	80	192.168.2.4	208.95.112.1
Nov 24, 2024 08:35:23.650939941 CET	80	49735	208.95.112.1	192.168.2.4
Nov 24, 2024 08:35:23.651063919 CET	49735	80	192.168.2.4	208.95.112.1
Nov 24, 2024 08:36:13.546857119 CET	49737	587	192.168.2.4	78.110.166.82
Nov 24, 2024 08:36:13.667901039 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:36:13.934895039 CET	587	49737	78.110.166.82	192.168.2.4
Nov 24, 2024 08:36:13.939970970 CET	49737	587	192.168.2.4	78.110.166.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 08:34:31.032140017 CET	53085	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:34:31.169652939 CET	53	53085	1.1.1.1	192.168.2.4
Nov 24, 2024 08:34:33.528000116 CET	54896	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:34:34.515203953 CET	54896	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:34:35.053261995 CET	53	54896	1.1.1.1	192.168.2.4
Nov 24, 2024 08:34:35.053323030 CET	53	54896	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 08:34:31.032140017 CET	192.168.2.4	1.1.1.1	0xa253	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:34:33.528000116 CET	192.168.2.4	1.1.1.1	0x108	Standard query (0)	mail.zqamcx.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:34:34.515203953 CET	192.168.2.4	1.1.1.1	0x108	Standard query (0)	mail.zqamcx.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 08:34:31.169652939 CET	1.1.1.1	192.168.2.4	0xa253	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:34:35.053261995 CET	1.1.1.1	192.168.2.4	0x108	No error (0)	mail.zqamcx.com	zqamcx.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:34:35.053261995 CET	1.1.1.1	192.168.2.4	0x108	No error (0)	zqamcx.com		78.110.166.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:34:35.053323030 CET	1.1.1.1	192.168.2.4	0x108	No error (0)	mail.zqamcx.com	zqamcx.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:34:35.053323030 CET	1.1.1.1	192.168.2.4	0x108	No error (0)	zqamcx.com		78.110.166.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	208.95.112.1	80	3732	C:\Users\user\Desktop\Quote GVSE24-00815.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:34:31.304111004 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 24, 2024 08:34:32.491986990 CET	175	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 07:34:31 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 24, 2024 08:34:36.372843981 CET	587	49737	78.110.166.82	192.168.2.4	220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Sun, 24 Nov 2024 07:34:36 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 24, 2024 08:34:36.373070002 CET	49737	587	192.168.2.4	78.110.166.82	EHLO 367706
Nov 24, 2024 08:34:36.759104013 CET	587	49737	78.110.166.82	192.168.2.4	250-cphost14.qhoster.net Hello 367706 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 24, 2024 08:34:36.759303093 CET	49737	587	192.168.2.4	78.110.166.82	STARTTLS
Nov 24, 2024 08:34:37.155103922 CET	587	49737	78.110.166.82	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	02:34:26
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\Quote GVSE24-00815.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quote GVSE24-00815.exe"
Imagebase:	0x330000
File size:	997'896 bytes
MD5 hash:	D04FE8D654F371ABA620596E67963714
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1709737330.0000000003749000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:34:29
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote GVSE24-00815.exe"
Imagebase:	0x240000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:34:29
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:34:29
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\Quote GVSE24-00815.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quote GVSE24-00815.exe"
Imagebase:	0xab0000
File size:	997'896 bytes
MD5 hash:	D04FE8D654F371ABA620596E67963714
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4139084542.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4139084542.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4137696236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4139084542.0000000002E95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	213
Total number of Limit Nodes:	12

Executed Functions

Function 04CA6BE0 Relevance: 13.2, Strings: 10, Instructions: 750
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}, xrefs: 04CA6FE2
}, xrefs: 04CA6CD5
O, xrefs: 04CA6CDC
O, xrefs: 04CA7219
&, xrefs: 04CA72C8
7, xrefs: 04CA717A
&, xrefs: 04CA7407
, xrefs: 04CA7081
, xrefs: 04CA6D74
s, xrefs: 04CA707A

Memory Dump Source

Source File: 00000000.00000002.1712783779.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ca0000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: $ $&$&$7$O$O$s$}$}
API String ID: 0-911021792
Opcode ID: 5451fcd3d8ec84f0ab24cc086f21917acb52fa88a7af09722fb8b63e602f5e21
Instruction ID: 6491472bab4819fa91f2389f0de85f60d31ba75c313d04bdbf053e98ca65d2e6
Opcode Fuzzy Hash: 5451fcd3d8ec84f0ab24cc086f21917acb52fa88a7af09722fb8b63e602f5e21
Instruction Fuzzy Hash: 09628E30A10706CFD715EF78C844BAAB7B2FFC5304F1586A9D059AB360DB75A985CB81

Function 04CA6BDA Relevance: 13.2, Strings: 10, Instructions: 674
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}, xrefs: 04CA6FE2
}, xrefs: 04CA6CD5
O, xrefs: 04CA6CDC
O, xrefs: 04CA7219
&, xrefs: 04CA72C8
7, xrefs: 04CA717A
&, xrefs: 04CA7407
, xrefs: 04CA7081
, xrefs: 04CA6D74
s, xrefs: 04CA707A

Memory Dump Source

Source File: 00000000.00000002.1712783779.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ca0000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: $ $&$&$7$O$O$s$}$}
API String ID: 0-911021792
Opcode ID: 8ab046866466bd302757b39ff277d9a894abc84148f401f6e23c7e4d1e2badc0
Instruction ID: 23fec00bb06be44f83c511849da250a1fef2be8941fcdd590b64dc383e28e2fe
Opcode Fuzzy Hash: 8ab046866466bd302757b39ff277d9a894abc84148f401f6e23c7e4d1e2badc0
Instruction Fuzzy Hash: 81526E30A10B06CFD715EF78C844AAAB7B2FFC5304F1586A9D0596B360EB75B985CB81

Function 06E5AF68 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737a086ebb7c8a03c5a3ab92f68377ef65bc9da3dd70d13d092aff0f90dcbe38
Instruction ID: 27bd102dbc8e1a2fc1661285684df7503c3d44babc98bb173866503ffe059912
Opcode Fuzzy Hash: 737a086ebb7c8a03c5a3ab92f68377ef65bc9da3dd70d13d092aff0f90dcbe38
Instruction Fuzzy Hash: 3522CE30B013048FDB69DB69C564BAEBBF6AF89304F2544A9E546DB391CB34EC41CB51

Function 06E57BC7 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E57DFE

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fd0fe8e7853d72a0edf10b44a75193d8612dce8782877b9222c4ee7a470d011d
Instruction ID: 85b6d707f24c9d328feea22e7e7c43ec983752be47b8c6eab6408ae4aac19e2a
Opcode Fuzzy Hash: fd0fe8e7853d72a0edf10b44a75193d8612dce8782877b9222c4ee7a470d011d
Instruction Fuzzy Hash: BF914871D003199FEF54CF68C841BEEBBB2BF48314F1585A9E808A7290DB749995CF91

Function 06E57BC8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E57DFE

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 10cff6996aeba0d30f23734298918b997c445a2a88e109ba7d4261b6ea362ca6
Instruction ID: 86edb9c85397a6697411ea8b45cffb258f47ea1361126308db6a157ba4c57eec
Opcode Fuzzy Hash: 10cff6996aeba0d30f23734298918b997c445a2a88e109ba7d4261b6ea362ca6
Instruction Fuzzy Hash: 76914771D003199FEF54CF68C841BEEBBB2BF48314F1585A9E808A7290DB749995CF92

Function 00E3AD08 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E3AF5E

Memory Dump Source

Source File: 00000000.00000002.1707578148.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_Quote GVSE24-00815.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 26087e7de488cca1490a3edc69d5a1ee35643a5176f7c62137a55c01e49b9fd3
Instruction ID: 8ed931fc95b20f97e8b1887750944d1f8cca550cd7fdcfc8498aacb4721bbbe6
Opcode Fuzzy Hash: 26087e7de488cca1490a3edc69d5a1ee35643a5176f7c62137a55c01e49b9fd3
Instruction Fuzzy Hash: E8711670A00B058FD764DF2AD04575ABBF1FF88308F148A2DD486E7A50D775E989CB91

Function 00E344B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E359A9

Memory Dump Source

Source File: 00000000.00000002.1707578148.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_Quote GVSE24-00815.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b1f38da9b23e47f08c615ccd349f1f80768eaaf738b65188ccb79ea885540aab
Instruction ID: 40457e3d6b2fdc085d8dcca68a91e9274c0dcd343d0a0fd4ccf9bb9fc70e32c7
Opcode Fuzzy Hash: b1f38da9b23e47f08c615ccd349f1f80768eaaf738b65188ccb79ea885540aab
Instruction Fuzzy Hash: 4441D0B1D0071DCBDB24DFA9C988B9EBBB5BF48304F20816AD408BB255DBB56945CF90

Function 04CA4040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04CA4101

Memory Dump Source

Source File: 00000000.00000002.1712783779.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ca0000_Quote GVSE24-00815.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7adc5a5313313426b431e33ef74ec3475580f6c80b1aec8d787709c8a5e40a91
Instruction ID: 73f2e6047c231268b651199611b0e21503fd41958302e31db409a18cf3c487e2
Opcode Fuzzy Hash: 7adc5a5313313426b431e33ef74ec3475580f6c80b1aec8d787709c8a5e40a91
Instruction Fuzzy Hash: 05413BB8900219DFDB14CF99C448AABBBF5FB88314F14C459D519A7321D375A841CFA4

Function 00E358F7 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E359A9

Memory Dump Source

Source File: 00000000.00000002.1707578148.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_Quote GVSE24-00815.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 429f0ab441469eda841f63f4f474d9343a9980ce8b6292b220d3993c608b7f90
Instruction ID: 4a7891529880d3f1e8f841141d15a6cf16e79ff37972c69cf0dbb2335d1a59a4
Opcode Fuzzy Hash: 429f0ab441469eda841f63f4f474d9343a9980ce8b6292b220d3993c608b7f90
Instruction Fuzzy Hash: AF41D1B1C00619CBDB24DFA9C9887CDBBB5BF48304F20816AD408BB255DB756946CF90

Function 06E57940 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E579D0

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3801607ac283c1ad186e521fca223d0b519eb365f15c8533446e147d2b9a6001
Instruction ID: 216a9e53922b3d0ff3a464574e1c5aa5157bbf2946f6bbafe77dd9dc2936d12b
Opcode Fuzzy Hash: 3801607ac283c1ad186e521fca223d0b519eb365f15c8533446e147d2b9a6001
Instruction Fuzzy Hash: 352124B19003599FDF10DFA9C885BDEBBF5FF48314F10842AE958A7250C7789954CBA4

Function 06E57938 Relevance: 1.6, APIs: 1, Instructions: 67
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E579D0

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 09996550ad190d7973f58ea6dbfad90f3f29c95a6048f4b4fe2fa0541f6150fb
Instruction ID: 3b037f6c7b8fc216f11dc0b029546de32dcd9526e7b0b1139d0e3d6eb864d0b3
Opcode Fuzzy Hash: 09996550ad190d7973f58ea6dbfad90f3f29c95a6048f4b4fe2fa0541f6150fb
Instruction Fuzzy Hash: 362144B2900309CFDB14CFA9C981BDEBBF1FF48314F10882AE959A7250C7789954CB64

Function 06E577A1 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E57826

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 777ddf0747e6a419e238d0952c68cb568b3f83d6b096453177e6d6ac84c9dc43
Instruction ID: d8e009e7db5739daec689b5d4822bc2d0c18d4ea85c8262ac627807e438e5c72
Opcode Fuzzy Hash: 777ddf0747e6a419e238d0952c68cb568b3f83d6b096453177e6d6ac84c9dc43
Instruction Fuzzy Hash: 2B216A71D003089FDB14DFAAC8857EEBBF4EF48324F108429D859A7240C7789944CFA5

Function 00E3D1DC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E3D5B6,?,?,?,?,?), ref: 00E3D677

Memory Dump Source

Source File: 00000000.00000002.1707578148.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_Quote GVSE24-00815.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 199c3c754781724062155300a93384ff99333d2cc67bcb20f46dedde3c191886
Instruction ID: adb977aedbd1ff225029dcb35a095d226fc2382dcf17100673ccd9169efef24b
Opcode Fuzzy Hash: 199c3c754781724062155300a93384ff99333d2cc67bcb20f46dedde3c191886
Instruction Fuzzy Hash: D721E5B5900258EFDB10CFAAD984ADEBFF4EB48314F14841AE918B7310D375A950CFA4

Function 06E577A8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E57826

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ef38e2226f995e38c242c3eef698c903774e89ae5572150118ba71a5e678b9cf
Instruction ID: 6dfa32544258c49e6c7dcb2eec768cf0998f4b415a2711c81cd929e577097f7b
Opcode Fuzzy Hash: ef38e2226f995e38c242c3eef698c903774e89ae5572150118ba71a5e678b9cf
Instruction Fuzzy Hash: 782149B1D003198FDB10DFAAC4857EEBBF4EF88324F108429D859A7241C7789944CFA5

Function 06E57A30 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E57AB0

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 40b371e42a90c7812d2e3841ff2cee75372264c767dc3ebefa532a7f36036226
Instruction ID: 364752d7e0993e058fd0826e1ba8c0dac3aaa0fa1acfdd770bf7c579281eba11
Opcode Fuzzy Hash: 40b371e42a90c7812d2e3841ff2cee75372264c767dc3ebefa532a7f36036226
Instruction Fuzzy Hash: 7B2128B1C003599FCB10DFAAC885ADEFBF5FF48310F10842AE958A7250D7389954CBA4

Function 06E57A28 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E57AB0

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0ab3fb81a63e3fbc927090df84698755a99848580a9d1865af73fae6e776a6aa
Instruction ID: 1099e9d0b3acaf13e32c76042b8225194d5e1690d149472af7022d4b508e7afb
Opcode Fuzzy Hash: 0ab3fb81a63e3fbc927090df84698755a99848580a9d1865af73fae6e776a6aa
Instruction Fuzzy Hash: 902114B1D00349DFDB14CFA9C981ADEBBF1FF48310F10882AE558A7250DB399951DBA4

Function 06E57878 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E578EE

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7846323521c70aee3b923136851ecfa0a44251cd7168d1792abc9e0ec6cf9010
Instruction ID: 9c88b1710ac509e58af956a8ca982e9e76bd26231e29f21aec4784bd82e0899a
Opcode Fuzzy Hash: 7846323521c70aee3b923136851ecfa0a44251cd7168d1792abc9e0ec6cf9010
Instruction Fuzzy Hash: 541164B1900348CFCF14CFA9C9417EEBBF1AF88324F14881AD959A7260C77A9954CFA1

Function 06E57880 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E578EE

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2288692ad780eee20529f6459d7e827e4ade19086ebb57524bdda8fe3ab8a4e3
Instruction ID: 483b4635633cd011c2bf08053cb3b1e7fc2c0d6831df98e85e0f93fb204ab03d
Opcode Fuzzy Hash: 2288692ad780eee20529f6459d7e827e4ade19086ebb57524bdda8fe3ab8a4e3
Instruction Fuzzy Hash: 6B1156B19002489FCB10DFAAC844ADEBBF5EF88324F108419E919A7250C735A950CFA4

Function 06E576F8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06E5775A

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 36c53816ad6e27930202e4e3e91992188ca2546e7a1bd4c07cf18faede107a87
Instruction ID: 34174176b0b1a111c176b90244a68ba1c74f4699d26a914469b33a329124117f
Opcode Fuzzy Hash: 36c53816ad6e27930202e4e3e91992188ca2546e7a1bd4c07cf18faede107a87
Instruction Fuzzy Hash: 871128B19003498BDB14DFAAD4457DEFBF4EB88324F208419D559A7250C775A944CB94

Function 00E3AEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E3AF5E

Memory Dump Source

Source File: 00000000.00000002.1707578148.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_Quote GVSE24-00815.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 88bcfa0f964fa1e85af107dd90bd95a796da198e2517eddcbe6266cfe354a531
Instruction ID: badb69d41170ee2fd7dc856eb5e22f6a0c111b7b290518ba9770090721e23328
Opcode Fuzzy Hash: 88bcfa0f964fa1e85af107dd90bd95a796da198e2517eddcbe6266cfe354a531
Instruction Fuzzy Hash: 70110FB5D002498FCB10CF9AC448ADEFBF4AB88324F14842AD458B7210C379A585CFA5

Function 06E576F0 Relevance: 1.5, APIs: 1, Instructions: 47threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06E5775A

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e33854b495e2ff704141d738f80fde38a359fb1680857bf19bcdc3dbdcb4ed40
Instruction ID: 5c5f61a10b4d0c14bb17c57964fed78bbe096092750ff719befcd709a5010c61
Opcode Fuzzy Hash: e33854b495e2ff704141d738f80fde38a359fb1680857bf19bcdc3dbdcb4ed40
Instruction Fuzzy Hash: F81143B59003498BCB14CFA9C5453DEBBF5AB88324F20882AC559A7250CB79A944CB94

Function 06E55FB0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06E5A35D

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c5d1a424d1412cb207830c85a318c9bc8f43081ff8e390b87c3d61f0baf32475
Instruction ID: f2cc85309fdb6ad0f8177b2bb3263068be2f24ab2304bd966767f13f190320d6
Opcode Fuzzy Hash: c5d1a424d1412cb207830c85a318c9bc8f43081ff8e390b87c3d61f0baf32475
Instruction Fuzzy Hash: C11103B5800348DFDB10DF9AD989BDEBBF8EB48324F10845AE958A7210D375A944CFA5

Function 06E5A2F8 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06E5A35D

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7cc36fdac2f94474b03c0e6c8c7ef784d0a981a05e083087ef650eed78ccfa6b
Instruction ID: b3280fc29b2ecd421015e82811ff3d8ed9e85b4fc47cddb1ca07325137cd9241
Opcode Fuzzy Hash: 7cc36fdac2f94474b03c0e6c8c7ef784d0a981a05e083087ef650eed78ccfa6b
Instruction Fuzzy Hash: 5C1115B5800349CFDB14CF99D589BDEBBF5FB48314F20841AD968A7210C375A940CFA4

Function 009FD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706644317.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fd000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0193a96f388592173f2ec0ef304f894ae0fef7fb7817df19612330579cfff041
Instruction ID: 34205300065a2a1a1ae4acb017c5f719685a29f154f39ba631459ad80dc0d3ee
Opcode Fuzzy Hash: 0193a96f388592173f2ec0ef304f894ae0fef7fb7817df19612330579cfff041
Instruction Fuzzy Hash: 5F213A71501208DFDB05DF14D9C4B36BF6AFB94324F20C569DA094B2A6C33AE856C7A2

Function 00A0D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706729767.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0d000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c8c6868854d2339d7aff8238870083d4115294cdd5bafc629f0e7fcc1747b3
Instruction ID: 7b796d719e07c6246e563e06aee805409ed654d0a0b7319fb3b7afefe82fe8ae
Opcode Fuzzy Hash: d9c8c6868854d2339d7aff8238870083d4115294cdd5bafc629f0e7fcc1747b3
Instruction Fuzzy Hash: FC210472504208EFDB05DF94E9C0B66BBA5FB88314F20C66DE8094B296C336D846CA61

Function 00A0D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706729767.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0d000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2e9a249b27cce4d63a1f4464fd6e7168a81799ef62bdec5fef08a233c6ea78
Instruction ID: 93fb4f283dee840b337c50c4c9e690e6bf98c8133b405ce3d71f31c8c6a0c37f
Opcode Fuzzy Hash: 7c2e9a249b27cce4d63a1f4464fd6e7168a81799ef62bdec5fef08a233c6ea78
Instruction Fuzzy Hash: B821F272604208EFDB14DF54E984B26BFA5FB84314F20C569D84E4B296C33AD847CA61

Function 00A0D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706729767.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0d000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3772ca5fa30dbdf16049056414a17902eaabe77c7a20551a5a4e11924bf25be2
Instruction ID: c63003ccbc24b95458d0cfdfee208dd74ad38dfd1a95a87433ecc9020c0e3792
Opcode Fuzzy Hash: 3772ca5fa30dbdf16049056414a17902eaabe77c7a20551a5a4e11924bf25be2
Instruction Fuzzy Hash: 9621A1765093848FCB02CF24D994715BF71EB46314F28C5DAD8498B6A7C33A980ACB62

Function 009FD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706644317.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fd000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: b38dbc54f26123447e69e2737cb0b4992cb26f232b7b02fe039b4f56c4bfe843
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 9E112672404244CFDB02CF00D5C4B26BF72FB94324F24C2A9DD090B666C33AE85ACBA2

Function 00A0D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706729767.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0d000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: b6471e28803d09f6feb110c8383b47adc558274b7172f30b7fc6226815146d53
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F011BB76504284DFCB02CF54D5C4B55BBA1FB88314F24C6AAD8494B696C33AD80ACB61

Function 009FD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706644317.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fd000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4b54ec43438eb4f22beb1910798a56348b4409e5d0a63adcc8a88234627361
Instruction ID: 4bf7ad468f2fc4b8b8534f21a31a4f34f915c706706287c57f3a8453bed3b319
Opcode Fuzzy Hash: 3f4b54ec43438eb4f22beb1910798a56348b4409e5d0a63adcc8a88234627361
Instruction Fuzzy Hash: BE01A7B110A3489AE7106A25CDC4777FFDDEF51324F18C92AEE194E29AC2799840C771

Function 009FD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706644317.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fd000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4ff75bbadd6b9704945baaa9cf1feeab71acfd5cb29d21a4d785abafdb6835
Instruction ID: 3ae01bf7a502176649a9bbabbe575eb8690a797c8bd9bb481655b178ad2e61cc
Opcode Fuzzy Hash: 3b4ff75bbadd6b9704945baaa9cf1feeab71acfd5cb29d21a4d785abafdb6835
Instruction Fuzzy Hash: 51F06271405344AEE7109A16DCC4B62FFACEF51724F18C45AEE084F29AC2799844CBB1

Non-executed Functions

Function 04CA6BD1 Relevance: 5.4, Strings: 4, Instructions: 359COMMON

Download Yara Rule

Strings

O, xrefs: 04CA7219
&, xrefs: 04CA72C8
7, xrefs: 04CA717A
&, xrefs: 04CA7407

Memory Dump Source

Source File: 00000000.00000002.1712783779.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ca0000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: &$&$7$O
API String ID: 0-4198643847
Opcode ID: 7648d9f9235295c6a4e484dc463b1ee4d409dd1a146df960bb34704c2e0291c9
Instruction ID: cd884e05aa307374cb13d53f64ac66387d5714055e046400a42cb1b23ce891f9
Opcode Fuzzy Hash: 7648d9f9235295c6a4e484dc463b1ee4d409dd1a146df960bb34704c2e0291c9
Instruction Fuzzy Hash: 2AF14C30A10B06CFD715EF74C854A9AB3B2BFC6308F258699D0596B360EB71B995CB81

Function 06E56ED0 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

-Eg0, xrefs: 06E56F2B

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: -Eg0
API String ID: 0-153627160
Opcode ID: 3a2c92e7355131767dd1b65c5d67dc85e98e382d244574621c2372351248dba7
Instruction ID: e0711625c20f2cedf46ac525fbd8bb70021bee12dbd5c200b2e3b51d480558bf
Opcode Fuzzy Hash: 3a2c92e7355131767dd1b65c5d67dc85e98e382d244574621c2372351248dba7
Instruction Fuzzy Hash: CCE11B74E102198FCB14DFA9C5809AEFBF2BF89305F25D15AE814AB356DB31A941CF60

Function 04CA0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712783779.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ca0000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61e9f7f6e98349b81691884068b6bbe9e13d3c7625020bcd65502b908978320
Instruction ID: 69c18ca168b56f295fab4a108a33378180cec9bff64781cfdf4fa7f4739e7d79
Opcode Fuzzy Hash: e61e9f7f6e98349b81691884068b6bbe9e13d3c7625020bcd65502b908978320
Instruction Fuzzy Hash: 691297B0C917468AD318CF6EE98D1897BB1BFC5318BD0CA09D2A52B6E1D7B4116ACF44

Function 06E54FB8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc7a98fe3c11e88aee71bd7ffa8974e5786647358c313f893e0ddce59072b76
Instruction ID: e53159e268875be5b57cce009469c5d3f7667d3af66b3d72e6f9efc071a24a96
Opcode Fuzzy Hash: 4fc7a98fe3c11e88aee71bd7ffa8974e5786647358c313f893e0ddce59072b76
Instruction Fuzzy Hash: 2CE10B74E102598FCB14DFA9C5809AEFBF2BF89305F25D169D814AB356DB30A941CFA0

Function 06E56A98 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aae536f520305684b23e1ce3b4a67886df3ffce7e55d926792f0cbc05d2ce19
Instruction ID: d3c414909caae2a64d7ba2996dcfc5d17d1bd813c01bff9a0f05f7960c2f5da4
Opcode Fuzzy Hash: 9aae536f520305684b23e1ce3b4a67886df3ffce7e55d926792f0cbc05d2ce19
Instruction Fuzzy Hash: 01E1F974E002598FCB54DFA9C5809AEBBF2FF89305F25D159E814AB356DB30A941CFA0

Function 06E553F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5a56939d301e722648a5ea1da4c5ef81e21f651b71697ea51cef1f8e3e92f1
Instruction ID: dd7dd0db1329cbae2303bcb193a2b4e923ea9e2a9799fb3ae01889d34c2b5f62
Opcode Fuzzy Hash: 6d5a56939d301e722648a5ea1da4c5ef81e21f651b71697ea51cef1f8e3e92f1
Instruction Fuzzy Hash: 18E11874E102598FCB14DFA9C5809AEFBF2BF88305F25D169E815AB356DB30A941CF60

Function 06E54B80 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab7edca806801eda65346c29c610c66d8dfa477f834f9ce5f7a362220d47429
Instruction ID: 71371462827a9c7207386931be1b35a74401d941284c0bbd9d123eb547725096
Opcode Fuzzy Hash: dab7edca806801eda65346c29c610c66d8dfa477f834f9ce5f7a362220d47429
Instruction Fuzzy Hash: 84E1F974E002198FDB54DFA9C5809AEFBF2BF88305F25D159E814AB355DB30A981CF61

Function 00E3D51C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707578148.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a83cecd93c24c79d158aad484d69829109bc722281bdf7a0f7f25af41e49e18
Instruction ID: cf4b7090921a172726589254c8b1d4391e8ab3076f76bb42af6b9535609dd299
Opcode Fuzzy Hash: 3a83cecd93c24c79d158aad484d69829109bc722281bdf7a0f7f25af41e49e18
Instruction Fuzzy Hash: 4BA16B32E102099FCF15DFA4D94489EBBB2FF85304B1595BAE801BB262DB71ED15CB40

Function 04CA003F Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712783779.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ca0000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5472d486cd1369278c51ae1e6fac73cf7c78f57c580a6145154cd299350825
Instruction ID: 7d753ef7df9056264a6d8336ef5a5d506646b486db786ae695d7221ddbfa903f
Opcode Fuzzy Hash: bc5472d486cd1369278c51ae1e6fac73cf7c78f57c580a6145154cd299350825
Instruction Fuzzy Hash: D2C1E9B0C917468AD718CF6EE8891897BB1FFC5318F90CB09D1A16B6E0DBB4156ACF44

Function 06E54FA7 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3f596bcfbd099e93cc1b061f8ddfb6e9935d96de5d41a5eb46bffb3d7556d8
Instruction ID: 9fa788b3e06fc9b467d21e5393ce7975701476923f6499bba769b1416e54c4ec
Opcode Fuzzy Hash: 3d3f596bcfbd099e93cc1b061f8ddfb6e9935d96de5d41a5eb46bffb3d7556d8
Instruction Fuzzy Hash: BA611A74E002198FCB14DFA9D5809AEFBF2EF89304F25D16AD818AB355D734A941CFA1

Function 06E56A88 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714378269.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e50000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff7d289e6868845682c038a78237c2ed1b5e917f75a2ecc3df7c025030d2863
Instruction ID: 44bcccf422dd979e506b464d3f1d38f678a84a62c0adf5c98a72e32b3bfafe5c
Opcode Fuzzy Hash: aff7d289e6868845682c038a78237c2ed1b5e917f75a2ecc3df7c025030d2863
Instruction Fuzzy Hash: AC514E75E002198FDB54DFA9C5405AEFBF2FF89304F25D16AD818AB226DB309942CF51

Analysis Process: Quote GVSE24-00815.exePID: 3732, Parent PID: 6260COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	21

Executed Functions

Function 06A23148 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A2386B
$^q, xrefs: 06A23877
$^q, xrefs: 06A23853
$^q, xrefs: 06A2381E
$^q, xrefs: 06A23847
$^q, xrefs: 06A2382A

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 2e336f38ce227f6fd992ce71a30edbb6c451818630f9f7a0780c9bcae0b32790
Instruction ID: 8ce8ec2ff6eb90df637d359dc4eecd56a82a597429d2c58c7a45fb110db19797
Opcode Fuzzy Hash: 2e336f38ce227f6fd992ce71a30edbb6c451818630f9f7a0780c9bcae0b32790
Instruction Fuzzy Hash: ED322031E5071A8FCF14EF79C89459DB7B6FF89300F1086A9D409AB265EB309986CB91

Function 06A27E50 Relevance: 3.0, Strings: 2, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A281BF
$^q, xrefs: 06A281B3

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: ceec33edfc2fdda32bb1593c4eee3578fbb98a812456288fc71e3fd475a9e9fd
Instruction ID: 95521f83eb7ad51c9e20f48603b619632789eec1db0cc8d5e7d29aa1aba3fa6f
Opcode Fuzzy Hash: ceec33edfc2fdda32bb1593c4eee3578fbb98a812456288fc71e3fd475a9e9fd
Instruction Fuzzy Hash: 0202CE30B502268FDB14EB69D9806AEB7F2FF84304F148569E419DB394DB35EC86CB91

Function 06A25680 Relevance: 1.8, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

$, xrefs: 06A25A0F

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: e10065ff168c07e15dabd576fb7681d2962e9fd48b50698b812e4e681c3b479a
Instruction ID: c7846b16cdad95938158efd3e0002483d7312fd62e01697a9e74f53f31796708
Opcode Fuzzy Hash: e10065ff168c07e15dabd576fb7681d2962e9fd48b50698b812e4e681c3b479a
Instruction Fuzzy Hash: 3422D275E502269FDF64EBA8C4846AEB7B2FF85324F208469D449AF344D731DC41CB91

Function 02D071D8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02D0724F

Memory Dump Source

Source File: 00000004.00000002.4138894271.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d00000_Quote GVSE24-00815.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 3e4cddf66bb02443eac9b0081294e5ecc2491cd2454baa84c981dfcb56c16a4c
Instruction ID: ef676bf8116dd6ccc5e196fb793419e1a5beaf8ae878cad070253af62213a884
Opcode Fuzzy Hash: 3e4cddf66bb02443eac9b0081294e5ecc2491cd2454baa84c981dfcb56c16a4c
Instruction Fuzzy Hash: 3B2148B1800259CFDB10CFAAC484BEEFBF4AF49320F14846AE459A7350D738A944CF61

Function 06A266C8 Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd720cfcc2ce9da9618cea5478c3bc665b3848a075b56b1a411c79a14423172
Instruction ID: f4f5e6abe4dcf272711f9febc0f80e15b5ef29af99475eb37ba286163e0d8623
Opcode Fuzzy Hash: dcd720cfcc2ce9da9618cea5478c3bc665b3848a075b56b1a411c79a14423172
Instruction Fuzzy Hash: F862AE30B512268FDB54EB68D584AAEB7F2FF88304F148469E409DB395DB31ED46CB90

Function 06A2C240 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88986581d46d122d815f8fbeceb24526ac7badd85ccaeebbc9b779fc81491852
Instruction ID: a21b03175247f58aef14d3798aedb2248ae71b80109d3df3474897943076032e
Opcode Fuzzy Hash: 88986581d46d122d815f8fbeceb24526ac7badd85ccaeebbc9b779fc81491852
Instruction Fuzzy Hash: D6328F30B402269FDF94EB6DD990BAEB7B2FB88360F108525E406DB355DB35DC428B91

Function 06A2B2F9 Relevance: .6, Instructions: 562COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b090602b0815469f1a17de6cbb26881a262de31136556acb65dd7d24defdf09
Instruction ID: 5b063c0a638e7fe554f743c99943a4a3e6d6574bb62b0e76257685ff91256c41
Opcode Fuzzy Hash: 5b090602b0815469f1a17de6cbb26881a262de31136556acb65dd7d24defdf09
Instruction Fuzzy Hash: 96226F30E5011A8FEF64EB6DD5807AEB7B2FB85314F208925E409EB391DB35DC818B61

Function 06A2ADA0 Relevance: 10.4, Strings: 8, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A2AF43
$^q, xrefs: 06A2AF14
$^q, xrefs: 06A2AECD
$^q, xrefs: 06A2AF20
$^q, xrefs: 06A2AEC1
$^q, xrefs: 06A2AF4F
$^q, xrefs: 06A2AF6C
$^q, xrefs: 06A2AF78

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 016dcbf348b9618e3f22bf5efc2869dac17008a9dc69c1a55c7b0f77e72e5fa3
Instruction ID: 22091e7d41de9090f24727dd9d44e9bfc57e28f9b14eaaafb259e1a4adb998df
Opcode Fuzzy Hash: 016dcbf348b9618e3f22bf5efc2869dac17008a9dc69c1a55c7b0f77e72e5fa3
Instruction Fuzzy Hash: 27E18D30E5022A8FDB69EFA9D5806AEB7B2FF85304F208529D505EB354DB34DC46CB91

Function 06A2B710 Relevance: 8.0, Strings: 6, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A2BC99
$^q, xrefs: 06A2BC8D
$^q, xrefs: 06A2BC65
$^q, xrefs: 06A2BCC1
$^q, xrefs: 06A2BCCD
$^q, xrefs: 06A2BC59

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 4509db13554775e6d5714d475053413a3bea418e1a78fbffb65a4b0880858902
Instruction ID: 05294f3bbc45ca6c21a3dc472ab143571590a6d93b9910e7cb7c29b5082a4209
Opcode Fuzzy Hash: 4509db13554775e6d5714d475053413a3bea418e1a78fbffb65a4b0880858902
Instruction Fuzzy Hash: E6026E30E5022A8FDB64EF6CD5806ADB7B2FB85718F10892AD405DF255DB30EC85CBA1

Function 06A29228 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A292B6
$^q, xrefs: 06A2927B
$^q, xrefs: 06A2926F
$^q, xrefs: 06A292AA

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: e94d2834089825b2b5f098f26dd13714844aeb99fe9c5db1c74e17b63a9a4cfa
Instruction ID: c283d4ac4148a741dbb7c68b4dfe2c533d59fea260187a98e4a37bd849fe2d38
Opcode Fuzzy Hash: e94d2834089825b2b5f098f26dd13714844aeb99fe9c5db1c74e17b63a9a4cfa
Instruction Fuzzy Hash: 5D914230B1022A9FDB54EF6AD9507AFB3F6AB85704F108569D409EB384EB70DC468B91

Function 06A2CFF8 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A2D3F7
$^q, xrefs: 06A2D3EF
$^q, xrefs: 06A2D403

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: fe7c982ecf4d3f8023d266b73a2257d23548320001e9041940bc658bc43aef20
Instruction ID: cbdeeaf2856adc4cda575b810ac9403bc126edee97df20056702bf00e670a5ee
Opcode Fuzzy Hash: fe7c982ecf4d3f8023d266b73a2257d23548320001e9041940bc658bc43aef20
Instruction Fuzzy Hash: 12623430A4021A9FCB55EF69D590A5EB7F2FF84344F108A69D0099F369DB71ED4ACB80

Function 06A24C50 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06A24DA1
fcq, xrefs: 06A24C7B
\Ocq, xrefs: 06A24E2B

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: cb000bdd143e723b37aebb688894315a7c7fc0f2cf6c9078989c9c42c742f3d4
Instruction ID: 67a7a113e134e5128cba65310c13721d9728a20493e35164792c31a3e01fb6fa
Opcode Fuzzy Hash: cb000bdd143e723b37aebb688894315a7c7fc0f2cf6c9078989c9c42c742f3d4
Instruction Fuzzy Hash: A0617030F502199FEF54EFA9C8547AEBBF6FB88700F208529D106AB395DB708C459B91

Function 06A2A47A Relevance: 2.7, Strings: 2, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x!@, xrefs: 06A2A53F
X!@, xrefs: 06A2A51E

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: X!@$x!@
API String ID: 0-2527372166
Opcode ID: aaa70592c54acefc2e5f5992b23af5e40f8c1366cd1df6e4aec7d232ada08592
Instruction ID: ff0ab8d6bb663037d7a74af13216a9ef23707bf51e145979af50a8d415e84d1c
Opcode Fuzzy Hash: aaa70592c54acefc2e5f5992b23af5e40f8c1366cd1df6e4aec7d232ada08592
Instruction Fuzzy Hash: 3F819031B102169FCB55EB6CD88069EB7B6FB88310F108979E50AEB754DB31DC46CB90

Function 06A29218 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A2926F
$^q, xrefs: 06A292AA

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 57e16a049f56fcff7332a1c2849bf0ed0e4f4703fcb6a435ffcc641993a02b5a
Instruction ID: 7c4f0e22589515c40acad304f9fa58e063ce71a8d52031ce3bd35e73f2d53e0f
Opcode Fuzzy Hash: 57e16a049f56fcff7332a1c2849bf0ed0e4f4703fcb6a435ffcc641993a02b5a
Instruction Fuzzy Hash: E1514E30B1011A9FDB54EB6AD990BAFB3F6AB88704F108569D409DB385EB30DC438B91

Function 06A24C40 Relevance: 2.6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

Strings

XPcq, xrefs: 06A24DA1
fcq, xrefs: 06A24C7B

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: ce1c6083ec6e6bf5572e964be40528a598bac76d2df536f740cecf56e8490038
Instruction ID: 15334c5c7e65f6b8c52f8c9ed9dac717bc6c471fe40e994b49725dce63e91ac4
Opcode Fuzzy Hash: ce1c6083ec6e6bf5572e964be40528a598bac76d2df536f740cecf56e8490038
Instruction Fuzzy Hash: 4F516270B102199FEB55DFA9C8547AEBAF6FF88700F208529E105AB395DB708C059B91

Function 069C2F57 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069C3072

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8feb77dde7052be332e40c8a29045e43d285404240234dc046d65ed71ef03402
Instruction ID: 287590f51616a49bd74ca3c476e79c5818b2ee7eb0716493796d1d429431267b
Opcode Fuzzy Hash: 8feb77dde7052be332e40c8a29045e43d285404240234dc046d65ed71ef03402
Instruction Fuzzy Hash: B051E1B1D00209EFDF15CFA9C984ADEBBB5FF49310F24812AE418AB224D7719945CF92

Function 02D0F2B8 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4138894271.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d00000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368207f7d6bf404f22f8eae1cc60d1ac997c7742be7411277c093fcb12bbfb56
Instruction ID: 258b339afcf8274dceef2a0a992c594ec2d01b203d7879ec88eb9e317b826267
Opcode Fuzzy Hash: 368207f7d6bf404f22f8eae1cc60d1ac997c7742be7411277c093fcb12bbfb56
Instruction Fuzzy Hash: A5413472D043968FCB10CFB9D8042EEBFF1AF89210F1485AAE444A7790DB389841CBE1

Function 069C2F60 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069C3072

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c6f37fa1dbd5133f9a93206f333f47048b1d9920b5996484e5912cb4a65f2ded
Instruction ID: 75231b853da6c4b7cfb6f060c8b711a83ba492dba42ee0572e2a110a37a1b41b
Opcode Fuzzy Hash: c6f37fa1dbd5133f9a93206f333f47048b1d9920b5996484e5912cb4a65f2ded
Instruction Fuzzy Hash: 6541C0B1D00309DFDB14CF99C884ADEBBB5BF48310F24852AE819AB250D771A985CF91

Function 069C670C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 069C7AF1

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 51e683a15b29d22433d5c9f11db42c34602502e9d7fa33108262b081e0d3ac89
Instruction ID: 3839890473e34e46b1f4bbafd906e33bfd9dd5730ce76340b455c52014f15231
Opcode Fuzzy Hash: 51e683a15b29d22433d5c9f11db42c34602502e9d7fa33108262b081e0d3ac89
Instruction Fuzzy Hash: 0F411CB4900305CFDB54CF99C888AAABBF5FB88324F24C85DD519AB721D774A941CFA1

Function 069C8775 Relevance: 1.6, APIs: 1, Instructions: 76comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 069C8808

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: a697c5a4df367bfa53c112c8c3e52b5673c95ac075c26c1a4fc443eeea0d4d77
Instruction ID: 377cb4fb6e059511bc7fd97cc310dd81fdc9cba988c485ee17b4f42a3edb358d
Opcode Fuzzy Hash: a697c5a4df367bfa53c112c8c3e52b5673c95ac075c26c1a4fc443eeea0d4d77
Instruction Fuzzy Hash: 7D3110B0D01208EFDB20CF99C984BCEBFF5AB48314F208419E405BB694DB75A845CBA2

Function 069C8120 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 069C8808

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: fb4672b50b25316d06b891c9826057d463f3eb9c196b68b8bf60d7a2d9680f25
Instruction ID: 998a83b00738a18bd56e4ce0eab921dbad5f545539cc41a84d6aa258aac794a6
Opcode Fuzzy Hash: fb4672b50b25316d06b891c9826057d463f3eb9c196b68b8bf60d7a2d9680f25
Instruction Fuzzy Hash: 363102B0D01208EFDB50DF99C984BCEBFF5AB48314F248059E404BB794DB74A945CBA6

Function 02D071D0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02D0724F

Memory Dump Source

Source File: 00000004.00000002.4138894271.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d00000_Quote GVSE24-00815.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 5edfdbc2b02ba27943fbe1b09dcb42f54bf5775ff49d7acd72e43aad751aa1b8
Instruction ID: 4f66df26943d12bd934b3e7c1e8a819ceb65f5ea2b1af17c23b399cd7a020100
Opcode Fuzzy Hash: 5edfdbc2b02ba27943fbe1b09dcb42f54bf5775ff49d7acd72e43aad751aa1b8
Instruction Fuzzy Hash: B32125B1800259CFDB10CFAAD484BEEBBF4AF49320F14846AE459A7351D738A944CF61

Function 069C6B98 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069C6C27

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 62b8edd65f393fc897c95c198c5b0c693a32c9656bc57b6b31ce5e36e125f5cf
Instruction ID: 20d39f1dd10136969113af8cce41a91438ffcfaf963c45fb7e5de0d3a6e60810
Opcode Fuzzy Hash: 62b8edd65f393fc897c95c198c5b0c693a32c9656bc57b6b31ce5e36e125f5cf
Instruction Fuzzy Hash: 7621E5B5900258DFDB10CFAAD985ADEBFF8EB48320F14841AE954A3310D378A940CFA5

Function 069C6BA0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069C6C27

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 58901af36c30ae6dc83e7ccf1f988b803400ae8aaa1acc1809d1b36f69d37481
Instruction ID: f0267e00efeacb761be906b2a6d12c5698ab877473ca5c07df70cc48eb17346c
Opcode Fuzzy Hash: 58901af36c30ae6dc83e7ccf1f988b803400ae8aaa1acc1809d1b36f69d37481
Instruction Fuzzy Hash: 6E21E4B5900208DFDB10CF9AD984ADEBFF8EB48320F14841AE914A3310C374A940CFA5

Function 069CA166 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 069CA1E3

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 6bab9f474c752c3ece9db01bce96a6a23a0444793222fcb932643895e0d2fae3
Instruction ID: 4f3faf5344e4a603af18ab8e4d16a6a07577713497b1bbd9497e0eabef2f4f56
Opcode Fuzzy Hash: 6bab9f474c752c3ece9db01bce96a6a23a0444793222fcb932643895e0d2fae3
Instruction Fuzzy Hash: 2421F4B5D002099FCB54DF9AD844BEEFBF5AB88320F10842AE459A7250C774A944CFA5

Function 069CA168 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 069CA1E3

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 1202be0c36bbbd77da6e1136280a66691c398afd0877d17862b8f0405bb58272
Instruction ID: 31789a89c6391ab3edfa1032c9d8f3c8a4b8509b521ec204da8d29ad46582203
Opcode Fuzzy Hash: 1202be0c36bbbd77da6e1136280a66691c398afd0877d17862b8f0405bb58272
Instruction Fuzzy Hash: 6121F4B5D002099FCB54DF9AD844BEEFBF5AB88320F10842AE459A7250C774A944CFA5

Function 02D0F3A0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 02D0F407

Memory Dump Source

Source File: 00000004.00000002.4138894271.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d00000_Quote GVSE24-00815.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 2a171487660a114ca92ee529f654fcabef16de1531361c9905a9ed9a4478c5c5
Instruction ID: 86fdab4762023c255308b7744c8449dc61e250f6134be80af397aaa9132dc75c
Opcode Fuzzy Hash: 2a171487660a114ca92ee529f654fcabef16de1531361c9905a9ed9a4478c5c5
Instruction Fuzzy Hash: 131112B1C006599FCB10CF9AD544BDEFBF4BB48320F20816AD818A7351D778A940CFA5

Function 069C0424 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 069C1B16

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bd781fca6731d1a8cd0541a23396786985b03b9b722b57281625f4161227ec98
Instruction ID: d5356c17b7d15405abe2a6c18c15cfc6302e5cf6ec3aa7ffcdfec1dbbb64f665
Opcode Fuzzy Hash: bd781fca6731d1a8cd0541a23396786985b03b9b722b57281625f4161227ec98
Instruction Fuzzy Hash: F41132B5C003488FCB10CF9AC444BDEFBF4EB88220F10842AD819B7611D374A545CFA5

Function 069C1AAB Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 069C1B16

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f2bb449716485bc1b51171c715bebbd2ac44c3ffc0c85f99717ac361f8fb7c02
Instruction ID: f2c349e65882a9d2437e09a012c69f64a94a08f55379e58e0a02c1ec7ebd0ec1
Opcode Fuzzy Hash: f2bb449716485bc1b51171c715bebbd2ac44c3ffc0c85f99717ac361f8fb7c02
Instruction Fuzzy Hash: 8B1132B6C007498FCB10CFAAC844ACEFBF8AB89220F10841AD469B7611D374A545CFA5

Function 069C6764 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,069C7D45), ref: 069C7DCF

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e1cb1606575adfc7c3d986514901d5af2cf28eeec2ec4b993ae13d93ae3bfb7
Instruction ID: f903e15b3f9c51d676d0a235fb17fe7507bb746454e63f71db05c2535fed5346
Opcode Fuzzy Hash: 6e1cb1606575adfc7c3d986514901d5af2cf28eeec2ec4b993ae13d93ae3bfb7
Instruction Fuzzy Hash: 051103B1800748CFDB60DF9AC489BEEFBF4EB48324F20845AD559A7650C375A944CFA5

Function 069C693C Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 069C868D

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5962e23e86b97c993a0fb4c2176f519da4a87c28265916dcc5c4b82733899455
Instruction ID: 9ef23011b2da76f75415b9559bec90ba219d286ecba839e959732d597c292a52
Opcode Fuzzy Hash: 5962e23e86b97c993a0fb4c2176f519da4a87c28265916dcc5c4b82733899455
Instruction Fuzzy Hash: 681103B19007488FDB20DF9AD649BDEBFF4EB48324F208459D519A7610C375A944CFA5

Function 069C8631 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 069C868D

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6595f13211c4d5aea87dad0ba963b439abf2735d60e8b8758bd493f4de46058f
Instruction ID: 4f61e6959b6abf1f8551c3014224cef478b71cc7497e9a8d43994019c447484a
Opcode Fuzzy Hash: 6595f13211c4d5aea87dad0ba963b439abf2735d60e8b8758bd493f4de46058f
Instruction Fuzzy Hash: 771145B59003488FCB20DFAAD549BCEFFF8EB48320F20841AE559A3610C334A540CFA5

Function 069C7D68 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,069C7D45), ref: 069C7DCF

Memory Dump Source

Source File: 00000004.00000002.4143361828.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_Quote GVSE24-00815.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 3f30cdd33048d23f46223ca7cea410d5f61ac44b6739e8656cee658198fec469
Instruction ID: fa8b8a4c79d178617468062ca826e0af8d6be96093c3e518ef0bbeeb4489d3ab
Opcode Fuzzy Hash: 3f30cdd33048d23f46223ca7cea410d5f61ac44b6739e8656cee658198fec469
Instruction Fuzzy Hash: 9B1112B1C00248CFDB20DF99D888BEEFBF4EB88324F20841AD559A7650C775A944CFA5

Function 06A2DB6D Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06A2DCC9

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 3562ca9e5c055053cbbbdede86c4dce9090ae898018ba83436027503166eba8f
Instruction ID: 25ca8659843ac0d17929dd825f7f60b5782bccabd4840293948e5db1d028a44f
Opcode Fuzzy Hash: 3562ca9e5c055053cbbbdede86c4dce9090ae898018ba83436027503166eba8f
Instruction Fuzzy Hash: 3941B270E4021A9FDB55FFB9C95469FBBB2BF85700F20452AD401EB241DBB0E846CB81

Function 06A222A8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06A223E3

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: b2cc0ca0227e50dff7f2569ce3fb757df41f60c2e530bccd5bebf85969e4ef4d
Instruction ID: 8e408186ef6cee521a7f8470e2c6fc7789b37293551ec8f332c4efa48037a82b
Opcode Fuzzy Hash: b2cc0ca0227e50dff7f2569ce3fb757df41f60c2e530bccd5bebf85969e4ef4d
Instruction Fuzzy Hash: 5931CF30B502128FDB59AB78C5547AFBBE6BB89300F104928D406DB385EF35DD46CBA1

Function 06A24B39 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06A24B45

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: eaa272b9605cfeecf3920ec041b2c32c4722d29089d6be08bf4663e1292ebb1f
Instruction ID: 67d76f912f5a31d7f214c29a59ef998942df8e23fdbb3799f946627cdb216659
Opcode Fuzzy Hash: eaa272b9605cfeecf3920ec041b2c32c4722d29089d6be08bf4663e1292ebb1f
Instruction Fuzzy Hash: 27F0DA30E5022ADBDB54EF98E8597AEBBB2FF88700F204519E402A7294CB701C05CFC0

Function 06A22BC1 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692262bdfa0179de641b8a16303a51ea56277d4c6d899ba571ea838022941606
Instruction ID: 7006d716f29b6207a1917ecc9719e9ba4fd9e782c28ef811b67c2b7f1f5aa702
Opcode Fuzzy Hash: 692262bdfa0179de641b8a16303a51ea56277d4c6d899ba571ea838022941606
Instruction Fuzzy Hash: 04026534A002258FCB64EB68C544A9DB7F2FF45310F55C4A9D80AAF365DB35ED85CB90

Function 06A24318 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ee8d7e213fa8c5b38414961f77c95c83dd84dcae2a56d133c6d311c79b6219
Instruction ID: 20581970f04d400334cd8c4b6121e8d32a64b5eb8bc2300d97470cd94e285bd9
Opcode Fuzzy Hash: f2ee8d7e213fa8c5b38414961f77c95c83dd84dcae2a56d133c6d311c79b6219
Instruction Fuzzy Hash: D6A19030B052668FDF45EF78C86069E7BF2EF8A300F144166D44ADF296DA34DC4687A1

Function 06A262C0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f538772640f4bdc16cb24c2c7ba5d3f7638a28eca12f94b74634b99629a0dae
Instruction ID: dc11a206fe5a076bfa29f68fd3d9efff5db04d18495cdc24634bd8aeb1d4f9e4
Opcode Fuzzy Hash: 4f538772640f4bdc16cb24c2c7ba5d3f7638a28eca12f94b74634b99629a0dae
Instruction Fuzzy Hash: DB61C171F411224FCB50AB7EC89466FEAD7AFC4620B25443AD80EDB360DE65DD0287C2

Function 06A246A4 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a61b0a2575676f2862c800b7c5170493b84f660c7e37cbc8fc93528fa687c1
Instruction ID: 12c19916e1fa294cb7df0cecbf8832deef96cc1760059bd2cf122a4b0e122c00
Opcode Fuzzy Hash: f2a61b0a2575676f2862c800b7c5170493b84f660c7e37cbc8fc93528fa687c1
Instruction Fuzzy Hash: 2A913D34E1061A8BDF60DF68C890B9DB7B1FF89300F208699D549AB355DB70A985CF91

Function 06A246B8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde6b5a4a1f9a3e76589540b25f539b4a9cc25a6daaf32be25bbb22be1a2115b
Instruction ID: 8c1123d9fe39310064da468ed686c66a741448232c85df3483d5e40f07c73441
Opcode Fuzzy Hash: fde6b5a4a1f9a3e76589540b25f539b4a9cc25a6daaf32be25bbb22be1a2115b
Instruction Fuzzy Hash: 65913D34E1061A8BDF60DF68C880B9DB7B1FF89300F208699D559AB355DB70AE85CF91

Function 06A2EBB9 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec400788f548669d1c82b54857641781badb4540e2a79cd381d87806c17b9012
Instruction ID: bf7a41c5624ccc09aa6c5b8ea14ccdef92880327f3aaf63f88f862ffa1362df3
Opcode Fuzzy Hash: ec400788f548669d1c82b54857641781badb4540e2a79cd381d87806c17b9012
Instruction Fuzzy Hash: 57713E30A4121A9FDB55EFA9D980A9EBBF6FF88300F148569D409DB355DB30EC86CB50

Function 06A2EBC8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1f88e2003ac4583e0a99d8a3c7b62830bbe848498de01fb8d590fe5165978e
Instruction ID: 37faa23fbb48244ba76979104b2272c1372b37b96efe33da272bcab194078147
Opcode Fuzzy Hash: db1f88e2003ac4583e0a99d8a3c7b62830bbe848498de01fb8d590fe5165978e
Instruction Fuzzy Hash: 26711E30A402199FDB54EFA9D980A9EBBF6FF84300F148569D409DB355DB30EC86CB51

Function 06A2FD20 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8b23782ac3b4f90a7bf6bd4d96a20d882def931d60ceb8ae25b93c83cc76ab
Instruction ID: fc518de79beaf42a6715a6d43af7593607ecbe0dfd91574ebe106f98b9dac594
Opcode Fuzzy Hash: 2c8b23782ac3b4f90a7bf6bd4d96a20d882def931d60ceb8ae25b93c83cc76ab
Instruction Fuzzy Hash: EF51D131E81116DFDF64EB7CE9446AEBBB2EF85314F108869E50ADB250DB319C55CB80

Function 06A2FAD3 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9eec72817d0036430d203eea924e2b51aa43cc155d8e5ad5c5b09055a1caf78
Instruction ID: 8f86105402fac67fbd500a69084900ea2e22e3f67e33e9f4e74bf7e85d149bd2
Opcode Fuzzy Hash: a9eec72817d0036430d203eea924e2b51aa43cc155d8e5ad5c5b09055a1caf78
Instruction Fuzzy Hash: CE511A30B903258FEF64677CD99072F267BD789750F20492AE40ADB3E5C939CC4587A2

Function 06A2FAE0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44210bd6385e23a544bad5cefc62faff24aaacbd1f011abe22b8199647c44656
Instruction ID: 0e46f0a8b3f04a6f266716212c29369f85285023df940b3fe6a54b3ccb3cbc02
Opcode Fuzzy Hash: 44210bd6385e23a544bad5cefc62faff24aaacbd1f011abe22b8199647c44656
Instruction Fuzzy Hash: D7512930B903298FEF60776CD99072F266FD789750F20492AE40ADB3E5CA39CC4547A2

Function 06A22158 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc52ecea605ac04547c79b9f6830f7f7886295fd9995e5baf8f4759764b66226
Instruction ID: f31548268e20976973ea7655e2b616c7af2360d56d777bba4305026ed240cd68
Opcode Fuzzy Hash: bc52ecea605ac04547c79b9f6830f7f7886295fd9995e5baf8f4759764b66226
Instruction Fuzzy Hash: F2317030E102169BCB55DFA9D894A9EB7F2FF89300F108529E816EB750DB71ED42CB51

Function 06A22168 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a919af3fbe0bbeede3361b01d60a58e59e9b0ce34dec40f72dbaab9061e6e8ad
Instruction ID: ceb398b747cf1ed119d5be2a3922a1865988c191ac60c7d55779d544a050563d
Opcode Fuzzy Hash: a919af3fbe0bbeede3361b01d60a58e59e9b0ce34dec40f72dbaab9061e6e8ad
Instruction Fuzzy Hash: A9318030E102169BCF59DFA9D894A9EB7B2FF89300F108519E816EB750DB71ED46CB60

Function 06A2A3DA Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee6dc6905ed63c92ac825d82af0c08f2d9fa5e67f4fbb850d25c69506645ff5b
Instruction ID: 0407b1ec8fea7e498f76ab0fce0cd6f3a64738e5baa774b8b8e9b81dde75d2ca
Opcode Fuzzy Hash: ee6dc6905ed63c92ac825d82af0c08f2d9fa5e67f4fbb850d25c69506645ff5b
Instruction Fuzzy Hash: D221D035B501225FDB50EB3CE8507AEB3E6EB45710F10897AE20ECB381EB20DC068791

Function 06A23B89 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd70e9756edd88b01a728f02d14fb2ec50eb04eb1d8efd1be27e5c4e6119bf0d
Instruction ID: 865069a4a1e7709c3e9687f31482aa956f46572ca0d605ce7ffa68cf8eb0086c
Opcode Fuzzy Hash: dd70e9756edd88b01a728f02d14fb2ec50eb04eb1d8efd1be27e5c4e6119bf0d
Instruction Fuzzy Hash: 08217C75F512269FDF41EF69D840BAEBBF6AB48710F108069E905E7382E734E9018B91

Function 06A23B98 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdac5e62d3a84006b9a5ce421592de6159aeb0fa6edfb5b45bf74a8b7f96eb6d
Instruction ID: 59b7f5189d1c4cdcfb30175d77a18713e811888f52f3391123958c00c0835101
Opcode Fuzzy Hash: cdac5e62d3a84006b9a5ce421592de6159aeb0fa6edfb5b45bf74a8b7f96eb6d
Instruction Fuzzy Hash: DA217C75F512269FDF40EF69D880AAEBBF1FB48710F108129E905E7341E734E9018B91

Function 02C3D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4138638566.0000000002C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c3d000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53db7b087db1c68e9f662246d417b8e478d62e66f8d61a71f4873d509763c5ba
Instruction ID: 0799dbe11328771e1149d75c1fd9c0b992f90b1c6c5bad85d2d8a25bfb560f15
Opcode Fuzzy Hash: 53db7b087db1c68e9f662246d417b8e478d62e66f8d61a71f4873d509763c5ba
Instruction Fuzzy Hash: 0A212671504304DFDB16DF14DAC0B26BBA5FB84714F24C96DE80B4B256C37AD447CAA2

Function 02C3D005 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4138638566.0000000002C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c3d000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8b8f7682266fc374f8dd208cb2df746ea35e1ae8615a452048688a486aba6c
Instruction ID: f24730845d532c712d299382b889395914d360cc56c774f19ffa0381c550567a
Opcode Fuzzy Hash: 6d8b8f7682266fc374f8dd208cb2df746ea35e1ae8615a452048688a486aba6c
Instruction Fuzzy Hash: 64212A7550D3C08FDB13CB24D990715BF71AB86214F29C5DBD8898F6A7C33A984ACB62

Function 06A23CA8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec8c9364ef4e668750408d238830f52279afa776b79fd2dffd27f521ef2bccd
Instruction ID: 42eada21ebc22792ab3e59ca67e36dd06b96f7eada992ba75679f9e0e9b4375d
Opcode Fuzzy Hash: 4ec8c9364ef4e668750408d238830f52279afa776b79fd2dffd27f521ef2bccd
Instruction Fuzzy Hash: CD118E32B101255FDF94A679C814AAE73EAABC9710B00493AD50AEB344DF259C028BE1

Function 06A2EE38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 968454560c923d2a0d37566e090119a34453f563523fbae7712743eba3212016
Instruction ID: 18b6373438c647775def7afb98e8c2b59185d09a140acca7bc5b0e4ddf9ed438
Opcode Fuzzy Hash: 968454560c923d2a0d37566e090119a34453f563523fbae7712743eba3212016
Instruction Fuzzy Hash: B9018431B541212BDB61A62EA854B2F67DBEBCBA10F148C3AE10ACB340DE65DC464395

Function 06A23C99 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42412fcbf9f7c3f0cea9a03e955dc59f3aaef25a00eb38582932e3c8aeb91a07
Instruction ID: 920c3b62a36b861d995daaa74b2404c871a09e979d09526b671437ed5bf05027
Opcode Fuzzy Hash: 42412fcbf9f7c3f0cea9a03e955dc59f3aaef25a00eb38582932e3c8aeb91a07
Instruction Fuzzy Hash: 9901D432B240262BDF95A6799C10AEF77EF9BC9710F10453AE50AD7385DF64980347E2

Function 06A23EDF Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413ac368c4df30ef90fe219a2261d73a77ed6cd6fad2c3ff8c67aca917e3e8f8
Instruction ID: 372a987622dad3c496b614c1ad2868febc7a84aa55e5021661baa8af08da764c
Opcode Fuzzy Hash: 413ac368c4df30ef90fe219a2261d73a77ed6cd6fad2c3ff8c67aca917e3e8f8
Instruction Fuzzy Hash: 0901BC30B400215FDF60AA6DA81476BB3E6DBCA611F14883EE51ECB780EA69CC024395

Function 06A23961 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38214d98c97731bfc708c6e603ce1625b2ed6e07cced718736dbb8875afe9bcf
Instruction ID: 1277434ffe8eb2cc850c5b453ef60ca436d2b26765fe0ff70ce93b64e17d3e44
Opcode Fuzzy Hash: 38214d98c97731bfc708c6e603ce1625b2ed6e07cced718736dbb8875afe9bcf
Instruction Fuzzy Hash: 5721F2B1D01259EFCB10DF9AD885ADEFFB4BB49314F10812AE518A7200C378A550CFA5

Function 06A2C880 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e697b3dc983462b2c51f54e9821533f150bac675e7e3cb6ecaab38042956ab8
Instruction ID: c5fec1be016ab37a51527770d9698eaf59c359ec241aa1de4605f498bf3c3a9b
Opcode Fuzzy Hash: 0e697b3dc983462b2c51f54e9821533f150bac675e7e3cb6ecaab38042956ab8
Instruction Fuzzy Hash: 6001FC31A512356BCF64AA79EC41BDF7776F785320F004539E506DB385DB31980587D0

Function 06A23968 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28355dbda99891f9960f068dd1938cbb470cc93a6e1b75e4626587d81cbc38ae
Instruction ID: d15b935c872bc59a02af50c72ae8ab5f004f0a725a74579f320af62ab28fc82b
Opcode Fuzzy Hash: 28355dbda99891f9960f068dd1938cbb470cc93a6e1b75e4626587d81cbc38ae
Instruction Fuzzy Hash: 5B11D0B1D01219EFCB10DF9AD885ADEFBB4FB49324F10812AE918A7200C374A954CFA5

Function 06A23EF0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183b10d3c53da5ebb307d5991a488bbc5c59ba75e6df7d2114cf74e3e773f656
Instruction ID: 40b5000530efa7f7185e8e6540638012c01d68d7f50cbf1c16747bb77e9f8b66
Opcode Fuzzy Hash: 183b10d3c53da5ebb307d5991a488bbc5c59ba75e6df7d2114cf74e3e773f656
Instruction Fuzzy Hash: 6A018131B100221BDF64A66EA454B2FB3EADBCAB14F10883DE51ECB744EE69DC024395

Function 06A2EE48 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef6d60923be8fd1e2925a7896fa22588c3a296c962df58bf7d0d47f6d0cc5e1
Instruction ID: b3435e718cca00aae406ee36a7526a1c3b7feb9e8f46b97f4e231a8559cc14fe
Opcode Fuzzy Hash: 9ef6d60923be8fd1e2925a7896fa22588c3a296c962df58bf7d0d47f6d0cc5e1
Instruction Fuzzy Hash: A501AF31F500222BDB65A67EA454B2F73DAEBCBA10F148C39E10ECB344EE25DC824385

Function 06A2A3E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0d53cffb16bed2bafbb142094ddbe7d22fe4baf3d090d087bb854f22d81a34
Instruction ID: 6dd40b861ec413201994adcbfb8220c71aa455359cdb2e355d8e6ae69d5a5755
Opcode Fuzzy Hash: 2b0d53cffb16bed2bafbb142094ddbe7d22fe4baf3d090d087bb854f22d81a34
Instruction Fuzzy Hash: 38018130B604225BDB60EB3DE45472F73D6EB89710F108839E20ECB744EE21DC028781

Function 06A26549 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29431bea2890683f93d65d9fdcd735b7318598106156b8e5c6bceeb5108ed91d
Instruction ID: 66af96345e4a4d6ee5e870c4f17503e3af5207ee39b8a95d16a359f62e865d08
Opcode Fuzzy Hash: 29431bea2890683f93d65d9fdcd735b7318598106156b8e5c6bceeb5108ed91d
Instruction Fuzzy Hash: 1FE02230D4A1259FDF10EB788A003DA37B9EB03240F3149AAD009DF142D236CE068760

Non-executed Functions

Function 06A27770 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A27895
$^q, xrefs: 06A27CE5
$^q, xrefs: 06A27CFB
$^q, xrefs: 06A27CF1
$^q, xrefs: 06A27D07
$^q, xrefs: 06A278C6
$^q, xrefs: 06A278BA
$^q, xrefs: 06A27889
$^q, xrefs: 06A27C52
$^q, xrefs: 06A27C46

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 20cf5c3a86152ec49a7ba1ec71bcc8dfa271a3ff94dddc4e2aa3f02b55347798
Instruction ID: 906a9a1367a3dc03f7df5eba1c16952ee69640e80097722701909b0cee4c68b4
Opcode Fuzzy Hash: 20cf5c3a86152ec49a7ba1ec71bcc8dfa271a3ff94dddc4e2aa3f02b55347798
Instruction Fuzzy Hash: AA121C30E4022A8FDB64EF69C954AAEB7F2BF84700F208569D409AB355DB31DD85CF91

Function 06A2AA08 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A2ABBA
$^q, xrefs: 06A2AB90
$^q, xrefs: 06A2AB65
$^q, xrefs: 06A2AB0A
$^q, xrefs: 06A2AAFE
$^q, xrefs: 06A2AB84
$^q, xrefs: 06A2ABC6
$^q, xrefs: 06A2AB59

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: a7f0635cb5e0d893e9f1de8c2d4ec905a43bb892fefeeda2e15f277eac8cbaaa
Instruction ID: 4a122a9a6fa5f079a540960cf22a6bd0bd4ffe80cff7b4a1d18e865ea9c8a38a
Opcode Fuzzy Hash: a7f0635cb5e0d893e9f1de8c2d4ec905a43bb892fefeeda2e15f277eac8cbaaa
Instruction Fuzzy Hash: 06916C30E8022A9FDB68EF69D584BAEB7F2FF44701F108529D5019B395DB349C45CB90

Function 06A27170 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A27684
$^q, xrefs: 06A274B8
.5vq, xrefs: 06A271CB
$^q, xrefs: 06A2760C
$^q, xrefs: 06A274AC
$^q, xrefs: 06A27452
$^q, xrefs: 06A27678

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 895873a1a3e70c3a83bc6692becd907b839de4bce35633d2247fc62b699d7127
Instruction ID: 78fc615dba6f9a53a344bb5f240c63735341c26948e3f1bc4874f21fe539030f
Opcode Fuzzy Hash: 895873a1a3e70c3a83bc6692becd907b839de4bce35633d2247fc62b699d7127
Instruction Fuzzy Hash: F8F15C30A40219CFDB59EF69C594B6EB7B2FF84300F208569D4059B3A9DB31ED82CB91

Function 06A284A8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A28702
$^q, xrefs: 06A2870E
$^q, xrefs: 06A28773
$^q, xrefs: 06A28767

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 3cfa7330f22271b88f1cf06dcabadd26a4d97deb279b3ed9778248d672fa6d8f
Instruction ID: e3551e87ef021c7cf09e6ba076f1dfa2ba75d29dc9f4729f23df4fe46680ff99
Opcode Fuzzy Hash: 3cfa7330f22271b88f1cf06dcabadd26a4d97deb279b3ed9778248d672fa6d8f
Instruction Fuzzy Hash: D3B12C30E502198FDB54EB69D5847AEB7B2FF84300F24C529E4069B395DB35DC86CB91

Function 06A288C0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A2894B
$^q, xrefs: 06A2893F
LR^q, xrefs: 06A28A02
LR^q, xrefs: 06A289B3

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: fb6974c4ddb979e5c5234f974d3dce6b5e1f88486186716ed62579bcc30e6289
Instruction ID: a2109d3f11e0a258cdfea9809be322d356b3949c2ea7b012fe058f6e015731d2
Opcode Fuzzy Hash: fb6974c4ddb979e5c5234f974d3dce6b5e1f88486186716ed62579bcc30e6289
Instruction Fuzzy Hash: 4251D530B502168FDB54EB29C980A6E77F6FF89300F108668E4059F3A9DB34EC49CB91

Function 06A2AD90 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A2AF43
$^q, xrefs: 06A2AF14
$^q, xrefs: 06A2AEC1
$^q, xrefs: 06A2AF6C

Memory Dump Source

Source File: 00000004.00000002.4143586158.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Quote GVSE24-00815.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 9902f2d6410a7131d407e26115f3a3a5c3d450b0b8f4b7b3d0acd0562579eed6
Instruction ID: e55205281de34f3d2232492e222f0cf2587a201256d0ca3a4eb410fc6b9148e7
Opcode Fuzzy Hash: 9902f2d6410a7131d407e26115f3a3a5c3d450b0b8f4b7b3d0acd0562579eed6
Instruction Fuzzy Hash: 5651BF30E502269FCF65EB28D580BAEB3B2EF89300F108629E506DB355DB34DC42CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quote GVSE24-00815.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote GVSE24-00815.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2tivak4j.3p4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_itkhhyeh.24p.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pjnwwi5w.tds.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjgib2nb.30d.ps1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
Quote GVSE24-00815.exe

Function 04CA6BE0 Relevance: 13.2, Strings: 10, Instructions: 750
COMMON

Function 04CA6BDA Relevance: 13.2, Strings: 10, Instructions: 674
COMMON

Function 06E57BC7 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 06E57BC8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00E3AD08 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Function 00E344B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 04CA4040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 00E358F7 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 06E57940 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 06E57938 Relevance: 1.6, APIs: 1, Instructions: 67
injectionCOMMON

Function 06E577A1 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre