Analysis Report Quot_466378-09.exe

Overview

General Information

Sample Name:Quot_466378-09.exe
Analysis ID:385943
MD5:2e25f6173ef97a1511c8cc555df962ba
SHA1:b673c538655452e575ca290199cc2795dab7a39f
SHA256:42b24542fa7aa0e423fe98ae7f4676c3b490d30ef2cbaa68a8ce41ddbe9e4534

Detection

MassLogger RAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected MassLogger RAT
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Startup

  • System is w10x64
  • Quot_466378-09.exe (PID: 2100 cmdline: 'C:\Users\user\Desktop\Quot_466378-09.exe' MD5: 2E25F6173EF97A1511C8CC555DF962BA)
    • schtasks.exe (PID: 6368 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LmiSveQi' /XML 'C:\Users\user\AppData\Local\Temp\tmp776F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: MassLogger

{"Version": " v3.0.7563.31381", "FtpEnable": "false", "FtpHost": "null", "FtpUser": "null", "FtpPass": "null", "FtpPort": "21", "EmailEnable": "true", "EmailAddress": "jrepublic@keithwilliamgroup.com", "EmailSendTo": "jrepublic@keithwilliamgroup.com", "EmailPass": "[5K%E!Tp3[UZC", "EmailPort": "587", "EmailSsl": "True", "EmailClient": "mail.privateemail.com", "PanelEnable": "false", "PanelHost": "null", "ExitAfterDelivery": "false", "SelfDestruct": "false", "Mutex": "Rwbbvff", "EnableMutex": "false", "EnableAntiSandboxie": "false", "EnableAntiVMware": "false", "EnableAntiDebugger": "false", "EnableWDExclusion": "false", "EnableSearchAndUpload": "false", "EnableKeylogger": "true", "EnableBrowserRecovery": "true", "EnableScreenshot": "false", "EnableForceUac": "false", "EnableBotKiller": "false", "EnableDeleteZoneIdentifier": "false", "EnableMemoryScan": "false", "EnableAntiHoneypot": "false", "EnableOnlySendWhenPassword": "true", "ExectionDelay": "1", "SendingInterval": "1", "EnableDownloader": "false", "DownloaderUrl": "Crizp", "DownloaderFilename": "Thuocfx", "DownloaderOnce": "false", "EnableBinder": "false", "BinderBytes": "AAAAAAAA", "BinderName": "Nhwsufe_Nraotd", "BinderOnce": "false", "EnableInstall": "false", "InstallFolder": "%AppData%", "InstallSecondFolder": "Fafhhdkyp", "InstallFile": "Ldstwm"}
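The configuration above gives a defender most of what is needed to decide what to hunt for. The Python below is an added example (not part of this report, and not Joe Sandbox or MassLogger code) that parses the extractor's JSON and reduces it to the live exfiltration channel, the feature switches that are on, and the values worth pivoting on. The grouping of keys into channels is this example's own reading of the key names, and the embedded configuration is a constructed copy of the one shown above, trimmed to the keys the example reads.

```python
"""Triage helper for the MassLogger configuration extracted above.

Added example; not part of the Joe Sandbox report and not MassLogger code.
The grouping of keys into channels is this example's own reading of the
key names (Email*, Ftp*, Panel*, Enable*).
"""
import json

# Constructed copy of the configuration shown in the report, trimmed to the
# keys this example reads; values are copied verbatim from the page.
SAMPLE_CONFIG = r'''{"Version": " v3.0.7563.31381", "FtpEnable": "false",
 "FtpHost": "null", "FtpUser": "null", "FtpPass": "null", "FtpPort": "21",
 "EmailEnable": "true", "EmailAddress": "jrepublic@keithwilliamgroup.com",
 "EmailSendTo": "jrepublic@keithwilliamgroup.com", "EmailPass": "[5K%E!Tp3[UZC",
 "EmailPort": "587", "EmailSsl": "True", "EmailClient": "mail.privateemail.com",
 "PanelEnable": "false", "PanelHost": "null", "Mutex": "Rwbbvff",
 "EnableMutex": "false", "EnableKeylogger": "true", "EnableBrowserRecovery": "true",
 "EnableScreenshot": "false", "EnableOnlySendWhenPassword": "true",
 "EnableInstall": "false", "InstallFolder": "%AppData%", "InstallFile": "Ldstwm"}'''


def _on(value) -> bool:
    """Booleans arrive as strings with inconsistent case ("true", "True")."""
    return str(value).strip().lower() == "true"


def _text(value):
    """Unset fields hold the literal string "null"; map those to None."""
    s = str(value).strip()
    return None if s.lower() in ("", "null") else s


def parse_config(raw: str) -> dict:
    """Load the extractor JSON and strip stray whitespace (e.g. " v3.0...")."""
    return {k: (v.strip() if isinstance(v, str) else v) for k, v in json.loads(raw).items()}


def exfil_channels(cfg: dict) -> list:
    """Delivery channels whose *Enable switch is on, with endpoint details."""
    channels = []
    if _on(cfg.get("EmailEnable")):
        channels.append({"type": "smtp", "host": _text(cfg.get("EmailClient")),
                         "port": int(cfg.get("EmailPort", 25)), "tls": _on(cfg.get("EmailSsl")),
                         "account": _text(cfg.get("EmailAddress")),
                         "recipient": _text(cfg.get("EmailSendTo"))})
    if _on(cfg.get("FtpEnable")):
        channels.append({"type": "ftp", "host": _text(cfg.get("FtpHost")),
                         "port": int(cfg.get("FtpPort", 21)), "account": _text(cfg.get("FtpUser"))})
    if _on(cfg.get("PanelEnable")):
        channels.append({"type": "panel", "host": _text(cfg.get("PanelHost"))})
    return channels


def enabled_flags(cfg: dict) -> list:
    """Names of the Enable* feature switches that are turned on."""
    return sorted(k[len("Enable"):] for k, v in cfg.items() if k.startswith("Enable") and _on(v))


def indicators(cfg: dict) -> dict:
    """Hunting indicators taken only from features the config enables.

    Disabled features still carry filler values (a mutex name, an install
    path) that the running sample never uses, so they are skipped.
    """
    found = {"hosts": set(), "accounts": set(), "mutexes": set(), "paths": set()}
    for ch in exfil_channels(cfg):
        if ch.get("host"):
            found["hosts"].add(f'{ch["host"]}:{ch["port"]}' if "port" in ch else ch["host"])
        if ch.get("account"):
            found["accounts"].add(ch["account"])
    if _on(cfg.get("EnableMutex")) and _text(cfg.get("Mutex")):
        found["mutexes"].add(cfg["Mutex"])
    if _on(cfg.get("EnableInstall")):
        found["paths"].add(f'{cfg.get("InstallFolder")}\\{cfg.get("InstallFile")}')
    return {k: sorted(v) for k, v in found.items()}


def triage(raw: str) -> dict:
    """One-call summary: version, live channels, enabled switches, indicators."""
    cfg = parse_config(raw)
    return {"version": cfg.get("Version"), "channels": exfil_channels(cfg),
            "flags": enabled_flags(cfg), "indicators": indicators(cfg)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CONFIG), indent=2))
```

For this sample the only channel in use is SMTP submission to mail.privateemail.com:587 with jrepublic@keithwilliamgroup.com as both sender and recipient, and only the keylogger, browser recovery and send-only-when-password switches are on. The mutex, install, binder and downloader fields belong to disabled features, so they are not emitted as indicators. Note that the persistence this report observed (LmiSveQi.exe dropped to %AppData% plus the scheduled task) is not described by this configuration at all, which points to it being set up by the stage that wraps the MassLogger payload rather than by the payload itself.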

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.496667665.0000000000402000.00000040.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x81c:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x6ad:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x10ff:$op3: 00 04 03 69 91 1B 40
  • 0x1fb0:$op3: 00 04 03 69 91 1B 40
00000006.00000002.496667665.0000000000402000.00000040.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000000.00000002.272699387.0000000003B11000.00000004.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x1d6864:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x63bc6c:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x1d66f5:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x63bafd:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x1d7147:$op3: 00 04 03 69 91 1B 40
  • 0x1d7ff8:$op3: 00 04 03 69 91 1B 40
  • 0x63c54f:$op3: 00 04 03 69 91 1B 40
  • 0x63d400:$op3: 00 04 03 69 91 1B 40
(7 further entries not included in this extract)

Note on the Quasar_RAT_1 hits: the only strings that rule matched here are the three short CIL opcode sequences $op1 to $op3 listed above, the same regions also match JoeSecurity_MassLogger, and the configuration extractor identifies the payload as MassLogger. Treat the Quasar hits as a generic .NET code-pattern match, not as evidence of a second malware family in the sample.

        Unpacked PEs

Source | Rule | Description | Author
0.2.Quot_466378-09.exe.3ce6e48.2.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
6.2.Quot_466378-09.exe.400000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0xa1c:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x8ad:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x12ff:$op3: 00 04 03 69 91 1B 40
  • 0x21b0:$op3: 00 04 03 69 91 1B 40
6.2.Quot_466378-09.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0.2.Quot_466378-09.exe.3d67468.3.raw.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x3e5804:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x3e5695:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x3e60e7:$op3: 00 04 03 69 91 1B 40
  • 0x3e6f98:$op3: 00 04 03 69 91 1B 40
0.2.Quot_466378-09.exe.3d67468.3.raw.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
(2 further entries not included in this extract)

              Sigma Overview

              System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LmiSveQi' /XML 'C:\Users\user\AppData\Local\Temp\tmp776F.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LmiSveQi' /XML 'C:\Users\user\AppData\Local\Temp\tmp776F.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\Quot_466378-09.exe'
  ParentImage: C:\Users\user\Desktop\Quot_466378-09.exe
  ParentProcessId: 2100
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LmiSveQi' /XML 'C:\Users\user\AppData\Local\Temp\tmp776F.tmp'
  ProcessId: 6368
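The Sigma hit above is straightforward to reproduce on endpoint telemetry. The Python below is an added example, not the rule Joe Sandbox ran and not code from this report; its matching logic is this example's own approximation of the rule's idea (schtasks.exe creating a task from an XML file under a temp directory), and the events it scans are constructed here in the shape of Sysmon Event ID 1 / Security 4688 records, the first mirroring the process tree shown above.

```python
"""Detection for the Sigma hit above: schtasks.exe registering a task from
an XML file in a temp directory.

Added example; this is not the Sigma rule Joe Sandbox ran and not the
sample's code. The match logic is this example's own approximation.
Input events are constructed in the shape of a Sysmon Event ID 1 /
Security 4688 record (Image, CommandLine, ParentImage, ProcessId).
"""
import re

# Directories a task definition has no business being loaded from
# (matched case-insensitively as substrings of the /XML argument).
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Windows command-line tokenizer: quoted spans (" or ') stay whole. The report
# renders the original double quotes as single quotes, so both are accepted.
_ARG_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')


def split_cmdline(cmdline: str) -> list:
    tokens = []
    for tok in _ARG_RE.findall(cmdline):
        if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
            tok = tok[1:-1]
        tokens.append(tok)
    return tokens


def _option(args: list, name: str):
    """Value following a schtasks switch such as /TN or /XML, or None."""
    lowered = [a.lower() for a in args]
    for i, a in enumerate(lowered):
        if a == name.lower() and i + 1 < len(args):
            return args[i + 1]
    return None


def match_temp_xml_task(event: dict):
    """Return match details if the event is schtasks /Create ... /XML <temp path>."""
    # Key on the executed Image, not on the path inside the command line: the
    # report shows System32 on the command line but SysWOW64 actually ran
    # (WOW64 file-system redirection for a 32-bit parent).
    image = event.get("Image", "").lower()
    if not image.endswith("\\schtasks.exe"):
        return None
    args = split_cmdline(event.get("CommandLine", ""))
    if "/create" not in (a.lower() for a in args):
        return None
    xml = _option(args, "/XML")
    if not xml or not any(d in xml.lower() for d in TEMP_DIRS):
        return None
    return {"task": _option(args, "/TN"), "xml": xml,
            "parent": event.get("ParentImage"), "pid": event.get("ProcessId")}


def scan(events: list) -> list:
    return [m for m in (match_temp_xml_task(e) for e in events) if m]


# Constructed events. The first mirrors the report's process tree; the rest
# are benign look-alikes that must not fire.
EVENTS = [
    {"ProcessId": 6368,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LmiSveQi" /XML "C:\Users\user\AppData\Local\Temp\tmp776F.tmp"',
     "ParentImage": r"C:\Users\user\Desktop\Quot_466378-09.exe"},
    {"ProcessId": 7001,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Backup\Nightly" /SC DAILY /TR "C:\Program Files\Backup\run.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 7002,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater-task.xml"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"ProcessId": 7003,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Updates\LmiSveQi" /XML ONE',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(f'ALERT pid={hit["pid"]} task={hit["task"]} xml={hit["xml"]} parent={hit["parent"]}')
```

Two details from the report drive the design: the check keys on the executed Image because the command line says System32 while SysWOW64 is what ran, and it reads the argument that follows /XML rather than substring-matching the whole command line, so a task that merely mentions a temp path elsewhere does not fire. Before deploying, add an allow-list on ParentImage for any legitimate installers in your environment that stage task XML in temp.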

              Signature Overview


              AV Detection:

Found malware configuration
Source: 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp Malware Configuration Extractor: MassLogger (full configuration listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\LmiSveQi.exe Metadefender: Detection: 21%
Source: C:\Users\user\AppData\Roaming\LmiSveQi.exe ReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: Quot_466378-09.exe Virustotal: Detection: 60%
Source: Quot_466378-09.exe Metadefender: Detection: 21%
Source: Quot_466378-09.exe ReversingLabs: Detection: 65%
Source: Quot_466378-09.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Quot_466378-09.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\Quot_466378-09.exe DNS query: name: api.ipify.org (logged 6 times)
Source: global traffic HTTP traffic detected: GET / HTTP/1.1; Host: api.ipify.org; Connection: Keep-Alive (logged 2 times; the request carries no User-Agent header, which is what the "HTTP GET or POST without a user agent" signature refers to)
Source: Quot_466378-09.exe, 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp String found in binary or memory: fUsage: https://www.youtube.com/watch?v=Qxk6cu21JSg equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: Quot_466378-09.exe, 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.org
Source: Quot_466378-09.exe, 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.org/
Source: Quot_466378-09.exe, 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.orgD
The URLs below for fontfabrik, carterandcone, fontbureau, founder, galapagosdesign, goodfont, jiyu-kobo, monotype, sajatypeworks, sakkal, sandoll, tiro, typography.net, urwpp and zhongyicts are font-vendor references carried in embedded font metadata (the trailing characters such as "Olk" or "DPlease" are adjacent bytes from the memory dump); they are not contact points of the sample. The apache.org and schemas.xmlsoap.org strings are likewise library and framework constants.
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Quot_466378-09.exe, 00000000.00000002.268570380.0000000002B11000.00000004.00000001.sdmp, Quot_466378-09.exe, 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Quot_466378-09.exe, 00000000.00000003.250068812.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Quot_466378-09.exe, 00000000.00000003.239283146.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp, Quot_466378-09.exe, 00000000.00000003.239744218.00000000080B5000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quot_466378-09.exe, 00000000.00000003.239661339.00000000080AE000.00000004.00000001.sdmp, Quot_466378-09.exe, 00000000.00000003.239283146.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: Quot_466378-09.exe, 00000000.00000003.240123865.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comOlk
Source: Quot_466378-09.exe, 00000000.00000003.250068812.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: Quot_466378-09.exe, 00000000.00000003.240415845.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcom
Source: Quot_466378-09.exe, 00000000.00000003.240415845.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcomF
Source: Quot_466378-09.exe, 00000000.00000003.239661339.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: Quot_466378-09.exe, 00000000.00000003.239499557.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd#lO
Source: Quot_466378-09.exe, 00000000.00000003.239641105.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdlm
Source: Quot_466378-09.exe, 00000000.00000003.240370227.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comed
Source: Quot_466378-09.exe, 00000000.00000003.239661339.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comessed
Source: Quot_466378-09.exe, 00000000.00000003.250068812.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comgreta
Source: Quot_466378-09.exe, 00000000.00000003.239283146.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comgrita
Source: Quot_466378-09.exe, 00000000.00000003.240415845.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comituo
Source: Quot_466378-09.exe, 00000000.00000003.239187124.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comsiefOlk
Source: Quot_466378-09.exe, 00000000.00000003.240415845.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comuj
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quot_466378-09.exe, 00000000.00000003.235916125.000000000807A000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnG
Source: Quot_466378-09.exe, 00000000.00000003.241217841.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Quot_466378-09.exe, 00000000.00000003.237364020.00000000080AE000.00000004.00000001.sdmp, Quot_466378-09.exe, 00000000.00000003.237708764.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quot_466378-09.exe, 00000000.00000003.239045901.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/#lO
Source: Quot_466378-09.exe, 00000000.00000003.237364020.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/1l=
Source: Quot_466378-09.exe, 00000000.00000003.238084992.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/8lD
Source: Quot_466378-09.exe, 00000000.00000003.237364020.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Olk
Source: Quot_466378-09.exe, 00000000.00000003.238084992.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Quot_466378-09.exe, 00000000.00000003.238084992.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Quot_466378-09.exe, 00000000.00000003.236641430.00000000080AC000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: Quot_466378-09.exe, 00000000.00000003.237364020.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/lm
Source: Quot_466378-09.exe, 00000000.00000003.236641430.00000000080AC000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u
Source: Quot_466378-09.exe, 00000000.00000003.240903567.00000000080AE000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: Quot_466378-09.exe, 00000000.00000003.241061599.0000000008093000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.R
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Quot_466378-09.exe, 00000000.00000003.236032290.0000000008079000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.
Source: Quot_466378-09.exe, 00000000.00000003.236032290.0000000008079000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.#
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Quot_466378-09.exe, 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com/watch?v=Qxk6cu21JSg
Source: Quot_466378-09.exe, 00000000.00000002.268134442.0000000000EE9000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
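The captured request to api.ipify.org carries no User-Agent header and goes to a public IP-echo service, the combination behind the report's "May check the online IP address of the machine" and "HTTP GET or POST without a user agent" signatures. The Python below is an added example (not from the report or the sample) that parses raw request headers of the form shown in the Networking section and scores them. The service list is this example's own, and the three requests are constructed, the first reproducing the captured one.

```python
"""Scoring outbound HTTP requests for the two traits seen in this report:
destination is a public IP-echo service, and no User-Agent header.

Added example; not from the report or the sample. The service list is
this example's own; api.ipify.org is the one observed in the report.
"""
from typing import Dict, Tuple

# Public "what is my IP" endpoints stealers commonly call to tag the victim.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "api64.ipify.org", "icanhazip.com", "ifconfig.me",
    "checkip.amazonaws.com", "checkip.dyndns.org", "ipinfo.io", "ip-api.com",
}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw request into (method, target, headers); names lower-cased."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def assess(raw: str) -> dict:
    """Severity: high = IP lookup with no UA, medium = IP lookup, low = no UA only."""
    method, target, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    ip_lookup = host in IP_LOOKUP_HOSTS
    no_ua = "user-agent" not in headers
    reasons = []
    if ip_lookup:
        reasons.append("external IP lookup service")
    if no_ua:
        reasons.append("no User-Agent header")
    if ip_lookup and no_ua:
        severity = "high"
    elif ip_lookup:
        severity = "medium"
    elif no_ua:
        severity = "low"
    else:
        severity = "none"
    return {"method": method, "host": host, "target": target,
            "severity": severity, "reasons": reasons}


# Constructed requests. The first reproduces the one captured in the report
# (header order and values as listed there); the other two are for contrast
# and use example.com hostnames.
REQUESTS = {
    "report": "GET / HTTP/1.1\r\nHost: api.ipify.org\r\nConnection: Keep-Alive\r\n\r\n",
    "browser": ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"),
    "dotnet_update": ("GET /manifest.json HTTP/1.1\r\nHost: updates.example.com\r\n"
                      "Connection: Keep-Alive\r\n\r\n"),
}

if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        r = assess(raw)
        print(f'{name:14} {r["severity"]:6} {r["method"]} {r["host"]}{r["target"]}  {"; ".join(r["reasons"])}')
```

The missing User-Agent is deliberately kept as a weak signal on its own: .NET's WebClient and HttpClient send none unless the program sets one, so a bare "no User-Agent" rule fires on plenty of legitimate software. It is the pairing with an external-IP lookup that makes this request worth an alert.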

              System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.496667665.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 00000000.00000002.272699387.0000000003B11000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 6.2.Quot_466378-09.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 0.2.Quot_466378-09.exe.3d67468.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 0.2.Quot_466378-09.exe.3ce6e48.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: C:\Users\user\Desktop\Quot_466378-09.exe Code functions (prefix 0_2_): 0_2_01202208, 0_2_01200470, 0_2_01200FB0, 0_2_01203150, 0_2_012017F1, 0_2_01209B60, 0_2_01202041, 0_2_01204088, 0_2_01204098, 0_2_01200F1B, 0_2_01204ED9, 0_2_012030C3, 0_2_012052C8, 0_2_012052D8, 0_2_01205469, 0_2_01205478, 0_2_01209B50, 0_2_04B155A4, 0_2_04B1C160, 0_2_04B1C150
Source: C:\Users\user\Desktop\Quot_466378-09.exe Code functions (prefix 6_2_): 6_2_017F0820, 6_2_017F5C47, 6_2_017F04D8, 6_2_017F04C9, 6_2_017F0813, 6_2_03482288, 6_2_034819B8, 6_2_0348AB8B, 6_2_0348AB98, 6_2_03485778, 6_2_03481670
Source: Quot_466378-09.exe, 00000000.00000002.278461604.0000000005E20000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Quot_466378-09.exe
Source: Quot_466378-09.exe, 00000000.00000002.282564626.0000000009660000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Quot_466378-09.exe
Source: Quot_466378-09.exe, 00000000.00000002.267789126.0000000000884000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDH/f7.exeF vs Quot_466378-09.exe
Source: Quot_466378-09.exe, 00000000.00000002.268570380.0000000002B11000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs Quot_466378-09.exe
Source: Quot_466378-09.exe, 00000000.00000002.268570380.0000000002B11000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMetroFramework.dll> vs Quot_466378-09.exe
Source: Quot_466378-09.exe, 00000000.00000002.268570380.0000000002B11000.00000004.00000001.sdmp Binary or memory string: OriginalFilename" vs Quot_466378-09.exe
Source: Quot_466378-09.exe, 00000000.00000002.278985246.0000000006190000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Quot_466378-09.exe
Source: Quot_466378-09.exe, 00000000.00000002.278432380.0000000005B30000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Quot_466378-09.exe
Source: Quot_466378-09.exe, 00000000.00000002.278432380.0000000005B30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Quot_466378-09.exe
Source: Quot_466378-09.exe, 00000000.00000002.268134442.0000000000EE9000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Quot_466378-09.exe
Source: Quot_466378-09.exe, 00000006.00000000.262780503.0000000000FD4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDH/f7.exeF vs Quot_466378-09.exe
Source: Quot_466378-09.exe, 00000006.00000002.506492542.0000000006DA9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quot_466378-09.exe
Source: Quot_466378-09.exe, 00000006.00000002.496667665.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilename" vs Quot_466378-09.exe
Source: Quot_466378-09.exe Binary or memory string: OriginalFilenameDH/f7.exeF vs Quot_466378-09.exe (the sample's own version resource names it DH/f7.exe, which is what the "Sample file is different than original file name gathered from version info" signature reports; the other OriginalFilename strings above belong to loaded runtime and framework modules)
Source: Quot_466378-09.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000006.00000002.496667665.0000000000402000.00000040.00000001.sdmp, type: MEMORY; 00000000.00000002.272699387.0000000003B11000.00000004.00000001.sdmp, type: MEMORY; 6.2.Quot_466378-09.exe.400000.0.unpack, type: UNPACKEDPE; 0.2.Quot_466378-09.exe.3d67468.3.raw.unpack, type: UNPACKEDPE; 0.2.Quot_466378-09.exe.3ce6e48.2.raw.unpack, type: UNPACKEDPE
Matched rule (all five sources above): Quasar_RAT_1, author = Florian Roth, description = Detects Quasar RAT, date = 2017-04-07, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34
              Source: Quot_466378-09.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: LmiSveQi.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/3@2/1
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | File created: C:\Users\user\AppData\Roaming\LmiSveQi.exe
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Mutant created: \Sessions\1\BaseNamedObjects\lyBmVHenljRsBputjU
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_01
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | File created: C:\Users\user\AppData\Local\Temp\tmp776F.tmp
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | File read: C:\Windows\win.ini
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: Quot_466378-09.exe | Virustotal: Detection: 60%
              Source: Quot_466378-09.exe | Metadefender: Detection: 21%
              Source: Quot_466378-09.exe | ReversingLabs: Detection: 65%
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | File read: C:\Users\user\Desktop\Quot_466378-09.exe
              Source: unknown | Process created: C:\Users\user\Desktop\Quot_466378-09.exe 'C:\Users\user\Desktop\Quot_466378-09.exe'
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LmiSveQi' /XML 'C:\Users\user\AppData\Local\Temp\tmp776F.tmp'
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Process created: C:\Users\user\Desktop\Quot_466378-09.exe {path}
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: Quot_466378-09.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: Quot_466378-09.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: Quot_466378-09.exe | Static file information: File size 1579008 > 1048576
              Source: Quot_466378-09.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x180c00
              Source: Quot_466378-09.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Data Obfuscation:

              Yara detected Costura Assembly Loader
              Source: Yara match | File source: 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Quot_466378-09.exe PID: 2100, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Quot_466378-09.exe PID: 6432, type: MEMORY
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_00704351 push eax; ret | 0_2_0070439C
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_007024D6 push ecx; iretd | 0_2_007024D7
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_007027D7 push 86DF6B68h; retf | 0_2_007027E7
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_00702B83 push ebx; iretd | 0_2_00702C24
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_0070558A pushfd ; retf | 0_2_00705592
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_04B12404 push E802005Eh; ret | 0_2_04B12409
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_04B13452 pushfd ; ret | 0_2_04B13459
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_04B140A0 push esp; retf | 0_2_04B140A1
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_04B111B9 push eax; mov dword ptr [esp], edx | 0_2_04B111CC
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_00E527D7 push 86DF6B68h; retf | 6_2_00E527E7
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_00E524D6 push ecx; iretd | 6_2_00E524D7
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_00E52B83 push ebx; iretd | 6_2_00E52C24
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_00E5558A pushfd ; retf | 6_2_00E55592
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_00E54351 push eax; ret | 6_2_00E5439C
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_0348DA8C push FFFFFF8Bh; retf | 6_2_0348DA8F
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_0348FF2E push es; ret | 6_2_0348FF30
              Source: initial sample | Static PE information: section name: .text entropy: 7.58063381917
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | File created: C:\Users\user\AppData\Roaming\LmiSveQi.exe

              Boot Survival:

              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LmiSveQi' /XML 'C:\Users\user\AppData\Local\Temp\tmp776F.tmp'
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Yara detected AntiVM3
              Source: Yara match | File source: Process Memory Space: Quot_466378-09.exe PID: 2100, type: MEMORY
              Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: Quot_466378-09.exe, 00000000.00000002.268570380.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: Quot_466378-09.exe, 00000000.00000002.268570380.0000000002B11000.00000004.00000001.sdmp, Quot_466378-09.exe, 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3600000
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3599844
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3599656
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3599500
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3599360
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3599156
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3598985
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3598860
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3598750
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3598641
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3598485
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3598360
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3598203
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3598078
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3597953
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3597797
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3597656
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3597547
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3597360
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3597188
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3597047
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3596906
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3596750
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3596610
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3596469
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3596360
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3596203
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3596094
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3595985
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3595860
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3595735
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3595610
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3595453
              Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3595344
              Source: