Edit tour

Windows Analysis Report
Quotation_#432768#_pdf.scr.exe

Overview

General Information

Sample name:	Quotation_#432768#_pdf.scr.exe
Analysis ID:	1441939
MD5:	52c3bf6b32a777a43cf7b59d0c0b6b46
SHA1:	d691b2d4b44fde837524624af85bccb4b01cd5ec
SHA256:	1c97deae0a90b78b7801e71c84b3308738b9def07711e0088e985e1dad640582
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Quotation_#432768#_pdf.scr.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe" MD5: 52C3BF6B32A777A43CF7B59D0C0B6B46)

Quotation_#432768#_pdf.scr.exe (PID: 5880 cmdline: "C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe" MD5: 52C3BF6B32A777A43CF7B59D0C0B6B46)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.wapination.net", "Username": "pop@wapination.net", "Password": "sync@#1235"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.4459604058.00000000028AC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1984543642.0000000003F29000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1986457181.0000000005A40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.4458393564.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4458393564.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4459604058.0000000002881000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4459604058.0000000002881000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1984543642.000000000412D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1984543642.000000000412D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Quotation_#432768#_pdf.scr.exe PID: 6388	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Quotation_#432768#_pdf.scr.exe PID: 6388	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Quotation_#432768#_pdf.scr.exe PID: 6388	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Quotation_#432768#_pdf.scr.exe PID: 5880	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Quotation_#432768#_pdf.scr.exe PID: 5880	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Quotation_#432768#_pdf.scr.exe.5a40000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Quotation_#432768#_pdf.scr.exe.3f40f90.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Quotation_#432768#_pdf.scr.exe.5a40000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Quotation_#432768#_pdf.scr.exe.3f40f90.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x312b9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3132b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x313b5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31447:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x314b1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31523:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x315b9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31649:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e633:$s2: GetPrivateProfileString 0x2dd1a:$s3: get_OSFullName 0x2f3a7:$s5: remove_Key 0x2f54f:$s5: remove_Key 0x3045c:$s6: FtpWebRequest 0x3129b:$s7: logins 0x3180d:$s7: logins 0x344fc:$s7: logins 0x345d0:$s7: logins 0x35ece:$s7: logins 0x3516a:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x312b9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3132b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x313b5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31447:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x314b1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31523:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x315b9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31649:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e633:$s2: GetPrivateProfileString 0x2dd1a:$s3: get_OSFullName 0x2f3a7:$s5: remove_Key 0x2f54f:$s5: remove_Key 0x3045c:$s6: FtpWebRequest 0x3129b:$s7: logins 0x3180d:$s7: logins 0x344fc:$s7: logins 0x345d0:$s7: logins 0x35ece:$s7: logins 0x3516a:$s9: 1.85 (Hash, version 2, native byte-order)
3.2.Quotation_#432768#_pdf.scr.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Quotation_#432768#_pdf.scr.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.Quotation_#432768#_pdf.scr.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330b9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3312b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331b5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33247:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332b1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33323:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333b9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33449:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.Quotation_#432768#_pdf.scr.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30433:$s2: GetPrivateProfileString 0x2fb1a:$s3: get_OSFullName 0x311a7:$s5: remove_Key 0x3134f:$s5: remove_Key 0x3225c:$s6: FtpWebRequest 0x3309b:$s7: logins 0x3360d:$s7: logins 0x362fc:$s7: logins 0x363d0:$s7: logins 0x37cce:$s7: logins 0x36f6a:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330b9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xf1039:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3312b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xf10ab:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331b5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xf1135:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33247:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xf11c7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332b1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xf1231:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33323:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xf12a3:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333b9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xf1339:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33449:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0xf13c9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30433:$s2: GetPrivateProfileString 0xee3b3:$s2: GetPrivateProfileString 0x2fb1a:$s3: get_OSFullName 0xeda9a:$s3: get_OSFullName 0x311a7:$s5: remove_Key 0x3134f:$s5: remove_Key 0xef127:$s5: remove_Key 0xef2cf:$s5: remove_Key 0x3225c:$s6: FtpWebRequest 0xf01dc:$s6: FtpWebRequest 0x3309b:$s7: logins 0x3360d:$s7: logins 0x362fc:$s7: logins 0x363d0:$s7: logins 0x37cce:$s7: logins 0xf101b:$s7: logins 0xf158d:$s7: logins 0xf427c:$s7: logins 0xf4350:$s7: logins 0xf5c4e:$s7: logins 0x36f6a:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330b9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6d6d9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x12b659:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3312b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6d74b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x12b6cb:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331b5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6d7d5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x12b755:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33247:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6d867:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x12b7e7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332b1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6d8d1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x12b851:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33323:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6d943:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x12b8c3:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333b9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6d9d9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x12b959:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30433:$s2: GetPrivateProfileString 0x6aa53:$s2: GetPrivateProfileString 0x1289d3:$s2: GetPrivateProfileString 0x2fb1a:$s3: get_OSFullName 0x6a13a:$s3: get_OSFullName 0x1280ba:$s3: get_OSFullName 0x311a7:$s5: remove_Key 0x3134f:$s5: remove_Key 0x6b7c7:$s5: remove_Key 0x6b96f:$s5: remove_Key 0x129747:$s5: remove_Key 0x1298ef:$s5: remove_Key 0x3225c:$s6: FtpWebRequest 0x6c87c:$s6: FtpWebRequest 0x12a7fc:$s6: FtpWebRequest 0x3309b:$s7: logins 0x3360d:$s7: logins 0x362fc:$s7: logins 0x363d0:$s7: logins 0x37cce:$s7: logins 0x6d6bb:$s7: logins
Click to see the 21 entries

FTP traffic detected: 108.179.234.136:21 -> 192.168.2.5:49708 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 06:46. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 06:46. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 06:46. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.wapination.net

Source: Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4459604058.00000000028AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.wapination.net
Source: Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4459604058.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation_#432768#_pdf.scr.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4459604058.00000000028AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wapination.net
Source: Quotation_#432768#_pdf.scr.exe, 00000000.00000002.1984543642.000000000412D000.00000004.00000800.00020000.00000000.sdmp, Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4458393564.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Quotation_#432768#_pdf.scr.exe, 00000000.00000002.1984543642.000000000412D000.00000004.00000800.00020000.00000000.sdmp, Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4458393564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4459604058.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4459604058.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4459604058.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack, cPKWk.cs	.Net Code: arfI
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.raw.unpack, cPKWk.cs	.Net Code: arfI

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.Quotation_#432768#_pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.Quotation_#432768#_pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Quotation_#432768#_pdf.scr.exe
Source: initial sample	Static PE information: Filename: Quotation_#432768#_pdf.scr.exe

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 0_2_010CD55C	0_2_010CD55C
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 0_2_05486C50	0_2_05486C50
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 0_2_054862B0	0_2_054862B0
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 0_2_05486C3F	0_2_05486C3F
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 0_2_05488150	0_2_05488150
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 0_2_05488160	0_2_05488160
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 0_2_054869B8	0_2_054869B8
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 0_2_054869B6	0_2_054869B6
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 0_2_054862A0	0_2_054862A0
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 0_2_072B1350	0_2_072B1350
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_0269E228	3_2_0269E228
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_0269B0A8	3_2_0269B0A8
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_02694A58	3_2_02694A58
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_02693E40	3_2_02693E40
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_02694188	3_2_02694188
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_06598E90	3_2_06598E90
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_0659B5D8	3_2_0659B5D8
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_065A5678	3_2_065A5678
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_065AC248	3_2_065AC248
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_065AB2FD	3_2_065AB2FD
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_065A3130	3_2_065A3130
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_065A7E40	3_2_065A7E40
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_065A7760	3_2_065A7760
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_065AE458	3_2_065AE458
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_065A0521	3_2_065A0521
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_065A0033	3_2_065A0033
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_065A5DAF	3_2_065A5DAF

Source: Quotation_#432768#_pdf.scr.exe, 00000000.00000002.1984543642.000000000412D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9d777ff5-1b53-46dc-bb82-ea82ab1c7757.exe4 vs Quotation_#432768#_pdf.scr.exe
Source: Quotation_#432768#_pdf.scr.exe, 00000000.00000002.1984543642.000000000412D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Quotation_#432768#_pdf.scr.exe
Source: Quotation_#432768#_pdf.scr.exe, 00000000.00000002.1982375284.000000000115E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation_#432768#_pdf.scr.exe
Source: Quotation_#432768#_pdf.scr.exe, 00000000.00000002.1984543642.0000000003F29000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Quotation_#432768#_pdf.scr.exe
Source: Quotation_#432768#_pdf.scr.exe, 00000000.00000002.1984061797.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9d777ff5-1b53-46dc-bb82-ea82ab1c7757.exe4 vs Quotation_#432768#_pdf.scr.exe
Source: Quotation_#432768#_pdf.scr.exe, 00000000.00000000.1973259741.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameZVRN.exeX vs Quotation_#432768#_pdf.scr.exe
Source: Quotation_#432768#_pdf.scr.exe, 00000000.00000002.1987307632.0000000007A70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Quotation_#432768#_pdf.scr.exe
Source: Quotation_#432768#_pdf.scr.exe, 00000000.00000002.1986457181.0000000005A40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Quotation_#432768#_pdf.scr.exe
Source: Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4458393564.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9d777ff5-1b53-46dc-bb82-ea82ab1c7757.exe4 vs Quotation_#432768#_pdf.scr.exe
Source: Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4458560792.0000000000958000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quotation_#432768#_pdf.scr.exe
Source: Quotation_#432768#_pdf.scr.exe	Binary or memory string: OriginalFilenameZVRN.exeX vs Quotation_#432768#_pdf.scr.exe

Source: Quotation_#432768#_pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.Quotation_#432768#_pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.Quotation_#432768#_pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: Quotation_#432768#_pdf.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Quotation_#432768#_pdf.scr.exe.3f40f90.2.raw.unpack, iM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.3f40f90.2.raw.unpack, iM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.5a40000.7.raw.unpack, iM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.5a40000.7.raw.unpack, iM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'

Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, LE2n4ybSao7Hpk1pWJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, gFdkwVwVPnHaQh4QlV.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, gFdkwVwVPnHaQh4QlV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, gFdkwVwVPnHaQh4QlV.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, gFdkwVwVPnHaQh4QlV.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, gFdkwVwVPnHaQh4QlV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, gFdkwVwVPnHaQh4QlV.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, LE2n4ybSao7Hpk1pWJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation_#432768#_pdf.scr.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

Mutant created: NULL

Source: Quotation_#432768#_pdf.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Quotation_#432768#_pdf.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quotation_#432768#_pdf.scr.exe	ReversingLabs: Detection: 31%
Source: Quotation_#432768#_pdf.scr.exe	Virustotal: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe "C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe"
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process created: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe "C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe"
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process created: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe "C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Quotation_#432768#_pdf.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quotation_#432768#_pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Quotation_#432768#_pdf.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ZVRN.pdb source: Quotation_#432768#_pdf.scr.exe
Source:	Binary string: ZVRN.pdbSHA256 source: Quotation_#432768#_pdf.scr.exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Quotation_#432768#_pdf.scr.exe.3f40f90.2.raw.unpack, iM.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Quotation_#432768#_pdf.scr.exe.5a40000.7.raw.unpack, iM.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, gFdkwVwVPnHaQh4QlV.cs	.Net Code: wAaHLcJIY9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, gFdkwVwVPnHaQh4QlV.cs	.Net Code: wAaHLcJIY9 System.Reflection.Assembly.Load(byte[])

Source: Quotation_#432768#_pdf.scr.exe

Static PE information: 0xF4A5DCBC [Sun Jan 24 21:50:52 2100 UTC]

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 0_2_0548BF33 push edx; ret	0_2_0548BF36
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_026906C8 push eax; ret	3_2_02690702
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_02690698 push eax; ret	3_2_02690712
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_02690698 push eax; ret	3_2_02690722
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_02690728 push eax; ret	3_2_02690732
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_02690708 push eax; ret	3_2_02690712
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_02690718 push eax; ret	3_2_02690722
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_02690C3D push edi; ret	3_2_02690CC2
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_0659F749 push es; retf	3_2_0659F74C
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Code function: 3_2_0659F734 push es; retf	3_2_0659F748

Source: Quotation_#432768#_pdf.scr.exe

Static PE information: section name: .text entropy: 7.980317797577168

Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, O0jGVwaUv4MTQpjdQX.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'UNaDivB2c4', 'JmnDwDyS4p', 'COQDzETRm5', 'Nux6P2rCke', 'Lac6WJel0m', 'q4t6DHdrgq', 'yZx668FUap', 'GumHtaymywhvoFx1MkG'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, EABHNcUx7cui8QBd63.cs	High entropy of concatenated method names: 'tSY5JCtHd5', 'Wyv5Are9Dr', 'ToString', 'c6Z5ab8tVg', 'mjx5R98rMo', 'wSH5c001a2', 'hoG522oPWm', 'sAi57lQwfd', 'dUL5kRlbsQ', 'zqw5Tl5mMC'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, rvC8ruGmaXPNfQLwe7.cs	High entropy of concatenated method names: 'Dispose', 'vxcWi49uUT', 'dorDhBIPUS', 'C3188DRwXE', 'QOTWwBt1Dl', 'vpXWze2Iim', 'ProcessDialogKey', 'rtQDP1a9BE', 'Qj8DWfQF67', 'iwsDDaqVED'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, E7NfDhonfb3w9G3GDE.cs	High entropy of concatenated method names: 'K3RGaujCoW', 'NicGRrJqFj', 'cdHGcbleyk', 'xl2G28pjxd', 'VyaG7kBwUm', 'HR6GkGjlvY', 'l5hGTthCJk', 'oabG0JqwAW', 'bHbGJ0VN7K', 'l4ZGALyLbF'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, uMb4ApCpfPcSnyNGWtS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BjUbuBmyqu', 'SowbKnmOvJ', 'lJub1r1eId', 'KIlbEsG182', 'PoKbYdQdtI', 'WVNb4Y54Vs', 'nF7boO95rY'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, DgimkMnBa6iScPSvt3.cs	High entropy of concatenated method names: 'VSWCfucEU1', 'nMbCI14BEs', 'vwfCuQWpcm', 'wpACKqxxOj', 'jG7Chhvbbh', 'pPyCFYBAV3', 'QvcCvx9fRN', 'sONCVE678Z', 'V02CMJ8oAb', 'J34CdhQgdK'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, LE2n4ybSao7Hpk1pWJ.cs	High entropy of concatenated method names: 'HTZRuD7eHn', 'yyLRKbkCPf', 'HYZR1tG8LC', 'r00RErq1dq', 'bdSRYOoEOp', 'rDRR4di6IM', 'cceRosf6Um', 'DbTRrhjiag', 'txrRiLa8xY', 'QZVRwhxG8O'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, HmdeFwi8tqsrCpvE2J.cs	High entropy of concatenated method names: 'sil5rGnAPX', 'iD25wbslBV', 'akSGP5nHBd', 'UUwGW9gSj8', 'rm65X9K8Fg', 'E7U5IHRIE3', 'XJx5QYu2bU', 'zuL5uyveX3', 'pqQ5KURpY5', 'IPs51yMwPL'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, dldGZm5DSEMwurieaT.cs	High entropy of concatenated method names: 'ImO2ZysJdn', 'H172NEN9W2', 'kCccFsjobM', 'ylfcvLXpQM', 'I8gcVbCJRi', 'h4RcMTbjh9', 'jIYcdhvPV2', 'u29cy3KAkI', 'ObMceR7KRc', 'GWccfwaRBY'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, tvRRUXDFqgUSGWSpO6.cs	High entropy of concatenated method names: 'VsxcmSRwMh', 'L47cnfFM12', 'mDPcpZh2pk', 'quucxUJxQU', 'M27cCjP61N', 'zaPcSfADYr', 'aBMc5UwjWF', 'vPccGWVf87', 'WINcBpRQ3a', 'Qt4cb6dCNI'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, XTZtPXzKNYCGVd6uBL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FMrBqO55PS', 'oETBCkNWHS', 'tZRBSCJRIy', 'eTjB59yWWJ', 'w3RBGcDtBm', 'XkIBBiF6Oi', 'DPOBbOoYhl'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, DIBgUJCEUsMeqLocKNq.cs	High entropy of concatenated method names: 'DaQBsMrDIZ', 'VjUBgusk7S', 'EIEBLYxCYR', 'wcQBm9eHqO', 'uc7BZpSCaH', 'BfmBnpeghM', 'jJrBN0ks7k', 'unyBpJr0i7', 'AxvBxmMGXk', 'G9LB3wvT80'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, Eoqqh5Ml9sAhqOSsO7.cs	High entropy of concatenated method names: 'JLEGj8pL3f', 'C8QGhbLrhF', 'ihVGFpFxTk', 'HbqGv5b791', 'uvqGuqb3LE', 'eEuGVZyqE9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, Axfdph8yP8NSKfbt33.cs	High entropy of concatenated method names: 'FqyqphGrAL', 'UMRqx422Qr', 'sK2qjR7hAQ', 'csvqhKlHjE', 'mLiqvJiYhu', 'FLfqV4pYwA', 'N9Kqdqpotq', 'mZeqygJY7A', 'ghIqf4Y05p', 'dTPqX1Qyb8'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, mjhnXHcNg8OBvjD731.cs	High entropy of concatenated method names: 'ceo7taiGSy', 'J0n7RI5n1k', 'EjI72ShQeg', 'UDm7k7AHZu', 'QF37Tw4l2w', 'zWh2Y03a4M', 'sjf24vQcAi', 'mMW2oH49Ij', 'Oan2rc1ead', 'tRp2iSk5uL'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, D3TLCyXfFxX4gvM42K.cs	High entropy of concatenated method names: 'WBhLUSNMu', 'tOCmblwjh', 'yD4n7TKgL', 'LrQN14wFA', 'oIWxcZImY', 'u2W3mIASC', 'lyBPlX8hAAKfss2o9u', 'XxZdcD4sDhXe4CQ4Kl', 'KExGfPYit', 'CqubLcjQl'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, gFdkwVwVPnHaQh4QlV.cs	High entropy of concatenated method names: 'SWV6tYwxR1', 'X6M6ajSm5j', 'Qqw6RHWESw', 'YtW6ccy08V', 'a8862h6v3r', 'fcx67EDGol', 'Ovw6k97Esg', 'ED36THRJYx', 'EKP60UZQT7', 'Olr6JT5PZC'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, ePkS30kFgfcvdqkOuC.cs	High entropy of concatenated method names: 'xPKksy7hEC', 'HjRkgSKSBR', 'o6ekLqOmgV', 'R6XkmqZDOf', 'ncXkZ5M9qx', 'lSwknqhjyo', 'uXVkNYPUpZ', 'T0PkpnRN5e', 'vk8kx2aINS', 'ygck3q2iuH'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, V0jgndFki4pFRgA91I.cs	High entropy of concatenated method names: 'DFhBW85TTF', 'fcfB6yGjwh', 'SYIBH80U6R', 'NZiBarpKEd', 'uB7BRk4gJr', 'CKXB22qUnS', 'yUbB7GfLyr', 'BMGGoxmoJf', 'jEUGrY9LTU', 'DFXGi89vMe'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, VhOVCGr6RR3qufgNAQ.cs	High entropy of concatenated method names: 'fNpWkYoBwq', 'AuoWTonbfJ', 'w20WJMHiDw', 'ScgWASB4wc', 'WlnWCtSRII', 'RBtWSHGF49', 'wwF82WojRUDirnK0I0', 'otXWXZ6LZmhggCl6gA', 'k3YWWVyWfT', 'n97W6dq5th'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, pLRVFvfot7kIP6Idfv.cs	High entropy of concatenated method names: 'ToString', 'ywjSX4TEQD', 'YqcShwn3fH', 'toPSFSdtCK', 'ja9SvIkOum', 'QsOSV33Hj5', 'IkiSMF0apa', 'B8rSdOGtxO', 'SFKSycbBV8', 'WQQSeqLOVy'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.7a70000.8.raw.unpack, kx9fJU6dXwdDAAjGIw.cs	High entropy of concatenated method names: 'bWDkarMFyZ', 'wa2kc3FAZX', 'juYk7boAnw', 'DKC7wHtFMt', 'bNR7z9ATZ9', 'eX0kP0n8mO', 'zrbkWNtg3v', 'Ho5kDCtJgQ', 'qiVk68FSDl', 'HcIkHsaWxx'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, O0jGVwaUv4MTQpjdQX.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'UNaDivB2c4', 'JmnDwDyS4p', 'COQDzETRm5', 'Nux6P2rCke', 'Lac6WJel0m', 'q4t6DHdrgq', 'yZx668FUap', 'GumHtaymywhvoFx1MkG'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, EABHNcUx7cui8QBd63.cs	High entropy of concatenated method names: 'tSY5JCtHd5', 'Wyv5Are9Dr', 'ToString', 'c6Z5ab8tVg', 'mjx5R98rMo', 'wSH5c001a2', 'hoG522oPWm', 'sAi57lQwfd', 'dUL5kRlbsQ', 'zqw5Tl5mMC'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, rvC8ruGmaXPNfQLwe7.cs	High entropy of concatenated method names: 'Dispose', 'vxcWi49uUT', 'dorDhBIPUS', 'C3188DRwXE', 'QOTWwBt1Dl', 'vpXWze2Iim', 'ProcessDialogKey', 'rtQDP1a9BE', 'Qj8DWfQF67', 'iwsDDaqVED'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, E7NfDhonfb3w9G3GDE.cs	High entropy of concatenated method names: 'K3RGaujCoW', 'NicGRrJqFj', 'cdHGcbleyk', 'xl2G28pjxd', 'VyaG7kBwUm', 'HR6GkGjlvY', 'l5hGTthCJk', 'oabG0JqwAW', 'bHbGJ0VN7K', 'l4ZGALyLbF'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, uMb4ApCpfPcSnyNGWtS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BjUbuBmyqu', 'SowbKnmOvJ', 'lJub1r1eId', 'KIlbEsG182', 'PoKbYdQdtI', 'WVNb4Y54Vs', 'nF7boO95rY'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, DgimkMnBa6iScPSvt3.cs	High entropy of concatenated method names: 'VSWCfucEU1', 'nMbCI14BEs', 'vwfCuQWpcm', 'wpACKqxxOj', 'jG7Chhvbbh', 'pPyCFYBAV3', 'QvcCvx9fRN', 'sONCVE678Z', 'V02CMJ8oAb', 'J34CdhQgdK'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, LE2n4ybSao7Hpk1pWJ.cs	High entropy of concatenated method names: 'HTZRuD7eHn', 'yyLRKbkCPf', 'HYZR1tG8LC', 'r00RErq1dq', 'bdSRYOoEOp', 'rDRR4di6IM', 'cceRosf6Um', 'DbTRrhjiag', 'txrRiLa8xY', 'QZVRwhxG8O'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, HmdeFwi8tqsrCpvE2J.cs	High entropy of concatenated method names: 'sil5rGnAPX', 'iD25wbslBV', 'akSGP5nHBd', 'UUwGW9gSj8', 'rm65X9K8Fg', 'E7U5IHRIE3', 'XJx5QYu2bU', 'zuL5uyveX3', 'pqQ5KURpY5', 'IPs51yMwPL'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, dldGZm5DSEMwurieaT.cs	High entropy of concatenated method names: 'ImO2ZysJdn', 'H172NEN9W2', 'kCccFsjobM', 'ylfcvLXpQM', 'I8gcVbCJRi', 'h4RcMTbjh9', 'jIYcdhvPV2', 'u29cy3KAkI', 'ObMceR7KRc', 'GWccfwaRBY'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, tvRRUXDFqgUSGWSpO6.cs	High entropy of concatenated method names: 'VsxcmSRwMh', 'L47cnfFM12', 'mDPcpZh2pk', 'quucxUJxQU', 'M27cCjP61N', 'zaPcSfADYr', 'aBMc5UwjWF', 'vPccGWVf87', 'WINcBpRQ3a', 'Qt4cb6dCNI'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, XTZtPXzKNYCGVd6uBL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FMrBqO55PS', 'oETBCkNWHS', 'tZRBSCJRIy', 'eTjB59yWWJ', 'w3RBGcDtBm', 'XkIBBiF6Oi', 'DPOBbOoYhl'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, DIBgUJCEUsMeqLocKNq.cs	High entropy of concatenated method names: 'DaQBsMrDIZ', 'VjUBgusk7S', 'EIEBLYxCYR', 'wcQBm9eHqO', 'uc7BZpSCaH', 'BfmBnpeghM', 'jJrBN0ks7k', 'unyBpJr0i7', 'AxvBxmMGXk', 'G9LB3wvT80'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, Eoqqh5Ml9sAhqOSsO7.cs	High entropy of concatenated method names: 'JLEGj8pL3f', 'C8QGhbLrhF', 'ihVGFpFxTk', 'HbqGv5b791', 'uvqGuqb3LE', 'eEuGVZyqE9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, Axfdph8yP8NSKfbt33.cs	High entropy of concatenated method names: 'FqyqphGrAL', 'UMRqx422Qr', 'sK2qjR7hAQ', 'csvqhKlHjE', 'mLiqvJiYhu', 'FLfqV4pYwA', 'N9Kqdqpotq', 'mZeqygJY7A', 'ghIqf4Y05p', 'dTPqX1Qyb8'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, mjhnXHcNg8OBvjD731.cs	High entropy of concatenated method names: 'ceo7taiGSy', 'J0n7RI5n1k', 'EjI72ShQeg', 'UDm7k7AHZu', 'QF37Tw4l2w', 'zWh2Y03a4M', 'sjf24vQcAi', 'mMW2oH49Ij', 'Oan2rc1ead', 'tRp2iSk5uL'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, D3TLCyXfFxX4gvM42K.cs	High entropy of concatenated method names: 'WBhLUSNMu', 'tOCmblwjh', 'yD4n7TKgL', 'LrQN14wFA', 'oIWxcZImY', 'u2W3mIASC', 'lyBPlX8hAAKfss2o9u', 'XxZdcD4sDhXe4CQ4Kl', 'KExGfPYit', 'CqubLcjQl'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, gFdkwVwVPnHaQh4QlV.cs	High entropy of concatenated method names: 'SWV6tYwxR1', 'X6M6ajSm5j', 'Qqw6RHWESw', 'YtW6ccy08V', 'a8862h6v3r', 'fcx67EDGol', 'Ovw6k97Esg', 'ED36THRJYx', 'EKP60UZQT7', 'Olr6JT5PZC'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, ePkS30kFgfcvdqkOuC.cs	High entropy of concatenated method names: 'xPKksy7hEC', 'HjRkgSKSBR', 'o6ekLqOmgV', 'R6XkmqZDOf', 'ncXkZ5M9qx', 'lSwknqhjyo', 'uXVkNYPUpZ', 'T0PkpnRN5e', 'vk8kx2aINS', 'ygck3q2iuH'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, V0jgndFki4pFRgA91I.cs	High entropy of concatenated method names: 'DFhBW85TTF', 'fcfB6yGjwh', 'SYIBH80U6R', 'NZiBarpKEd', 'uB7BRk4gJr', 'CKXB22qUnS', 'yUbB7GfLyr', 'BMGGoxmoJf', 'jEUGrY9LTU', 'DFXGi89vMe'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, VhOVCGr6RR3qufgNAQ.cs	High entropy of concatenated method names: 'fNpWkYoBwq', 'AuoWTonbfJ', 'w20WJMHiDw', 'ScgWASB4wc', 'WlnWCtSRII', 'RBtWSHGF49', 'wwF82WojRUDirnK0I0', 'otXWXZ6LZmhggCl6gA', 'k3YWWVyWfT', 'n97W6dq5th'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, pLRVFvfot7kIP6Idfv.cs	High entropy of concatenated method names: 'ToString', 'ywjSX4TEQD', 'YqcShwn3fH', 'toPSFSdtCK', 'ja9SvIkOum', 'QsOSV33Hj5', 'IkiSMF0apa', 'B8rSdOGtxO', 'SFKSycbBV8', 'WQQSeqLOVy'
Source: 0.2.Quotation_#432768#_pdf.scr.exe.4327db0.3.raw.unpack, kx9fJU6dXwdDAAjGIw.cs	High entropy of concatenated method names: 'bWDkarMFyZ', 'wa2kc3FAZX', 'juYk7boAnw', 'DKC7wHtFMt', 'bNR7z9ATZ9', 'eX0kP0n8mO', 'zrbkWNtg3v', 'Ho5kDCtJgQ', 'qiVk68FSDl', 'HcIkHsaWxx'

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Quotation_#432768#_pdf.scr.exe PID: 6388, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Memory allocated: 10C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Memory allocated: 1350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Memory allocated: 7BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Memory allocated: 8BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Memory allocated: 8DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Memory allocated: 9DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Memory allocated: 2690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Memory allocated: 4830000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599651	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598756	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598632	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598527	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598395	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596843	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596624	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596279	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 594375	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Window / User API: threadDelayed 8122			Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Window / User API: threadDelayed 1725			Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 5052	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 5068	Thread sleep count: 8122 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 5068	Thread sleep count: 1725 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -599651s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -599093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -598756s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -598632s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -598527s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -598395s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -598046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -597937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -597718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -597390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -597281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -597062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -596843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -596734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -596624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -596279s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -594921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -594593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -594484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe TID: 3224	Thread sleep time: -594375s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599651	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598756	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598632	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598527	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598395	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596843	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596624	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596279	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Thread delayed: delay time: 594375	Jump to behavior

Source: Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4458691903.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

Process created: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe "C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Quotation_#432768#_pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4459604058.00000000028AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4458393564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4459604058.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1984543642.000000000412D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation_#432768#_pdf.scr.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Quotation_#432768#_pdf.scr.exe PID: 5880, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.5a40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.3f40f90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.5a40000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.3f40f90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1984543642.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1986457181.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Quotation_#432768#_pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4458393564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4459604058.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1984543642.000000000412D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation_#432768#_pdf.scr.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Quotation_#432768#_pdf.scr.exe PID: 5880, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Quotation_#432768#_pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.41edc10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.41b35f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4459604058.00000000028AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4458393564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4459604058.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1984543642.000000000412D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation_#432768#_pdf.scr.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Quotation_#432768#_pdf.scr.exe PID: 5880, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.5a40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.3f40f90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.5a40000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_#432768#_pdf.scr.exe.3f40f90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1984543642.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1986457181.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	1 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quotation_#432768#_pdf.scr.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
Quotation_#432768#_pdf.scr.exe	34%	Virustotal		Browse
Quotation_#432768#_pdf.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
api.ipify.org	1%	Virustotal	Browse
wapination.net	0%	Virustotal	Browse
ftp.wapination.net	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://wapination.net	0%	Avira URL Cloud	safe
http://tempuri.org/DataSet1.xsd	0%	Avira URL Cloud	safe
http://ftp.wapination.net	0%	Avira URL Cloud	safe
http://wapination.net	0%	Virustotal		Browse
http://tempuri.org/DataSet1.xsd	2%	Virustotal		Browse
http://ftp.wapination.net	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false	1%, Virustotal, Browse	unknown
wapination.net	108.179.234.136	true	false	0%, Virustotal, Browse	unknown
ftp.wapination.net	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	Quotation_#432768#_pdf.scr.exe, 00000000.00000002.1984543642.000000000412D000.00000004.00000800.00020000.00000000.sdmp, Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4458393564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4459604058.0000000002831000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ftp.wapination.net	Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4459604058.00000000028AC000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://account.dyn.com/	Quotation_#432768#_pdf.scr.exe, 00000000.00000002.1984543642.000000000412D000.00000004.00000800.00020000.00000000.sdmp, Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4458393564.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org/t	Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4459604058.0000000002831000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4459604058.0000000002831000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wapination.net	Quotation_#432768#_pdf.scr.exe, 00000003.00000002.4459604058.00000000028AC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/DataSet1.xsd	Quotation_#432768#_pdf.scr.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.179.234.136	wapination.net	United States		46606	UNIFIEDLAYER-AS-1US	false
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1441939
Start date and time:	2024-05-15 13:46:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quotation_#432768#_pdf.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 81 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:46:49	API Interceptor	10939191x Sleep call for process: Quotation_#432768#_pdf.scr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
108.179.234.136	Payment Advice Copy-EUR 5500,00 20240419165413-docx.pif.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
108.179.234.136	Payment_Advice-pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse
172.67.74.152	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Purchase order.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	MT_078410_00_032.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Copy#1905208.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	rMT_IEVOLI_SPRINT_pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	BANK SWIFT.pdf_________________________________________________________________________.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Xlrfx.bat	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Order List 300572024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	new order 20240508.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Shipping Advice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	new order 20240508.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	AWB#150322.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.253.239
	Document.exe	Get hash	malicious	MyDoom	Browse	192.254.190.168
	Revised Order.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.241.123.127
	Order Items.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	162.240.81.18
	ITEMS.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	162.240.81.18
	https://fms-logistics.antena1foz.com.br/fdufigu/zoaodfhaza/xoforniche/Dkbvtyesxq/gvxQafolA/	Get hash	malicious	Unknown	Browse	162.214.126.9
	facturas y albaranes del mes de marzo y abril-pdf.exe	Get hash	malicious	FormBook	Browse	162.240.81.18
	vm6XYZzWOd.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	192.254.224.20
	rCheq0004783.bat	Get hash	malicious	FormBook, GuLoader	Browse	108.167.183.29
	rRFQ_251477800TM.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	108.167.140.123
CLOUDFLARENETUS	http://academictutoringcenters.com	Get hash	malicious	Unknown	Browse	104.16.117.116
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	scan_document.html	Get hash	malicious	Unknown	Browse	104.18.24.163
	Purchase order.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	MT_078410_00_032.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Copy#1905208.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	rMT_IEVOLI_SPRINT_pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	BANK SWIFT.pdf_________________________________________________________________________.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Xlrfx.bat	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Order List 300572024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Purchase order.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	MT_078410_00_032.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Copy#1905208.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	rMT_IEVOLI_SPRINT_pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	BANK SWIFT.pdf_________________________________________________________________________.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Xlrfx.bat	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Order List 300572024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	new order 20240508.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Shipping Advice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	new order 20240508.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.974387281518562
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Quotation_#432768#_pdf.scr.exe
File size:	716'288 bytes
MD5:	52c3bf6b32a777a43cf7b59d0c0b6b46
SHA1:	d691b2d4b44fde837524624af85bccb4b01cd5ec
SHA256:	1c97deae0a90b78b7801e71c84b3308738b9def07711e0088e985e1dad640582
SHA512:	50120e417ba5f64c33b289765261ff83ccaf06eaaa77a85451218257ac3ba56dddacd27833449ad8bc3fbc08014795d55ee2035fad01998a59bddde52b6debad
SSDEEP:	12288:Qci2iN3skSKSIw6RC9eYIgHlrFtZ+0FrjM8vAqWFDG+XdMrwzJaLB7qDY:Q319JSNIoPISRts0NiGqdMrw1axq0
TLSH:	1AE4230D7790AB1FE73F93B55A98C21583327507661CD35A2EC920C78EEA391C7B096B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4b00f6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF4A5DCBC [Sun Jan 24 21:50:52 2100 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb00a2	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x658	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xae51c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xae0fc	0xae200	dc0b861003a272bf517f743b30862d84	False	0.9759960516870064	data	7.980317797577168	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x658	0x800	c3fb658149af0eb69f09c82ee451c48c	False	0.34423828125	data	3.5324990894528225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x200	0901ceb4416091449ea24f54c4d5ff51	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb2090	0x3c8	data			0.4121900826446281
RT_MANIFEST	0xb2468	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 15, 2024 13:46:51.233519077 CEST	49706	443	192.168.2.5	172.67.74.152
May 15, 2024 13:46:51.233553886 CEST	443	49706	172.67.74.152	192.168.2.5
May 15, 2024 13:46:51.233616114 CEST	49706	443	192.168.2.5	172.67.74.152
May 15, 2024 13:46:51.242239952 CEST	49706	443	192.168.2.5	172.67.74.152
May 15, 2024 13:46:51.242264986 CEST	443	49706	172.67.74.152	192.168.2.5
May 15, 2024 13:46:51.473834038 CEST	443	49706	172.67.74.152	192.168.2.5
May 15, 2024 13:46:51.473927975 CEST	49706	443	192.168.2.5	172.67.74.152
May 15, 2024 13:46:51.496670961 CEST	49706	443	192.168.2.5	172.67.74.152
May 15, 2024 13:46:51.496690035 CEST	443	49706	172.67.74.152	192.168.2.5
May 15, 2024 13:46:51.497034073 CEST	443	49706	172.67.74.152	192.168.2.5
May 15, 2024 13:46:51.548254967 CEST	49706	443	192.168.2.5	172.67.74.152
May 15, 2024 13:46:52.053915977 CEST	49706	443	192.168.2.5	172.67.74.152
May 15, 2024 13:46:52.100128889 CEST	443	49706	172.67.74.152	192.168.2.5
May 15, 2024 13:46:52.233369112 CEST	443	49706	172.67.74.152	192.168.2.5
May 15, 2024 13:46:52.233434916 CEST	443	49706	172.67.74.152	192.168.2.5
May 15, 2024 13:46:52.233498096 CEST	49706	443	192.168.2.5	172.67.74.152
May 15, 2024 13:46:52.240032911 CEST	49706	443	192.168.2.5	172.67.74.152
May 15, 2024 13:46:52.970582008 CEST	49708	21	192.168.2.5	108.179.234.136
May 15, 2024 13:46:53.092200041 CEST	21	49708	108.179.234.136	192.168.2.5
May 15, 2024 13:46:53.092305899 CEST	49708	21	192.168.2.5	108.179.234.136
May 15, 2024 13:46:53.096545935 CEST	49708	21	192.168.2.5	108.179.234.136
May 15, 2024 13:46:53.214698076 CEST	21	49708	108.179.234.136	192.168.2.5
May 15, 2024 13:46:53.214787006 CEST	49708	21	192.168.2.5	108.179.234.136
May 15, 2024 13:46:53.218038082 CEST	21	49708	108.179.234.136	192.168.2.5
May 15, 2024 13:46:53.218103886 CEST	49708	21	192.168.2.5	108.179.234.136
May 15, 2024 13:46:53.218468904 CEST	21	49708	108.179.234.136	192.168.2.5
May 15, 2024 13:46:53.218513966 CEST	49708	21	192.168.2.5	108.179.234.136

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 15, 2024 13:46:51.116761923 CEST	62665	53	192.168.2.5	1.1.1.1
May 15, 2024 13:46:51.226393938 CEST	53	62665	1.1.1.1	192.168.2.5
May 15, 2024 13:46:52.780751944 CEST	55058	53	192.168.2.5	1.1.1.1
May 15, 2024 13:46:52.968645096 CEST	53	55058	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 15, 2024 13:46:51.116761923 CEST	192.168.2.5	1.1.1.1	0xeedb	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
May 15, 2024 13:46:52.780751944 CEST	192.168.2.5	1.1.1.1	0x38e6	Standard query (0)	ftp.wapination.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 15, 2024 13:46:51.226393938 CEST	1.1.1.1	192.168.2.5	0xeedb	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
May 15, 2024 13:46:51.226393938 CEST	1.1.1.1	192.168.2.5	0xeedb	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
May 15, 2024 13:46:51.226393938 CEST	1.1.1.1	192.168.2.5	0xeedb	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
May 15, 2024 13:46:52.968645096 CEST	1.1.1.1	192.168.2.5	0x38e6	No error (0)	ftp.wapination.net	wapination.net		CNAME (Canonical name)	IN (0x0001)	false
May 15, 2024 13:46:52.968645096 CEST	1.1.1.1	192.168.2.5	0x38e6	No error (0)	wapination.net		108.179.234.136	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	172.67.74.152	443	5880	C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-15 11:46:52 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-05-15 11:46:52 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 15 May 2024 11:46:52 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8842e3d3acb64bff-MIA
2024-05-15 11:46:52 UTC	12	IN	Data Raw: 38 34 2e 31 37 2e 34 30 2e 31 30 32 Data Ascii: 84.17.40.102

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 15, 2024 13:46:53.214698076 CEST	21	49708	108.179.234.136	192.168.2.5	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 06:46. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 06:46. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 06:46. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
May 15, 2024 13:46:53.218038082 CEST	21	49708	108.179.234.136	192.168.2.5	220 Logout.

Target ID:	0
Start time:	13:46:49
Start date:	15/05/2024
Path:	C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe"
Imagebase:	0x9d0000
File size:	716'288 bytes
MD5 hash:	52C3BF6B32A777A43CF7B59D0C0B6B46
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1984543642.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1986457181.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1984543642.000000000412D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1984543642.000000000412D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:46:50
Start date:	15/05/2024
Path:	C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quotation_#432768#_pdf.scr.exe"
Imagebase:	0x500000
File size:	716'288 bytes
MD5 hash:	52C3BF6B32A777A43CF7B59D0C0B6B46
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4459604058.00000000028AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4458393564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4458393564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4459604058.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4459604058.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	104
Total number of Limit Nodes:	4

Executed Functions

Function 05486C50 Relevance: 8.5, Strings: 6, Instructions: 1042
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJoq, xrefs: 05486DF5
xbmq, xrefs: 05486D80
Tejq, xrefs: 054874AA
4'jq, xrefs: 05487851
pnq, xrefs: 05487929
LC?;, xrefs: 0548706F

Memory Dump Source

Source File: 00000000.00000002.1985803064.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: 4'jq$LC?;$TJoq$Tejq$pnq$xbmq
API String ID: 0-1094910315
Opcode ID: 58eb8dd3a287aa3504c483e888046a15cdd4d2b980b2add915242a71ed16582e
Instruction ID: c9a5fde0fc7908e4144891ccb442e3b8dc1ce620af0bd14be3639e0dbbcde14e
Opcode Fuzzy Hash: 58eb8dd3a287aa3504c483e888046a15cdd4d2b980b2add915242a71ed16582e
Instruction Fuzzy Hash: 5FB2C075A00228CFDB65DF69C984ADDBBB2FF89304F1581E9D509AB225DB319E81CF40

Function 072B1350 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987151767.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb45fb4194ce6c07e4f10e6c43f6d4a0a0e0c8feed666bd47f31950c02681fcb
Instruction ID: b181330c97d7ffdc15bf9bf2646fb0adaa87a906b11b9da0a4475d977578e6fa
Opcode Fuzzy Hash: cb45fb4194ce6c07e4f10e6c43f6d4a0a0e0c8feed666bd47f31950c02681fcb
Instruction Fuzzy Hash: 0A32CCB0B1120A8FDB29DB69C460BEEB7F6AF89740F24446DE4469B390DB34ED01CB51

Function 054862A0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1985803064.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152c5f5824e028fe85f1780931e553d3ef380b8209b4f78bbac627d9e03104f0
Instruction ID: ebb52f067f25fcfdf58cccb40cafc32fced75306779aa61d195b09957836fdc0
Opcode Fuzzy Hash: 152c5f5824e028fe85f1780931e553d3ef380b8209b4f78bbac627d9e03104f0
Instruction Fuzzy Hash: 65110671E006188BEB19DFABD8052DEBAF7BFC9300F14C07AD4196B258EB750856CA50

Function 054862B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1985803064.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08857fc2a27e2c03fadc600a8c81e2bef3ef5a73423ffcb621d86609ad961ff
Instruction ID: aa7480013bd37ea2e68c8b1d43dbf8aaf669956a1382911c29f1d0d44a0d2ecb
Opcode Fuzzy Hash: f08857fc2a27e2c03fadc600a8c81e2bef3ef5a73423ffcb621d86609ad961ff
Instruction Fuzzy Hash: 3411A471E046188BEB18DFABC8142DEFAF7BFC9300F14C07AD419AA258DB7409468B54

Function 010CCFD0 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 010CD05E
GetCurrentThread.KERNEL32 ref: 010CD09B
GetCurrentProcess.KERNEL32 ref: 010CD0D8
GetCurrentThreadId.KERNEL32 ref: 010CD131

Memory Dump Source

Source File: 00000000.00000002.1982283531.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a766a4efca7a98c8e40cb1143c0cb5bae32b4a812de5c8c1c011a0e237a18e93
Instruction ID: 8a259603d305b0c22c74b20c88cbe2a0effcb68fd20a9cf719fca2020e1b9e82
Opcode Fuzzy Hash: a766a4efca7a98c8e40cb1143c0cb5bae32b4a812de5c8c1c011a0e237a18e93
Instruction Fuzzy Hash: 605166B09003498FDB18DFA9D948B9EBBF5FF88304F20816DE409A7260D7389844CF65

Function 010CCFE0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 010CD05E
GetCurrentThread.KERNEL32 ref: 010CD09B
GetCurrentProcess.KERNEL32 ref: 010CD0D8
GetCurrentThreadId.KERNEL32 ref: 010CD131

Memory Dump Source

Source File: 00000000.00000002.1982283531.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0864afc25352e5b54378a97208eb0a0f9da126c196dacf3fc8b06faaeb7d7294
Instruction ID: 717a35c591ac9c6e1faa8a77e293ece58839b929bf5bbb5ee20cb17688182910
Opcode Fuzzy Hash: 0864afc25352e5b54378a97208eb0a0f9da126c196dacf3fc8b06faaeb7d7294
Instruction Fuzzy Hash: 6B5136B09003498FDB18DFA9D948BAEBBF5FF88304F20816DE419A7260D7389944CF65

Function 010CAD48 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010CAF9E

Memory Dump Source

Source File: 00000000.00000002.1982283531.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0df540f6fdb0abf589c1173450cc587acebf1460f4872d9ce8393d67efa23ad7
Instruction ID: 157920cc0af9266d9e0c81749b225e3f140114729f716740c248a108c85409f2
Opcode Fuzzy Hash: 0df540f6fdb0abf589c1173450cc587acebf1460f4872d9ce8393d67efa23ad7
Instruction Fuzzy Hash: FC712270A00B09CFDB64DF69D44479ABBF5BF88700F108A6DD48A9BA50E735E849CF90

Function 010C590C Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010C59C9

Memory Dump Source

Source File: 00000000.00000002.1982283531.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fe363cd87a62a0eeb1cbd86624b8197790d54f337904a8f7c410b0f9be6a5c7a
Instruction ID: fa226838c1f0e4e51b8b64f07c3bacfeb9e8c7c92ed6b498935746f81b317aa2
Opcode Fuzzy Hash: fe363cd87a62a0eeb1cbd86624b8197790d54f337904a8f7c410b0f9be6a5c7a
Instruction Fuzzy Hash: 73410FB4C00319CFDB24CFAAC884ACDBBF1BF49304F20816AD408AB260DB75694ACF50

Function 010C44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010C59C9

Memory Dump Source

Source File: 00000000.00000002.1982283531.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6fdb9004de2d9a79e8078384ded2d7abc52276b525eacda2aa54be6985ed02bf
Instruction ID: e498a2125af12ec5973c7f9867663d0efed29f0ef86732e11ab0b0e3e770de00
Opcode Fuzzy Hash: 6fdb9004de2d9a79e8078384ded2d7abc52276b525eacda2aa54be6985ed02bf
Instruction Fuzzy Hash: 5641E2B4D00719CADB24DFAAC848ACEBBF5BF49704F20806AD408AB255DB756945CF90

Function 010CD629 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010CD6B7

Memory Dump Source

Source File: 00000000.00000002.1982283531.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 38c43a7bcf8dd2e7eebfcbc2b1714a6dfa340dc3f6cab52c669c979e46e7feee
Instruction ID: b49dce72eb0410ed504d92abd4c4e9c8f6bcdaad7902ccc9dd0422bd7ce40596
Opcode Fuzzy Hash: 38c43a7bcf8dd2e7eebfcbc2b1714a6dfa340dc3f6cab52c669c979e46e7feee
Instruction Fuzzy Hash: E821F8B59002489FDB10CF9AD584ADEFFF9FB48310F14842AE958A3350C378A944CFA5

Function 010CD630 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010CD6B7

Memory Dump Source

Source File: 00000000.00000002.1982283531.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ebc4d5ad37ccccd41a23bde5f265dfeae134bf02bb9c744bc2fee4a7d10098db
Instruction ID: 124a35a87dfb979c17c4e27bb059c2eb3158ad1c3a62618566c661235d286dda
Opcode Fuzzy Hash: ebc4d5ad37ccccd41a23bde5f265dfeae134bf02bb9c744bc2fee4a7d10098db
Instruction Fuzzy Hash: C521D5B59002489FDB10DF9AD984ADEFFF9FB48310F14845AE958A3350D378A944CFA5

Function 072B1F48 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 072B1FA8

Memory Dump Source

Source File: 00000000.00000002.1987151767.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3aba042a90b61732b90b92da14b8eaa4bd24c6f3152740f16459e2295a3cd21e
Instruction ID: 153ad7e58d9d3c139923ec748e7c57b081209de894dbeee5e950334fe2889982
Opcode Fuzzy Hash: 3aba042a90b61732b90b92da14b8eaa4bd24c6f3152740f16459e2295a3cd21e
Instruction Fuzzy Hash: D6218CB58003498FCB20DFA9D444BDEFFF5EB49350F24885AD658A7641D338A545CFA1

Function 010CA0D0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010CB019,00000800,00000000,00000000), ref: 010CB22A

Memory Dump Source

Source File: 00000000.00000002.1982283531.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9c79a0e216257812b8ed45181283cbff46936c2c3f52d421333df8a3b18a7f85
Instruction ID: aa11e9359d1d9c2b57db6ac889a6e139815dad8b795c729b8579d6ba289c5e30
Opcode Fuzzy Hash: 9c79a0e216257812b8ed45181283cbff46936c2c3f52d421333df8a3b18a7f85
Instruction Fuzzy Hash: F01126B68003088FDB10DF9AD448ADEFFF9EB48710F10846EE559A7250C379A545CFA5

Function 010CB1B9 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010CB019,00000800,00000000,00000000), ref: 010CB22A

Memory Dump Source

Source File: 00000000.00000002.1982283531.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b41980c8b2a0d89e258cd528b8663010d5571fd4472121a7b9fe551104ef7985
Instruction ID: c185578beee28804755e4ec0f35696b007403963b7f1644705ea3e063f7c000f
Opcode Fuzzy Hash: b41980c8b2a0d89e258cd528b8663010d5571fd4472121a7b9fe551104ef7985
Instruction Fuzzy Hash: 891123B6C003088FDB10DFAAD844ADEFBF5EB88720F10846ED959A7210C379A545CFA5

Function 010CAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010CAF9E

Memory Dump Source

Source File: 00000000.00000002.1982283531.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e13d97101e27c3bedf11638fc444981dfda6ae7fbaccec6d7fdb929349869d69
Instruction ID: b6cf951c4142e324d84091b31d8c859084d2ae4d078394bbc8235e7cd7839945
Opcode Fuzzy Hash: e13d97101e27c3bedf11638fc444981dfda6ae7fbaccec6d7fdb929349869d69
Instruction Fuzzy Hash: 701140B5C00249CFCB10CF9AD444ADEFBF8EF88314F10846AD858A3240D378A545CFA1

Function 072B1F50 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 072B1FA8

Memory Dump Source

Source File: 00000000.00000002.1987151767.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5ac15c86690d9ce5c5c297aa589bca5789fe957ed1d22a0bc247922cade30b01
Instruction ID: d23648d186206a2d5816a73c5824805b81d855d9e2cf3b7b61ef1053622cf342
Opcode Fuzzy Hash: 5ac15c86690d9ce5c5c297aa589bca5789fe957ed1d22a0bc247922cade30b01
Instruction Fuzzy Hash: 271133B58003498FCB20DF9AC544BDEFBF4EB48320F10842AD918A7340C338A544CFA5

Function 0548FEE0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0548FF3D

Memory Dump Source

Source File: 00000000.00000002.1985803064.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 02bae6ae301566c83b394a1552a48418cf3f537e5dbbbde9e733fdb40eca3e17
Instruction ID: 99c33a50e7e3e2ea3179d48b96c9a6ec4915bd72c6fe6bd9de4a6aa07f2553c7
Opcode Fuzzy Hash: 02bae6ae301566c83b394a1552a48418cf3f537e5dbbbde9e733fdb40eca3e17
Instruction Fuzzy Hash: 821103B58003489FCB10DF9AD844BDEFBF8FB48310F10845AE518A3240C379A544CFA1

Function 0106D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982126142.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9359631de9f2168074af50c1668e34b9c031e7cbb4e74aef5b6952c7169f08f9
Instruction ID: 438603067383d736d935190bcc6b9deec772ee1a94b3a4516e0538b69d486ff5
Opcode Fuzzy Hash: 9359631de9f2168074af50c1668e34b9c031e7cbb4e74aef5b6952c7169f08f9
Instruction Fuzzy Hash: 83214871600244DFDB05DF58C9C0F5ABFA9FB98314F20C1A9E9890B256C73AE806C7A1

Function 0107D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982161759.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3299bbfc34e1298bc89c72634ae602b3d61b0130a777600e4d097a358473f6
Instruction ID: f47e9ca24750877ac0bc84bbbb4142bc2116cbd39f1073141cfa6a47df818eb8
Opcode Fuzzy Hash: cf3299bbfc34e1298bc89c72634ae602b3d61b0130a777600e4d097a358473f6
Instruction Fuzzy Hash: C021F571A04204EFDB05DF98D5C0B26BBA5FF94324F24C5ADD9894B256C33AD407CB65

Function 0107D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982161759.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20447a5d8f39c6028ddc56c260ad931906abc6597a9e6149c1e299a08cdd08b0
Instruction ID: ad13960cc0d70a776f055616734af62c6b8569ad9da0c1ad56f7504374f5bb2d
Opcode Fuzzy Hash: 20447a5d8f39c6028ddc56c260ad931906abc6597a9e6149c1e299a08cdd08b0
Instruction Fuzzy Hash: 44212571A04200DFCB16DF68D980B16BFA5FF84314F20C5ADE9890B256C33AD407CBA1

Function 0107D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982161759.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4405460ae52a293c97faf1d4fc2adb2248620e9783e3a8543f375a8687f46e17
Instruction ID: 9098359b5d9d2b8aaa30f2e2ac662886be6ee29c8dbc5f4a1f9c2297eec3ffc5
Opcode Fuzzy Hash: 4405460ae52a293c97faf1d4fc2adb2248620e9783e3a8543f375a8687f46e17
Instruction Fuzzy Hash: 272165755093808FD713CF64D594715BFB1EF46214F28C5DAD8898F667C33A980ACBA2

Function 0106D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982126142.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: c495165a07be342fbee8c0a19b3a496aa640a60f98b9cbedfbdea9aa7040785f
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 19110372504240CFDB02CF44D5C4B56BFB1FB88324F24C6A9D9890B257C33AE85ACBA2

Function 0107D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982161759.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: e13e34b5ec51edd3c26ada1358e668545c2c1f6abd6984447acc7fcb7604cc5a
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 6611BB75904280DFDB02CF54C5C4B15BFA1FF84224F28C6A9D9894B296C33AD40BCB62

Function 0106D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982126142.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4066cff972461121eb2b7a73fe436369ec9c4708fd70d7809267cb8d45b965f0
Instruction ID: e3eee54d07cee075101ab746dafbd3031eb56026d9d0ef7450bab39eeb375629
Opcode Fuzzy Hash: 4066cff972461121eb2b7a73fe436369ec9c4708fd70d7809267cb8d45b965f0
Instruction Fuzzy Hash: A701F7312043849AE7618E99CC84B6AFFDCFF55320F18C46AEDC80A296D23D9840CB72

Function 0106D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982126142.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6202b8c1ea3409ce8ec8a8561f3a76cae1d2114efe7f1aadcb044e72a542c270
Instruction ID: f1dcd9c9e665f01e71d2719b11c1bcb0fcb406c8686104f3a4c0197cf721983d
Opcode Fuzzy Hash: 6202b8c1ea3409ce8ec8a8561f3a76cae1d2114efe7f1aadcb044e72a542c270
Instruction Fuzzy Hash: C2F0C2715043849EE7218E0ADC84B62FFECFF55624F18C49AED884B396D2799844CBB1

Non-executed Functions

Function 05486C3F Relevance: 4.0, Strings: 3, Instructions: 247COMMON

Download Yara Rule

Strings

TJoq, xrefs: 05486DF5
xbmq, xrefs: 05486D80
Tejq, xrefs: 054874AA

Memory Dump Source

Source File: 00000000.00000002.1985803064.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: TJoq$Tejq$xbmq
API String ID: 0-903294719
Opcode ID: 805a46b0003557e86668ecc291beb2cbab37507707361c5329abaf286b311090
Instruction ID: a78843f58e0e31ed29cfe26608fe7acbd22d3125ce0377ad38bef45f1636a3b2
Opcode Fuzzy Hash: 805a46b0003557e86668ecc291beb2cbab37507707361c5329abaf286b311090
Instruction Fuzzy Hash: EFC17475E006188FDB58DF6AC954ADDBBF2BF89300F14C1A9D809AB365DB309A85CF50

Function 054869B6 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

4'jq, xrefs: 05486A89

Memory Dump Source

Source File: 00000000.00000002.1985803064.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: dce06871ff8ecd9207856d4aee851d2f5df124f1128ee90514a332f3bbd0c7dc
Instruction ID: 8c5cab4b4b1737e8c6410022f8632d16b00bc2a422e8bc010e057b08219f89a1
Opcode Fuzzy Hash: dce06871ff8ecd9207856d4aee851d2f5df124f1128ee90514a332f3bbd0c7dc
Instruction Fuzzy Hash: A1611A70E40209CFDB08EF6BE951A9EBBF6BF98304F14C529D0089B269DB745949CF81

Function 054869B8 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'jq, xrefs: 05486A89

Memory Dump Source

Source File: 00000000.00000002.1985803064.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: 3e12020a80fdd3ec7a1e33579c0f1e8608b18957cffd9d518e7a8da9a533f585
Instruction ID: b2cca145e6862ae9f8435de38e2970ef031055e85aa85c631cd11bfd6d8e382f
Opcode Fuzzy Hash: 3e12020a80fdd3ec7a1e33579c0f1e8608b18957cffd9d518e7a8da9a533f585
Instruction Fuzzy Hash: 6C610B70E40209CFDB08EF6BE951A9EBBF6BF98304F14C529D0049B269DB745949CF91

Function 010CD55C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982283531.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 429c13a321ab6ff14931ac6b653e12b642eadc5532da4afc8142218f7aa9abec
Instruction ID: ab8305016f23e929dc801d505aea2f1abdf4e9cde4650698abb1e748b13fdba2
Opcode Fuzzy Hash: 429c13a321ab6ff14931ac6b653e12b642eadc5532da4afc8142218f7aa9abec
Instruction Fuzzy Hash: 0DA14B32A002168FCF19DFB9C94459EBBB2FF85700B1581AEE906AB265DB31D945CF41

Function 05488160 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1985803064.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fee1646c61edad33aa18119aeed2bcf7781344e94cf84ffaae08eac507a3fc
Instruction ID: 4adae8486f87f14e168b51716d0a50fade49ce625ed9b3d0cb542130c07325f5
Opcode Fuzzy Hash: 77fee1646c61edad33aa18119aeed2bcf7781344e94cf84ffaae08eac507a3fc
Instruction Fuzzy Hash: 20414671D05A188BEB5CCF6B9D406DEFAF3AFC9301F54C1BA980CAA255DB3049469F11

Function 05488150 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1985803064.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010126d1bac00afa0fc67c839fba2c5fa707998ee627e9505c29a7798ac433da
Instruction ID: de71a92c873471bc91a39ddd5918abf6a6250fc21b0bc07a735a75d51479139c
Opcode Fuzzy Hash: 010126d1bac00afa0fc67c839fba2c5fa707998ee627e9505c29a7798ac433da
Instruction Fuzzy Hash: CC415571E05A588BEB5CCF6B9D406DAFBF3AFC9301F14C1BA884CAA225DB3005469F00

Analysis Process: Quotation_#432768#_pdf.scr.exePID: 5880, Parent PID: 6388COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	131
Total number of Limit Nodes:	15

Executed Functions

Function 065A3130 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$jq, xrefs: 065A383B
$jq, xrefs: 065A387C
$jq, xrefs: 065A3864
$jq, xrefs: 065A3888
$jq, xrefs: 065A3858
$jq, xrefs: 065A382F

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-3356825164
Opcode ID: de53efe8c4b27bf73f92a332b58d638ed0df8a07f9c0f26fa28ed98264401ffe
Instruction ID: 0bdb3ace2fa8222f5c6fe30ed938b281e6f671f278ae679e1c921040329ca422
Opcode Fuzzy Hash: de53efe8c4b27bf73f92a332b58d638ed0df8a07f9c0f26fa28ed98264401ffe
Instruction Fuzzy Hash: 4C321F30E1071ACFCB14EF65D95459DB7B6FFC9300F2586AAD409AB264EB30A985CF50

Function 065A7E40 Relevance: 3.0, Strings: 2, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$jq, xrefs: 065A8189
$jq, xrefs: 065A817D

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: 6e33c0403d535080502fda89c36199926d5a823b808549036b51131b9a2f5baf
Instruction ID: 590bc4af70398d7048a6b3740e78a627b074aa1da5c49f17ee7d3ad7f015fd4a
Opcode Fuzzy Hash: 6e33c0403d535080502fda89c36199926d5a823b808549036b51131b9a2f5baf
Instruction Fuzzy Hash: 8B02AD30B002058FDB58DF64E990AAEB7F6FF84304F248569D416AB395DB35ED46CB90

Function 065A5678 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

$, xrefs: 065A5CFD

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: c061874df15bf43634d75e9120435b46df8232656885b8de7b66c7faeeb146c6
Instruction ID: 20c97520dbe32ddda76f9c23256add4f7d969e3931c3026fbe3e99df102914ec
Opcode Fuzzy Hash: c061874df15bf43634d75e9120435b46df8232656885b8de7b66c7faeeb146c6
Instruction Fuzzy Hash: C122D271E003159FDF60DBA4C590AAEBBB2FF84320F24846AD40AAB355EA35DD45CF91

Function 065AC248 Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555fdeee0d853835cd5bf3b622403790ae10c3a461361148c71b12eede4a41dc
Instruction ID: 4e596a22abcdf139aacc9b96610439ced70eca5b0fb56c45b295450e50e1af32
Opcode Fuzzy Hash: 555fdeee0d853835cd5bf3b622403790ae10c3a461361148c71b12eede4a41dc
Instruction Fuzzy Hash: 8A328D34A002099FDF54DB68D980BAEB7B6FF88310F148969E405EB355DB35EC45CB91

Function 065AB2FD Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064d3182fe11351b390bf28b0ce6e1324fbb20c98dc7e4d0ee5e82f9c3ced5b9
Instruction ID: 34129cf8d5c591b403bb1c92c507103ecf5f159c8fa28cbc9bb70619becc1684
Opcode Fuzzy Hash: 064d3182fe11351b390bf28b0ce6e1324fbb20c98dc7e4d0ee5e82f9c3ced5b9
Instruction Fuzzy Hash: 5B126070E102098FEFA4DB68D5807ADB7B6FB89310F64892AE405DB395DA35DC81CB91

Function 065AB710 Relevance: 8.0, Strings: 6, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$jq, xrefs: 065ABCA3
$jq, xrefs: 065ABC6F
$jq, xrefs: 065ABC47
$jq, xrefs: 065ABC7B
$jq, xrefs: 065ABC3B
$jq, xrefs: 065ABCAF

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-3356825164
Opcode ID: 17bb0d5ff77537c819561f599ef6c2e5030c8420ad389a71d84ef2dfd0421565
Instruction ID: cf1336e1b1d51b4ad32ec4839001d40c5bb4ffe05cb88dfc9cda10ab7b2418a8
Opcode Fuzzy Hash: 17bb0d5ff77537c819561f599ef6c2e5030c8420ad389a71d84ef2dfd0421565
Instruction Fuzzy Hash: 5E027A30E0030A8FDBA4CF68D590AADB7B2FF85310F64896AE415EB255DB35EC45CB91

Function 06592862 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 065928EE
GetCurrentThread.KERNEL32 ref: 0659292B
GetCurrentProcess.KERNEL32 ref: 06592968
GetCurrentThreadId.KERNEL32 ref: 065929C1

Memory Dump Source

Source File: 00000003.00000002.4464222370.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6590000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 072d5fd0c72d2952b0cce73637c1232c1750a199c9c8f9fcea5bdc6bf7c14133
Instruction ID: 531943c4e1a43d1fee69c2e83bb9de768973a3e1e7a14ccf9304d1e4e56a0c82
Opcode Fuzzy Hash: 072d5fd0c72d2952b0cce73637c1232c1750a199c9c8f9fcea5bdc6bf7c14133
Instruction Fuzzy Hash: BA5146B09003499FDB54DFAAD948BAEBBF5FF48304F208459E409B72A0D734A984CB65

Function 06592870 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 065928EE
GetCurrentThread.KERNEL32 ref: 0659292B
GetCurrentProcess.KERNEL32 ref: 06592968
GetCurrentThreadId.KERNEL32 ref: 065929C1

Memory Dump Source

Source File: 00000003.00000002.4464222370.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6590000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c99e4b9a4315e53bcdcae10784df3ef0bcb1c7103195502b4333bb617ecbbcd5
Instruction ID: 23ee1e947891bae217df43bb9e55e43df8e068087387362d940a115226e9d316
Opcode Fuzzy Hash: c99e4b9a4315e53bcdcae10784df3ef0bcb1c7103195502b4333bb617ecbbcd5
Instruction Fuzzy Hash: 3A5146B09002499FDB54DFA9D948BAEBBF5FF48314F208459E409B73A0D734A984CF65

Function 065A9218 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$jq, xrefs: 065A9288
$jq, xrefs: 065A92CF
$jq, xrefs: 065A9294
$jq, xrefs: 065A92C3

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq
API String ID: 0-2428501249
Opcode ID: e61240a3e64af92c8b0957258ef57f87160cb6ba098db13fb9d4c686706b4f17
Instruction ID: 05042699e4c43f120a09b3f6f02d05f0a96765a2c3e6b4050eba6748b80cd6d5
Opcode Fuzzy Hash: e61240a3e64af92c8b0957258ef57f87160cb6ba098db13fb9d4c686706b4f17
Instruction Fuzzy Hash: 76917F30B1061A8FDF98DF78D9507AEB3B6BF85200F108569D809EB358EA35ED45CB90

Function 065ACFF8 Relevance: 4.6, Strings: 3, Instructions: 806
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$jq, xrefs: 065AD3EF
$jq, xrefs: 065AD3F7
$jq, xrefs: 065AD403

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq
API String ID: 0-3696375380
Opcode ID: 51f3ff288243f00d89b8f5d4c5244415ae0ab7a37b89e1df35e6379572f66849
Instruction ID: 39f85fef4fb380f3632e8459d18e12fa33ab85cc8357d0ca7550c5b6c10bb96d
Opcode Fuzzy Hash: 51f3ff288243f00d89b8f5d4c5244415ae0ab7a37b89e1df35e6379572f66849
Instruction Fuzzy Hash: 4A623130A006068FCB55EF68E690A9DB7B6FF84300F248A69D4059F769DB75ED46CF80

Function 065A4C40 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPoq, xrefs: 065A4D6D
foq, xrefs: 065A534D
\Ooq, xrefs: 065A4DF7

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: foq$XPoq$\Ooq
API String ID: 0-3137531485
Opcode ID: 2af388a33f610714c49095f1ca39e1cb92a08316dec830b9c91239ce9ed1bfc8
Instruction ID: e1d0f61f76fff7a87f6fe42769049551e8e38a32263293a4794e09a15bfff865
Opcode Fuzzy Hash: 2af388a33f610714c49095f1ca39e1cb92a08316dec830b9c91239ce9ed1bfc8
Instruction Fuzzy Hash: 21617170F002099FEB549FA5C855BAEBBF6FF88300F20842AD10AAB395DA758D45DB51

Function 065A9208 Relevance: 2.7, Strings: 2, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$jq, xrefs: 065A9288
$jq, xrefs: 065A92C3

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: 0ef40a57ea122c6d9782b8c703af0f8f4219df5bfd5e6b9cf5b718f6409be799
Instruction ID: 8d58985fdb1468919cb7f7514caf68ae7e2cc3d166810217dd70e210172f7b94
Opcode Fuzzy Hash: 0ef40a57ea122c6d9782b8c703af0f8f4219df5bfd5e6b9cf5b718f6409be799
Instruction Fuzzy Hash: 6D514D30B142169FDF98DB78D950AAE77BAFBC5200F14856AD809DB358EA35AC418B90

Function 0659AEF0 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0659B156

Memory Dump Source

Source File: 00000003.00000002.4464222370.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6590000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f0dbc5eb0c13898a21387aecf9486bab1520f92dee23a62b0c53fe2438910a8e
Instruction ID: d990e826d6ba90bea6592760f2e9c79100743d15d258415b655315d9adc8d0d5
Opcode Fuzzy Hash: f0dbc5eb0c13898a21387aecf9486bab1520f92dee23a62b0c53fe2438910a8e
Instruction Fuzzy Hash: 688144B0A00B058FEB64DF6AD54475ABBF5FF88204F108A2ED49AD7A50D775E805CFA0

Function 0269EAC1 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4459434333.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2690000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c944680d9ae4eb99d5847727aa451abdf04878b64484bc1a8826a4a5cd2f8d40
Instruction ID: c7d37c8c4bb62c751843656c00ab0723d5a9202c3db9c6bebc2ead42435f68e9
Opcode Fuzzy Hash: c944680d9ae4eb99d5847727aa451abdf04878b64484bc1a8826a4a5cd2f8d40
Instruction Fuzzy Hash: F8413171D043999FCB15DF69D8046AEBBF9AF89310F04856BD908A7341EB78A840CBE1

Function 0659D0C4 Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0659D1E2

Memory Dump Source

Source File: 00000003.00000002.4464222370.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6590000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 697d509977faac51b6945d79ed1fbba3b4f28bd5e50865330c0d53e2d1690f4e
Instruction ID: c11a0611e85dd412db0ad661cd343711ccf5dec80ebb361c8d4a88ae3804effb
Opcode Fuzzy Hash: 697d509977faac51b6945d79ed1fbba3b4f28bd5e50865330c0d53e2d1690f4e
Instruction Fuzzy Hash: 9151B1B1D003499FDF14CF99D984ADEBBF5BF49310F24862AE818AB210D7749985CF90

Function 0659D0D0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0659D1E2

Memory Dump Source

Source File: 00000003.00000002.4464222370.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6590000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6b8f415853aeff34619735d9b5fb7233228810613207e8159f0c65aaeaab43cf
Instruction ID: 3c0e4b5ce04eb65868a8f1f5cad048915aadaa4b2993f1cb96b9efba4829da7c
Opcode Fuzzy Hash: 6b8f415853aeff34619735d9b5fb7233228810613207e8159f0c65aaeaab43cf
Instruction Fuzzy Hash: B141B2B1D003499FDF14CF99C984ADEBBB5FF49310F24862AE818AB210D7759885CF90

Function 0659A5BC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0659F8E1

Memory Dump Source

Source File: 00000003.00000002.4464222370.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6590000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 64306c8153560d9c9e4657f4446edfe05f275c0b9373311a320b8a617f2040fe
Instruction ID: ef0b35167ed54546ed2c0121f6cbd5401b59601f178551fa6ffd92590e1de9c2
Opcode Fuzzy Hash: 64306c8153560d9c9e4657f4446edfe05f275c0b9373311a320b8a617f2040fe
Instruction Fuzzy Hash: FC410BB5900309DFDB54DF99C888AAABBF5FF88314F24C859D519AB321D774A841CFA0

Function 06592AB0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06592B3F

Memory Dump Source

Source File: 00000003.00000002.4464222370.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6590000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2e1d76a01ec7d9d395f51f5f96ec224e1cb8ee7958999fa1a1630778dfb12355
Instruction ID: 87350469f43808c808d028daa4ff12bf442ecb7b3d06a4f36c9ab428a26a9351
Opcode Fuzzy Hash: 2e1d76a01ec7d9d395f51f5f96ec224e1cb8ee7958999fa1a1630778dfb12355
Instruction Fuzzy Hash: 1F21E4B5D00248AFDB10CFAAD584AEEBBF5FB48310F14841AE918A7350D378A940CFA0

Function 06592AB8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06592B3F

Memory Dump Source

Source File: 00000003.00000002.4464222370.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6590000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e2563b318568f7b39a1881de5d68704f20e55a1fa6c7181f195fd39947a2c702
Instruction ID: 6b46ef3e3e21dceb0e55ae19a7e2effa694ab6a62ad002cb0638e26eddd48742
Opcode Fuzzy Hash: e2563b318568f7b39a1881de5d68704f20e55a1fa6c7181f195fd39947a2c702
Instruction Fuzzy Hash: AA21C4B5D00248AFDB10CF9AD984ADEFBF9FB48310F14841AE918A7350D378A944CFA5

Function 0659A2F8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0659B1D1,00000800,00000000,00000000), ref: 0659B3C2

Memory Dump Source

Source File: 00000003.00000002.4464222370.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6590000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 972a6ba3d353a06a99586d311e5ccfc2785ead01edd6abe523ca3a00d854b218
Instruction ID: d2fd370073c6c42cc5ba7f811dab65db3474decacde4281f242af03be6f5f140
Opcode Fuzzy Hash: 972a6ba3d353a06a99586d311e5ccfc2785ead01edd6abe523ca3a00d854b218
Instruction Fuzzy Hash: E611E4B6D003499FEB10DFAAD444A9EFBF4FB88310F14842ED519A7600C379A545CFA5

Function 0659B352 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0659B1D1,00000800,00000000,00000000), ref: 0659B3C2

Memory Dump Source

Source File: 00000003.00000002.4464222370.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6590000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e78242b23bb41d09104c3bfaf2b956b8953414f9c9a74261c2de4e003d199c39
Instruction ID: adc4dc7e8e63e0a8fdd790f84f2f8f3bd11cc9719e0ed9c1c1ded20ec4f52737
Opcode Fuzzy Hash: e78242b23bb41d09104c3bfaf2b956b8953414f9c9a74261c2de4e003d199c39
Instruction Fuzzy Hash: 611112B6C003099FDB20DFAAD844A9EFBF8FB88310F10842ED519A7200C379A545CFA4

Function 0269EBA8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0269EC0F

Memory Dump Source

Source File: 00000003.00000002.4459434333.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2690000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 05f1563632c33df9bb735aec26411846bc69be7cb08ebbfcd29cc3648b363c96
Instruction ID: 03a356b112907172cb711b2400610a16fce3921f9f577ae884a230fe4c27aa20
Opcode Fuzzy Hash: 05f1563632c33df9bb735aec26411846bc69be7cb08ebbfcd29cc3648b363c96
Instruction Fuzzy Hash: 4E11EFB1C006599FCB10DF9AC544AAEFBF8FF48320F14856AD818A7240D778A944CFA5

Function 0659B0F0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0659B156

Memory Dump Source

Source File: 00000003.00000002.4464222370.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6590000_Quotation_#432768#_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f4f6b8ce3e795fe63764312c02746f0314a23fb8b84ddc19b5eadf836a2359d7
Instruction ID: f70a874cdfa5e7996c47e44f450e9318b9d6d9f2a095d8c7caa2b3723cad36f3
Opcode Fuzzy Hash: f4f6b8ce3e795fe63764312c02746f0314a23fb8b84ddc19b5eadf836a2359d7
Instruction Fuzzy Hash: 0A11DFB5C002498FDB10DF9AD844A9EFBF4FB89210F14842AD429A7210D379A545CFA5

Function 065A4C30 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

XPoq, xrefs: 065A4D6D

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: XPoq
API String ID: 0-2250694691
Opcode ID: 61da4a651ff84e50eeb4dd39ee6be14d14b58cc5fbe6c83e4583cdbbbc04588f
Instruction ID: 7f7f71deffcc8ed86222aa92da31e3145cf2a2fb1c649484729c5cab48803d2a
Opcode Fuzzy Hash: 61da4a651ff84e50eeb4dd39ee6be14d14b58cc5fbe6c83e4583cdbbbc04588f
Instruction Fuzzy Hash: FD414E70B002089FDB55DFA5C815BAEBAF6FF88700F20C52AE506AB395DA758C05DB91

Function 065ADB6D Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

PHjq, xrefs: 065ADCC9

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: PHjq
API String ID: 0-751881793
Opcode ID: 351e906f14526770965a6f539b4e9bd590d923c8b0600d4d551a18668bdbb00b
Instruction ID: 7bdbba8a1462cdc993e48b9ee794f7acc38945f133facab8d3320bb0c9f92738
Opcode Fuzzy Hash: 351e906f14526770965a6f539b4e9bd590d923c8b0600d4d551a18668bdbb00b
Instruction Fuzzy Hash: FE418070E003099FDF54EF65D99469EBBB6BF85300F248629E405EB650EBB4D846CF90

Function 065A2290 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHjq, xrefs: 065A23CB

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: PHjq
API String ID: 0-751881793
Opcode ID: 92068cbdec9ed0b01894e43fb31685c7300012aaa9502757a7684c2233619cb6
Instruction ID: a0136497c985cf0388327db8c7d5070666976a1b562a95393429021d21b71a94
Opcode Fuzzy Hash: 92068cbdec9ed0b01894e43fb31685c7300012aaa9502757a7684c2233619cb6
Instruction Fuzzy Hash: 1931BE30B002058FCB59AB34D95576F7BA6BF8A300F288469D406DB395DF75DE4ACB90

Function 065A6AE0 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2b31638f30a6e4a25bcee162422ce769e76d8fce08e2b76585e6ae0ad99d7d
Instruction ID: 099643551677931f9003e2406e13e09c0093403085d0085ade624439fe20143f
Opcode Fuzzy Hash: 3c2b31638f30a6e4a25bcee162422ce769e76d8fce08e2b76585e6ae0ad99d7d
Instruction Fuzzy Hash: 79029C34B002048FDB54DB68D954AAEB7F6FF88314F188869E41AAB395DB35ED45CF80

Function 065A62B8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3fda67319dbddb2ba87c867b7b0963f3b0bbff0377311ba3dd1b0fb8005228b
Instruction ID: 54fd86f45047666d74a4eccccec48e98325f81acc73d73058fc885de077be4df
Opcode Fuzzy Hash: e3fda67319dbddb2ba87c867b7b0963f3b0bbff0377311ba3dd1b0fb8005228b
Instruction Fuzzy Hash: CE619371F002114BDF549A6DC88466EBADBEFC4610B594439E80ADB378DE75DD0287D1

Function 065A4690 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7decb1b204139171ea05433ca97c3232cc2b26f509e84ec09c9a5013614b2ec9
Instruction ID: 494f78f538de0ab443f8de2a81f6ee35b885fc5ebd0272d90a674f2c43cf2d87
Opcode Fuzzy Hash: 7decb1b204139171ea05433ca97c3232cc2b26f509e84ec09c9a5013614b2ec9
Instruction Fuzzy Hash: 87915E30E102198FDF60DFA8C950B9DB7B1FF89310F208699D549AB295DB70AA85CF91

Function 065A4385 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3ae95d01ea745183911ad364127a919dc1a6b961645c216b1cd5d016e0be3b
Instruction ID: 353e4230b18972cb80dc4a2fbc8090052e454082d7c10e5259a25bf05ac67606
Opcode Fuzzy Hash: bd3ae95d01ea745183911ad364127a919dc1a6b961645c216b1cd5d016e0be3b
Instruction Fuzzy Hash: DA811C30B006098FDF54DFA8D5546AEB7F6BF89300F248569D40AEB398EB74EC468B51

Function 065A46A8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528f16888c558aaa732e063d2b0909d35e983ca867e4c3fc3ec48563ea61cc2f
Instruction ID: 67c3bf7be1b0fda1c3dde129952b0107bef1f1396f8e7a0c93dab5129ca498ad
Opcode Fuzzy Hash: 528f16888c558aaa732e063d2b0909d35e983ca867e4c3fc3ec48563ea61cc2f
Instruction Fuzzy Hash: 5B914D30E102198FDF60DFA8C990B9DB7B1FF89300F208599D549AB355DB70AA85CF91

Function 065AEBD8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f451cd43d08783369e67cc6ef5899b886e7b45ab9f823f309c9a6b7ca071473e
Instruction ID: 10d3a2fc7bd4404576d5e161780a46ead6a0595aed364ef1a3aa849d1c807355
Opcode Fuzzy Hash: f451cd43d08783369e67cc6ef5899b886e7b45ab9f823f309c9a6b7ca071473e
Instruction Fuzzy Hash: 24712B30A002099FDB54DFA9D991A9EBBF6FF84300F248429E419EB365DB30ED46DB50

Function 065AFC60 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2415b56c510affb19054b9041c90193667e3cca44c957592be3f27087174a8
Instruction ID: 1048868a2571aa0e4d6c236dc28048884b3dcd997e4eddd88a60f5bb7a3fbfba
Opcode Fuzzy Hash: 0c2415b56c510affb19054b9041c90193667e3cca44c957592be3f27087174a8
Instruction Fuzzy Hash: B051E131F01206DFDFA4AB78E8546AEBBB2FF85315F208869E506D7250DB319845CB90

Function 065AFA11 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21e75c4c24c0ca72fa41155d63d55838672ad8c97cca470e436ade2873151a9
Instruction ID: 418c9cf67e62c4e3f589bc793839cf0284dbccb6c8d90359eebd9e5cc0acb105
Opcode Fuzzy Hash: e21e75c4c24c0ca72fa41155d63d55838672ad8c97cca470e436ade2873151a9
Instruction Fuzzy Hash: C551F870B503188FEF64666CD954B6F275FE789310F10492AE40AC73E9DA7CCC058BA1

Function 065AFA20 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3987a771092a539b8e379d47d003302003c42df9c80a6d350cfbb6fea4b7cc
Instruction ID: c0d2654697b87d0f3345ec12032b77f5d1764e9c8b2072f82327cf0d35db27bf
Opcode Fuzzy Hash: 8e3987a771092a539b8e379d47d003302003c42df9c80a6d350cfbb6fea4b7cc
Instruction Fuzzy Hash: 9951E770B503088FEF64666CD95472F365FEB89310F204929E50AC73E9DA7CCC458BA2

Function 065A54E9 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c1bf87945466e809bad5d0a44b43de62d2714c72cc79379a4b6a9733a03032
Instruction ID: 2613ce5b1d3aa83710887aa742a76f90cd45ddf264e28c9ed15e6803e8a0733f
Opcode Fuzzy Hash: 75c1bf87945466e809bad5d0a44b43de62d2714c72cc79379a4b6a9733a03032
Instruction Fuzzy Hash: C8414071E007099FDF60CFA9D880AAFF7B6FB99310F10492AD216D7650E631E8458F91

Function 065ADA20 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eac6dbf6ee264d462f5e8c2ce1868c9b07064560ff4b8e400ccc9795dcec13d
Instruction ID: 0976189f253f8fffac558f5069f2e4919773d3ae1479e966f21e024e5d64fa21
Opcode Fuzzy Hash: 8eac6dbf6ee264d462f5e8c2ce1868c9b07064560ff4b8e400ccc9795dcec13d
Instruction Fuzzy Hash: 7B317430E1070A9FDB14DF64D980ADEBBBAFF85304F108A29E405AB754DB71E946CB90

Function 065AAFE0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b1d41c5d9e66327e404a7fbeb63db9196fd1c01330624488abc1c6bddf1a8f
Instruction ID: 251cc83455782ee0dffbf33a1d4fedcd06c220876fec04d0679b40b8ec06eab9
Opcode Fuzzy Hash: b0b1d41c5d9e66327e404a7fbeb63db9196fd1c01330624488abc1c6bddf1a8f
Instruction Fuzzy Hash: F5317C31E1031A8BEF64DFA9D9406EEBBB5FF85314F10892AD819EB200D771A945CBC0

Function 065A2143 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5a1e7f49eda2e81bc261d96752994637895e0b20fc4ef60fc53a51d5e3b6c2
Instruction ID: f182f70527614acab1623c94b6a764cf32ddaae9bb96d0d51e544d494046a589
Opcode Fuzzy Hash: 6a5a1e7f49eda2e81bc261d96752994637895e0b20fc4ef60fc53a51d5e3b6c2
Instruction Fuzzy Hash: E6318D30E102099FDB19CF64D995AAEB7B6BF89300F10C529E916EB354DB71ED82CB50

Function 065A214B Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569391fab73bea7492b39163adb2decc73d893317a16377d30b5cdd519132ba4
Instruction ID: fa23099a7c6af001d356e1699d0d7645fd9a2d589e5f147169f6238565b0def2
Opcode Fuzzy Hash: 569391fab73bea7492b39163adb2decc73d893317a16377d30b5cdd519132ba4
Instruction Fuzzy Hash: 59318D30E102099BDB19CF64D995AAEB7B6BF89300F10C529E916EB354DB71ED82CB50

Function 065A2150 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7294cef9fca0cb0d1dd61b5f98070a335f955b6dd0a549667544366ad8a21ff
Instruction ID: 38d85c84ee185a8663ccdbbc0399482d1e937a1798c260c3dd7e7a1ade692ebd
Opcode Fuzzy Hash: b7294cef9fca0cb0d1dd61b5f98070a335f955b6dd0a549667544366ad8a21ff
Instruction Fuzzy Hash: 01319C30E102099BCB19CFA4D995AAEB7F2BF89300F10C529E916EB354DB71ED42CB50

Function 065A5668 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56994706a20727a4893ae89aa1340ceb04324dd8e0543c05a1843a79c20c6c00
Instruction ID: 0262cc43a1c7a6ddf613d2228e8b58332bce9b1f2c68d60c4276241717bca6b0
Opcode Fuzzy Hash: 56994706a20727a4893ae89aa1340ceb04324dd8e0543c05a1843a79c20c6c00
Instruction Fuzzy Hash: 7E21A175E003018FDF708AA9D880B7EBBB2FB85360F20893AD55AD7281E635D841CB91

Function 065A3B71 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72192239c6ad039ec5b97addb07a2c5034b01d425b264639917ea21a846ec2fe
Instruction ID: d45b4ba6a0ae3d61759e1dcca6842347fa482cecc202b80f5d8b55a79e368917
Opcode Fuzzy Hash: 72192239c6ad039ec5b97addb07a2c5034b01d425b264639917ea21a846ec2fe
Instruction Fuzzy Hash: 4221AD74F016199FDB10CFB8E840AEEBBF5BB48310F148066E905E7354EB35D8818BA0

Function 065A3B80 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a955a33759bc79b486b09fd01b43cd5f9b2f42a38bc465d44817cdb773df45
Instruction ID: ecd04527ec5f0e491c4c12c69145d7536d8913dcf1651cd2598f518f8ed58d70
Opcode Fuzzy Hash: 04a955a33759bc79b486b09fd01b43cd5f9b2f42a38bc465d44817cdb773df45
Instruction Fuzzy Hash: 1C21A975F007199FDB44DFA9D980AAEBBF5FB48300F14816AE906E7354E735D8408B94

Function 00C8D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4459199546.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c8d000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2944d21cef8d4622a1e671b02fc324c6784e8b107efd4fbd3dd832ca05132807
Instruction ID: 65979768419a62523d6fa18c6ef6dca97af0779bd51289f4a61c91247a92e048
Opcode Fuzzy Hash: 2944d21cef8d4622a1e671b02fc324c6784e8b107efd4fbd3dd832ca05132807
Instruction Fuzzy Hash: E921F271504204EFCB14EF14D980F26BBA5FB84318F24C669D90A4B296C33AD846CB66

Function 00C8D005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4459199546.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c8d000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66214d95e2444df49f34dceb4e165d6a9ef2b5cb8c3d73e00d9ab488f05c4bf5
Instruction ID: f29b5e390a043297f183aa8954914daa07cb14f513a42b201f1db452b4014db1
Opcode Fuzzy Hash: 66214d95e2444df49f34dceb4e165d6a9ef2b5cb8c3d73e00d9ab488f05c4bf5
Instruction Fuzzy Hash: DD214B7110D3C09FCB039B24D994711BF71AB46214F29C5EBD8898F2A7C33A980ADB62

Function 065A3C90 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7976cca675fccfd7ab61af46dff9048993426bde90062ead56da4879cb946f10
Instruction ID: 9cc987416dd0e0663239b53cf8b827a69bd4d10b3ead74af14a80a713065b2ec
Opcode Fuzzy Hash: 7976cca675fccfd7ab61af46dff9048993426bde90062ead56da4879cb946f10
Instruction Fuzzy Hash: 2311E131B045258FCF949B68D9146AE73EBEBC8600F018479D506EB344EE34DC028BD0

Function 065AEE49 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9ae38f4845102a3e5ae2d0f80db38c18b285e8836361dc2194cce2b765016d
Instruction ID: c31c139779f31dce9eb636905781bcf043aebb2c679daca8211f5531bd761f2a
Opcode Fuzzy Hash: ad9ae38f4845102a3e5ae2d0f80db38c18b285e8836361dc2194cce2b765016d
Instruction Fuzzy Hash: 8A01F531B002515BDB66DB7CE891B2EB7DADBCA610F14C869E40ACB345DA24DC058792

Function 065AA3C8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae5d1f11eb115b8e7e7c610b520acd6958383685ce588938b415e3edfdc2faf0
Instruction ID: c2b19b8cfd6a538a7eaed3679e5e722b672330999ec2517dffad786f576719a1
Opcode Fuzzy Hash: ae5d1f11eb115b8e7e7c610b520acd6958383685ce588938b415e3edfdc2faf0
Instruction Fuzzy Hash: A4015230B007101FDB65EA78D854A6F77EAEBC6610F10C4AAF50ACB356DE15DC01C791

Function 065A3948 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b4a29f1bf48feee09e80f393009a78942be07c81a40a362313bba62f917996
Instruction ID: e87489a891894e3b98b14689ebdfe62f0ad11555f7a5c5f7e91778a0dcfc5bc6
Opcode Fuzzy Hash: b1b4a29f1bf48feee09e80f393009a78942be07c81a40a362313bba62f917996
Instruction Fuzzy Hash: 1B2108B5D01219AFCB10DF9AD984ADEFFB8FB48310F10862AE518A7200C374A544CFE5

Function 065A3C7F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11160d1f4cfbb974d8d592fae455aa83fc67536bb9aae580bf6a4bff5a0137bb
Instruction ID: 76f86de747bf711c0f93fa81a43294acb35b0b31daeceb8216c385d95e5bb1c8
Opcode Fuzzy Hash: 11160d1f4cfbb974d8d592fae455aa83fc67536bb9aae580bf6a4bff5a0137bb
Instruction Fuzzy Hash: 5A014731B141259BDF949668DC246EF37AFEBC5600F01403AE50AE7244FE648C028BE1

Function 065A3950 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915d159a12b6ec77a0169351db7cfb113c5bcf5738a2287312b23f5d985ffffe
Instruction ID: 997b83b4d08baed511f36c049261e26d0d2303a381e690cb5728a59783ffad6f
Opcode Fuzzy Hash: 915d159a12b6ec77a0169351db7cfb113c5bcf5738a2287312b23f5d985ffffe
Instruction Fuzzy Hash: DA11D3B1D01219AFCB00DF9AD984ADEFFB4FB49310F10812AE518A7200C374A544CFA5

Function 065A42E0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3471a7d588fa59b996e81828a11dd85b3515eab32db905b3b8dea59097d96956
Instruction ID: 1b9ef74f1fb6860f5226dbf6adcdb7d2ddfcd0a4cba895770c84df91eb6085ae
Opcode Fuzzy Hash: 3471a7d588fa59b996e81828a11dd85b3515eab32db905b3b8dea59097d96956
Instruction Fuzzy Hash: 1E018131B001101BDB64D6BDD85076FA3DAEBC9721F10C43AE10EC7355EEA5EC424795

Function 065AEE58 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6d51a3e7e5cfcc995c1e5672669e2cec1e9708f30bd6a4d4b7cdc3c2d15194
Instruction ID: c8393b950ed8e5fe38b0e2fde7442be4610364e205d3609a6671169769fafb03
Opcode Fuzzy Hash: ab6d51a3e7e5cfcc995c1e5672669e2cec1e9708f30bd6a4d4b7cdc3c2d15194
Instruction Fuzzy Hash: C601AF31B101111BDBA5967DE851B2FA3DAEBC9A20F10C839E50ECB384DE25DC025791

Function 065AA3D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ce01470c5577816a2df42cd9fb456a30cb02c1d64cbaa55baa3b6ac41dafda
Instruction ID: ab48a680be829dd7c0c081c92f3d95dbd541596a6544732f330be2a6314b6aa0
Opcode Fuzzy Hash: 78ce01470c5577816a2df42cd9fb456a30cb02c1d64cbaa55baa3b6ac41dafda
Instruction Fuzzy Hash: B3013130B006155BDB65EA7CE85471F73EAEB89620F108479F60ACB354EE26EC01CB91

Function 065A6539 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3dd4feb603fb13ee7121a2581454ffebd3245a1959d1d9d322028f8017ed5e3
Instruction ID: bdd0cfbcbaea8ff408996f748c3744503bb2a0ce5a2df4c260603b634e4316f0
Opcode Fuzzy Hash: c3dd4feb603fb13ee7121a2581454ffebd3245a1959d1d9d322028f8017ed5e3
Instruction Fuzzy Hash: 22E09AB0E24309ABDF50CA70C90975E7AADE746204F6489B6E808C7142F17ACE018B90

Non-executed Functions

Function 065A7760 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$jq, xrefs: 065A7885
$jq, xrefs: 065A7C42
$jq, xrefs: 065A7879
$jq, xrefs: 065A7C36
$jq, xrefs: 065A78B6
$jq, xrefs: 065A7CE1
$jq, xrefs: 065A7CD5
$jq, xrefs: 065A7CF7
$jq, xrefs: 065A7CEB
$jq, xrefs: 065A78AA

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-3810553869
Opcode ID: aa328c6923a2c2520b99237a274ac6fa90f877d336c9e56c82e406670f0b09b7
Instruction ID: b9df97cc8812419b2bca75556a0ed234065b93bf20f76549daac0d2c01fc502e
Opcode Fuzzy Hash: aa328c6923a2c2520b99237a274ac6fa90f877d336c9e56c82e406670f0b09b7
Instruction Fuzzy Hash: 5E123B34E007198FDB68DF65C954AAEB7B6FF88300F2085A9D40AAB364DB359D45CF90

Function 065AAD90 Relevance: 10.3, Strings: 8, Instructions: 317COMMON

Download Yara Rule

Strings

$jq, xrefs: 065AAF68
$jq, xrefs: 065AAF04
$jq, xrefs: 065AAF5C
$jq, xrefs: 065AAEBD
$jq, xrefs: 065AAEB1
$jq, xrefs: 065AAF10
$jq, xrefs: 065AAF3F
$jq, xrefs: 065AAF33

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-666546452
Opcode ID: ef7fd54107d9dc9b0acbf2f25cbdcee221dc97d3a0ae4424b276c96856faebac
Instruction ID: e944de54807cea17341858b34e14dce87cd1f153cc98915bcc777098979ff189
Opcode Fuzzy Hash: ef7fd54107d9dc9b0acbf2f25cbdcee221dc97d3a0ae4424b276c96856faebac
Instruction Fuzzy Hash: 40C15C30A103068FDB59EF65D9906AEB7B6FF89300F24896DD815AB358DB34DC46CB90

Function 065AA9F8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$jq, xrefs: 065AABB6
$jq, xrefs: 065AAB49
$jq, xrefs: 065AAAEE
$jq, xrefs: 065AAAFA
$jq, xrefs: 065AAB80
$jq, xrefs: 065AAB74
$jq, xrefs: 065AAB55
$jq, xrefs: 065AABAA

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-666546452
Opcode ID: b57a8441eb7f812e4afc64c520d8b609918a6adf8024f94a44aeb418eb0c0025
Instruction ID: fe99825ca32959c647956d8b4d2fe8671136014dc70eb3b2f910432cddc94b22
Opcode Fuzzy Hash: b57a8441eb7f812e4afc64c520d8b609918a6adf8024f94a44aeb418eb0c0025
Instruction Fuzzy Hash: FE913F30A403099FEB68DF64D954BAEBBF6FF84301F148529E806A7294DB749D45CF90

Function 065A7160 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$jq, xrefs: 065A7674
$jq, xrefs: 065A74A8
$jq, xrefs: 065A7442
$jq, xrefs: 065A749C
$jq, xrefs: 065A7668
$jq, xrefs: 065A75FC

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-3356825164
Opcode ID: 7ef98fff5a3927578feabf316349ce961a0ad2b21cf24de788d9cfa6d987eb9a
Instruction ID: 2c31e622100815e07b524165e469e55d32e066ecc8ce51681259e42e596fac28
Opcode Fuzzy Hash: 7ef98fff5a3927578feabf316349ce961a0ad2b21cf24de788d9cfa6d987eb9a
Instruction Fuzzy Hash: 2EF14E34A01208CFDB59EFA5D550A6EBBB7FF88300F248569D4069B369DB35AC42CF84

Function 065A8498 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$jq, xrefs: 065A86FE
$jq, xrefs: 065A86F2
$jq, xrefs: 065A8757
$jq, xrefs: 065A8763

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq
API String ID: 0-2428501249
Opcode ID: 7b91a7bcb565a32a1d28b595c9dcb967437e2d588f84e2f230fb91864d62afae
Instruction ID: e86fc69dff477c769ddec421eff8bbc8ac989d0553c089192deb4d3d8d06b821
Opcode Fuzzy Hash: 7b91a7bcb565a32a1d28b595c9dcb967437e2d588f84e2f230fb91864d62afae
Instruction Fuzzy Hash: 57B12D30E112198FDB58EF64D5906AEBBB6FF84310F248869D4069B3A5DF75DC86CB80

Function 065A88B0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRjq, xrefs: 065A89F2
LRjq, xrefs: 065A89A3
$jq, xrefs: 065A892F
$jq, xrefs: 065A893B

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: LRjq$LRjq$$jq$$jq
API String ID: 0-2974078839
Opcode ID: ee9e1f49ece87c6f7390d50f3759f20725ae0ba941bbed2972cd1d6673ebfa97
Instruction ID: ca3d84c241584f55a6c2c256fd696624841697cbf6d54cb23c089c0071e77e10
Opcode Fuzzy Hash: ee9e1f49ece87c6f7390d50f3759f20725ae0ba941bbed2972cd1d6673ebfa97
Instruction Fuzzy Hash: 50518030B002019FDB58EF78D990A6E77B6FF89310F1489A9E4159B3A9DB35EC44CB91

Function 065AAD82 Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

$jq, xrefs: 065AAF04
$jq, xrefs: 065AAF5C
$jq, xrefs: 065AAEB1
$jq, xrefs: 065AAF33

Memory Dump Source

Source File: 00000003.00000002.4464265884.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_65a0000_Quotation_#432768#_pdf.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq
API String ID: 0-2428501249
Opcode ID: 3460e3d530845a4f3de26249461bcb078e08b3096918a62ee458237926e941ee
Instruction ID: 69f416e5c62c804012b086c90be3a88290bc9a3429c646b8f5725b2e872e4cfc
Opcode Fuzzy Hash: 3460e3d530845a4f3de26249461bcb078e08b3096918a62ee458237926e941ee
Instruction Fuzzy Hash: C9519E34A113059FDF69EB64E580AAEB3B6FB89310F14896ED806AB354DB35DC41CF90

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quotation_#432768#_pdf.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation_#432768#_pdf.scr.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
Quotation_#432768#_pdf.scr.exe

Function 05486C50 Relevance: 8.5, Strings: 6, Instructions: 1042
COMMON

Function 010CCFD0 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Function 010CCFE0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 010CAD48 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 010C590C Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 010C44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 010CD629 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 010CD630 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 072B1F48 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 010CA0D0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 010CB1B9 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Function 065A3130 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre