Edit tour

Windows Analysis Report
rQuotation.exe

Overview

General Information

Sample name:	rQuotation.exe
Analysis ID:	1465511
MD5:	19c0bb3b7e9c41e5d47b78566e04d3de
SHA1:	ee19431fbe432dc27074a776c8d3cd1ee3f5f708
SHA256:	a60e8f372f54d47394a2091f56649707f1a0fffadb0afc3600f8ec103ff53d6e
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: RegAsm connects to smtp port

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rQuotation.exe (PID: 6476 cmdline: "C:\Users\user\Desktop\rQuotation.exe" MD5: 19C0BB3B7E9C41E5D47B78566E04D3DE)

conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7032 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7072 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 6188 cmdline: C:\Windows\system32\WerFault.exe -u -p 6476 -s 1120 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "terminal4.veeblehosting.com", "Username": "obimoney@xjyllc.com", "Password": "Ifeanyi1987@"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.2873010607.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2873010607.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2873010607.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2873010607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2871449833.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2871449833.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1793385325.000001912044B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1793385325.000001912044B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rQuotation.exe PID: 6476	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rQuotation.exe PID: 6476	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rQuotation.exe PID: 6476	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rQuotation.exe PID: 6476	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: RegAsm.exe PID: 7032	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7032	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rQuotation.exe.191205183b0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rQuotation.exe.191205183b0.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rQuotation.exe.191205183b0.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3244d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x324bf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32549:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x325db:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32645:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x326b7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3274d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x327dd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rQuotation.exe.19120553df8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rQuotation.exe.19120553df8.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rQuotation.exe.19120553df8.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3244d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x324bf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32549:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x325db:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32645:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x326b7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3274d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x327dd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rQuotation.exe.19120553df8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rQuotation.exe.19120553df8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rQuotation.exe.19120553df8.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rQuotation.exe.19120553df8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3424d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x342bf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34349:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x343db:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34445:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x344b7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3454d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x345dd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3424d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x342bf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34349:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x343db:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34445:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x344b7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3454d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x345dd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rQuotation.exe.191205183b0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rQuotation.exe.191205183b0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rQuotation.exe.191205183b0.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rQuotation.exe.191205183b0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3424d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fc95:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x342bf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fd07:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34349:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fd91:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x343db:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fe23:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34445:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6fe8d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x344b7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6feff:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3454d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ff95:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x345dd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x70025:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 13 entries

Sigma Signatures

Networking

Sigma detected: RegAsm connects to smtp port

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 108.170.55.203, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 7032, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "terminal4.veeblehosting.com", "Username": "obimoney@xjyllc.com", "Password": "Ifeanyi1987@"}

Multi AV Scanner detection for submitted file

Source: rQuotation.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rQuotation.exe PID: 6476, type: MEMORYSTR

Source: rQuotation.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.pdb/ source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.pdbp^y source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERFF7.tmp.dmp.7.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.rQuotation.exe.19120553df8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 108.170.55.203:587

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 108.170.55.203 108.170.55.203

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: SSASN2US SSASN2US

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 108.170.55.203:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: terminal4.veeblehosting.com

Source: RegAsm.exe, 00000003.00000002.2873010607.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: rQuotation.exe, 00000000.00000002.1793385325.000001912044B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2871449833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2873010607.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegAsm.exe, 00000003.00000002.2872288588.000000000130B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2873010607.0000000002F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0&
Source: RegAsm.exe, 00000003.00000002.2872288588.000000000130B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2877653014.0000000006370000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2873010607.0000000002F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000003.00000002.2873010607.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000003.00000002.2873010607.0000000002F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://terminal4.veeblehosting.com
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegAsm.exe, 00000003.00000002.2872288588.000000000130B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2871882555.0000000001240000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2877653014.0000000006377000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2873010607.0000000002F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegAsm.exe, 00000003.00000002.2872288588.000000000130B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2871882555.0000000001240000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2877653014.0000000006377000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2873010607.0000000002F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: rQuotation.exe, 00000000.00000002.1793385325.000001912044B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2871449833.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, SKTzxzsJw.cs	.Net Code: WnSI7AqB
Source: 0.2.rQuotation.exe.19120553df8.1.raw.unpack, SKTzxzsJw.cs	.Net Code: WnSI7AqB

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.rQuotation.exe.191205183b0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rQuotation.exe.19120553df8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rQuotation.exe.19120553df8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: rQuotation.exe

Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00007FFD9B89CB84	0_2_00007FFD9B89CB84
Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00007FFD9B89AB20	0_2_00007FFD9B89AB20
Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00007FFD9B8A0359	0_2_00007FFD9B8A0359
Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00007FFD9B89D349	0_2_00007FFD9B89D349
Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00007FFD9B895D85	0_2_00007FFD9B895D85
Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00007FFD9B8914ED	0_2_00007FFD9B8914ED
Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00007FFD9B890508	0_2_00007FFD9B890508
Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00007FFD9B970050	0_2_00007FFD9B970050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D84AC0	3_2_02D84AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D83EA8	3_2_02D83EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D8EDE0	3_2_02D8EDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D8AD10	3_2_02D8AD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D841F0	3_2_02D841F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0679C480	3_2_0679C480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0679AE5C	3_2_0679AE5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_06815680	3_2_06815680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_06816698	3_2_06816698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_06812428	3_2_06812428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0681B2D8	3_2_0681B2D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_06817E20	3_2_06817E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_06817740	3_2_06817740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0681E448	3_2_0681E448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_06810040	3_2_06810040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_06815D98	3_2_06815D98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_06810007	3_2_06810007

Source: C:\Users\user\Desktop\rQuotation.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6476 -s 1120

Source: rQuotation.exe

Static PE information: No import functions for PE file found

Source: rQuotation.exe, 00000000.00000000.1628351170.000001910E582000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUzufiterexoci2 vs rQuotation.exe
Source: rQuotation.exe, 00000000.00000002.1793385325.000001912044B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename5ffba3ae-11a9-4054-a8dd-57e8bc621827.exe@ vs rQuotation.exe
Source: rQuotation.exe	Binary or memory string: OriginalFilenameUzufiterexoci2 vs rQuotation.exe

Source: 0.2.rQuotation.exe.191205183b0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rQuotation.exe.19120553df8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rQuotation.exe.19120553df8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@7/5@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6476

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d4749ba5-1e48-4ebf-8b28-6926bb25339b

Jump to behavior

Source: rQuotation.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rQuotation.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rQuotation.exe

ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\rQuotation.exe

File read: C:\Users\user\Desktop\rQuotation.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rQuotation.exe "C:\Users\user\Desktop\rQuotation.exe"
Source: C:\Users\user\Desktop\rQuotation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rQuotation.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\rQuotation.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\rQuotation.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6476 -s 1120
Source: C:\Users\user\Desktop\rQuotation.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\rQuotation.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: rQuotation.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rQuotation.exe

Static file information: File size 1876079 > 1048576

Source: rQuotation.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: rQuotation.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.pdb/ source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.pdbp^y source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WERFF7.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERFF7.tmp.dmp.7.dr

Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00007FFD9B8A5880 push edx; retf	0_2_00007FFD9B8A59DB
Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00007FFD9B89C42A pushad ; retf	0_2_00007FFD9B89C449
Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00007FFD9B8994A8 pushad ; retf 5F4Eh	0_2_00007FFD9B89B4FD
Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00007FFD9B970050 push esp; retf 4810h	0_2_00007FFD9B970312

Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: rQuotation.exe PID: 6476, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rQuotation.exe, 00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: rQuotation.exe, 00000000.00000002.1793385325.000001912044B000.00000004.00000800.00020000.00000000.sdmp, rQuotation.exe, 00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2873010607.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2871449833.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\rQuotation.exe	Memory allocated: 1910E8B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Memory allocated: 19128270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4EA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1203			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3865			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5740	Thread sleep count: 1203 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5740	Thread sleep count: 3865 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -99657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -99420s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -98969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -98844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -98735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -98610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -98499s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -98375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -98266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -98141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -97922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -97813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -97688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -97572s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -97344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -97232s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5460	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99420	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97572	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97232	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: rQuotation.exe, 00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: rQuotation.exe, 00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: rQuotation.exe, 00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: rQuotation.exe, 00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: rQuotation.exe, 00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000003.00000002.2877653014.0000000006377000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: rQuotation.exe, 00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: RegAsm.exe, 00000003.00000002.2871449833.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: rQuotation.exe, 00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: rQuotation.exe, 00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: RegAsm.exe, 00000003.00000002.2871449833.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: rQuotation.exe, 00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: rQuotation.exe, 00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_02D870A0 CheckRemoteDebuggerPresent,

3_2_02D870A0

Source: C:\Users\user\Desktop\rQuotation.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: rQuotation.exe, -------.cs	Reference to suspicious API methods: GetProcAddress(_0EBE_EEF9_EE7E_061C_EE8F_06DE, _EE1B_EE1E_EE20_EEBD_0657_EEBD_EEBE_065C)
Source: rQuotation.exe, -------.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (uint)_0607_EEE8_EE71_064C_EE22_EE04_EE00_EE29_EE61_EC87.Length, 64u, out var _0E73_ECBE_EC95_EED2_EEF9)
Source: rQuotation.exe, -------.cs	Reference to suspicious API methods: LoadLibrary(_08FB_EEB3_EC9A_EE6E_EE01_EED9_EC8E_EEF1_065E_0606_EE38_EE23_ECB1_EE7E_EC89_EC76_ECB7_0E6A_EECF(_EEA7_EED4_EE72._EEF7_0654_0E66_EEE9_EEF2_06E0_0606_EE98_06D8_EC87_EEEA_08EC))
Source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, zOS.cs	Reference to suspicious API methods: _120HqGy.OpenProcess(_2pIt.DuplicateHandle, bInheritHandle: true, (uint)iVE.ProcessID)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\rQuotation.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rQuotation.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: FB3008	Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"			Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Users\user\Desktop\rQuotation.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.rQuotation.exe.191205183b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rQuotation.exe.19120553df8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rQuotation.exe.19120553df8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2873010607.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2873010607.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2873010607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2871449833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1793385325.000001912044B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rQuotation.exe PID: 6476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7032, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.rQuotation.exe.191205183b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rQuotation.exe.19120553df8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rQuotation.exe.19120553df8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2873010607.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2871449833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1793385325.000001912044B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rQuotation.exe PID: 6476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7032, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.rQuotation.exe.191205183b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rQuotation.exe.19120553df8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rQuotation.exe.19120553df8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rQuotation.exe.191205183b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2873010607.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2873010607.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2873010607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2871449833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1793385325.000001912044B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rQuotation.exe PID: 6476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7032, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	211 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	1 Credentials in Registry	541 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	261 Virtualization/Sandbox Evasion	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	211 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rQuotation.exe	18%	ReversingLabs

Source	Detection	Scanner	Label
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://terminal4.veeblehosting.com	0%	Avira URL Cloud	safe
http://r3.i.lencr.org/0&	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true		unknown
terminal4.veeblehosting.com	108.170.55.203	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://terminal4.veeblehosting.com	RegAsm.exe, 00000003.00000002.2873010607.0000000002F04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	rQuotation.exe, 00000000.00000002.1793385325.000001912044B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2871449833.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	RegAsm.exe, 00000003.00000002.2872288588.000000000130B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2871882555.0000000001240000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2877653014.0000000006377000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2873010607.0000000002F04000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	RegAsm.exe, 00000003.00000002.2872288588.000000000130B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2871882555.0000000001240000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2877653014.0000000006377000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2873010607.0000000002F04000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	RegAsm.exe, 00000003.00000002.2873010607.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r3.o.lencr.org0	RegAsm.exe, 00000003.00000002.2872288588.000000000130B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2877653014.0000000006370000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2873010607.0000000002F04000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000003.00000002.2873010607.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	rQuotation.exe, 00000000.00000002.1794857203.0000019129B62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r3.i.lencr.org/0&	RegAsm.exe, 00000003.00000002.2872288588.000000000130B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2873010607.0000000002F04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
108.170.55.203	terminal4.veeblehosting.com	United States		20454	SSASN2US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465511
Start date and time:	2024-07-01 18:42:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rQuotation.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@7/5@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 87% Number of executed functions: 80 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: rQuotation.exe

Simulations

Behavior and APIs

Time	Type	Description
12:43:00	API Interceptor	25x Sleep call for process: RegAsm.exe modified
12:43:11	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	8f5WsFcnTc.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	ZkqNrYh5cV.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	rQoutation.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	yVtOz1fD5G.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	8w5wHh755H.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	001 Tech. Spec pdf.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	doc -scan file.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	COTIZACI#U00d3N________________________pdf.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	doc20240625-00073.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
108.170.55.203	Quotation.exe	Get hash	malicious	AgentTesla	Browse
	y8116vE0F0.exe	Get hash	malicious	AgentTesla	Browse
	INQUIRY.exe	Get hash	malicious	AgentTesla	Browse
	PURCHASE ORDER No. 4500148605.exe	Get hash	malicious	AgentTesla	Browse
	Your file name without extension goes here.exe	Get hash	malicious	AgentTesla	Browse
	RFQ 030-02052024 LB.exe	Get hash	malicious	AgentTesla	Browse
	Your file name without extension goes here.exe	Get hash	malicious	AgentTesla	Browse
	QUOTATION.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.FileRepMalware.27177.7318.exe	Get hash	malicious	AgentTesla	Browse
	FW URGENT RFQ-400098211.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
terminal4.veeblehosting.com	Quotation.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.203
	Your file name without extension goes here.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.202
	R9eF05c3nd.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.202
	y8116vE0F0.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.203
	INQUIRY.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.203
	PURCHASE ORDER No. 4500148605.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.203
	Your file name without extension goes here.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.203
	RFQ 030-02052024 LB.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.203
	Your file name without extension goes here.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.203
	rQUOTATION.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.202
ip-api.com	8f5WsFcnTc.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ZkqNrYh5cV.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rQoutation.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	yVtOz1fD5G.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	8w5wHh755H.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	001 Tech. Spec pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	doc -scan file.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	COTIZACI#U00d3N________________________pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	doc20240625-00073.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	8f5WsFcnTc.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ZkqNrYh5cV.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rQoutation.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	yVtOz1fD5G.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	8w5wHh755H.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	001 Tech. Spec pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	doc -scan file.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	COTIZACI#U00d3N________________________pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	doc20240625-00073.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
SSASN2US	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	209.188.14.135
	Quotation.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.203
	Your file name without extension goes here.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.202
	ORDER060424.exe	Get hash	malicious	AgentTesla	Browse	184.95.55.27
	R9eF05c3nd.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.202
	y8116vE0F0.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.203
	INQUIRY.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.203
	PURCHASE ORDER No. 4500148605.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.203
	Your file name without extension goes here.exe	Get hash	malicious	AgentTesla	Browse	108.170.55.203
	lgX7lgUL1w.exe	Get hash	malicious	Neoreklami, PureLog Stealer, SmokeLoader	Browse	66.85.156.89

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rQuotation.exe_e4f27283d01878559fa8842b7cf5abf4516a719_5a22651d_971fdfdb-35fe-474f-9556-a675ed73134a\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0864548571164316
Encrypted:	false
SSDEEP:	192:f1Uu1A4Ta2l50UnU9aWBe3ZFlnG0/zuiF8Z24lO8QZC:CKA4T1YUnU9amwG2zuiF8Y4lO8Qs
MD5:	590AC8D3DBE0EA4E3E5DB0FC45EF852F
SHA1:	FEBB3587826A4C500D7C23940046CEF4F8AA193B
SHA-256:	A6FDD9F32243617D26D69055A8D32608C0733ED63FACBD0BF29F3572C9AA21EB
SHA-512:	595E0A4933A59C868DC4AFFA16D1289DBA4F5BD8C595E0B6CEF93FF86F366D775E26B46150D0946AB819F56C74423AC2EF9CD97A1FDC9381387A4CB804B7D2BE
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.3.2.5.7.7.8.9.9.1.3.7.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.3.2.5.7.7.9.9.2.8.8.8.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.1.f.d.f.d.b.-.3.5.f.e.-.4.7.4.f.-.9.5.5.6.-.a.6.7.5.e.d.7.3.1.3.4.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.b.b.b.c.3.a.-.e.a.8.7.-.4.8.a.9.-.8.c.b.d.-.a.7.6.5.8.b.1.3.5.6.7.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.Q.u.o.t.a.t.i.o.n...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.U.z.u.f.i.t.e.r.e.x.o.c.i.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.c.-.0.0.0.1.-.0.0.1.4.-.a.7.5.2.-.e.b.b.8.d.5.c.b.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.1.5.1.2.d.b.d.a.c.4.5.c.b.7.8.d.1.1.a.7.2.b.1.8.3.0.0.7.7.3.5.0.0.0.0.0.0.0.0.!.0.0.0.0.e.e.1.9.4.3.1.f.b.e.4.3.2.d.c.2.7.0.7.4.a.7.7.6.c.8.d.3.c.d.1.e.e.3.f.5.f.7.0.8.!.r.Q.u.o.t.a.t.i.o.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12E6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9056
Entropy (8bit):	3.712730037816931
Encrypted:	false
SSDEEP:	192:R6l7wVeJ6Fh36Y9kvMXQgmfhc6Jqrprw89btF/fYvm:R6lXJgh6YevMXQgmf2iut9f9
MD5:	CD2BE64F684FA418B19A30D6C2C42372
SHA1:	66DAD324A5106E222DFAC8E4E7539A7C20F3D173
SHA-256:	3F2BC4BD785497805573539B1CD4141D2E2540932FBB093645F479D3CD67C4B7
SHA-512:	E522D8F23E213402541BCBD4BA4A647C3C2717B87A36E2C0AB9B96D80934A9764B8E984B2C254A56D463977D3338F69E28DD4BF69EB97CC044E1298F40A62B0B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1316.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4766
Entropy (8bit):	4.509984019776081
Encrypted:	false
SSDEEP:	48:cvIwWl8zsoJg771I9FyWpW8VY2Ym8M4JyNAFE+xyq85iewL8Q4d:uIjfuI76T7ViJySxz/L34d
MD5:	A7F6DDA948900FF5577137109A2874E0
SHA1:	1A349CC6A82DFE67444C26AF757F08B7B0836F9D
SHA-256:	0EF568973EFB94CAECCE7E2E97EC7B8D0173CA74A9FEDEB4F972A98837F6C795
SHA-512:	F8DBF51E0FBAE2C61A3DAB88623E1CB7BC99D72A8AA82471FACAA4F9682BAB1DDF76C50F7167E4EE8783094F9FD9C57C5874D31EA2A33FECB137F0165FB7CDEF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="392145" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF7.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Mon Jul 1 16:42:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	475578
Entropy (8bit):	3.358458680323315
Encrypted:	false
SSDEEP:	3072:nq7nJwnXAz+yXx4WgcS59GbybN1CCq8FX3+vP8ZpUVT:ngJwyBGabiqI3Q0pU
MD5:	49E6B2F32E88FD8313E906A2C965346D
SHA1:	1EDBE563281B12AA4167717DF149ACBE2BFA6577
SHA-256:	E9846A120F860F04ECEC88F1625093F29A9F5B6F049B3CF3E6812F6F83D74F9C
SHA-512:	A364F979B4D1EB98A033BE936B040CCCF0F77B162C232A4591C42D6E6A22BDF5B22ED24F66521270608A49E381D2CC5F2B625FA8F668C2FE5DD5D481FEFC64BC
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........f............D...............d.......$...X...........\|........U..............l.......8...........T............,..............H=..........4?..............................................................................eJ.......?......Lw......................T.......L.....f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466036028196891
Encrypted:	false
SSDEEP:	6144:MIXfpi67eLPU9skLmb0b4FWSPKaJG8nAgejZMMhA2gX4WABl0uNYdwBCswSbt:xXD94FWlLZMM6YFH++t
MD5:	D1EF3C4149C81E8A234959367E90EA8F
SHA1:	1AD58F832F698D548EFF041B25188A912D116D7F
SHA-256:	0D6CDA027FC3F8AF05B5C1951D286CBA5FEB406459ED122D2DC6A51202A41250
SHA-512:	5F4F30A488258E00FEB271821357E1C80AF524F2DED57148366A6E7A94475932C01616C4085ABF414F076C2BEF59BAA3DF268A1C740D1BD49066A4E9883548BE
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.]..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.3677918797110635
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	rQuotation.exe
File size:	1'876'079 bytes
MD5:	19c0bb3b7e9c41e5d47b78566e04d3de
SHA1:	ee19431fbe432dc27074a776c8d3cd1ee3f5f708
SHA256:	a60e8f372f54d47394a2091f56649707f1a0fffadb0afc3600f8ec103ff53d6e
SHA512:	f93084699839ea5da8ad449490bc73ac0694f5a858b367ba25a1aa82f4900caa6b292d9ff8d1d8768ae3f9705e628446b3497168e4b06a129fc3862fa47b93cc
SSDEEP:	12288:iXTOt5ewyLVvhjH838znIkxg0B2jdtH+Ti1TDRckULP6pE+cz:iyefLdhjc38jIQg0B2ZHRnULi0
TLSH:	18951121BA67AE53FE9B1676E0D537F405FE8C8371F199AFEF809C99088227C051507A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."...0.................. ....@...... ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6682ACAB [Mon Jul 1 13:18:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0xa94	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb4e6	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9582	0x9600	95fd203eadc825097529d8207a753e3c	False	0.5885416666666666	data	6.453857954300438	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0xa94	0xc00	445b34a52ef3a8a8370ae3be463d6532	False	0.275390625	data	4.387705158987614	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0b8	0x3f8	data			0.484251968503937
RT_VERSION	0xc4b0	0x3f8	data	English	United States	0.484251968503937
RT_MANIFEST	0xc8a8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 18:42:59.938405991 CEST	49733	80	192.168.2.4	208.95.112.1
Jul 1, 2024 18:42:59.943552017 CEST	80	49733	208.95.112.1	192.168.2.4
Jul 1, 2024 18:42:59.943659067 CEST	49733	80	192.168.2.4	208.95.112.1
Jul 1, 2024 18:42:59.944499969 CEST	49733	80	192.168.2.4	208.95.112.1
Jul 1, 2024 18:42:59.949774981 CEST	80	49733	208.95.112.1	192.168.2.4
Jul 1, 2024 18:43:00.412911892 CEST	80	49733	208.95.112.1	192.168.2.4
Jul 1, 2024 18:43:00.465950012 CEST	49733	80	192.168.2.4	208.95.112.1
Jul 1, 2024 18:43:01.272777081 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:01.278364897 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:01.278460026 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:01.831456900 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:01.831615925 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:01.836751938 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:01.986022949 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:01.991200924 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:01.997502089 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:02.145862103 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:02.152112961 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:02.156975031 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:02.317781925 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:02.317878962 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:02.317889929 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:02.317930937 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:02.318805933 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:02.318882942 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:02.355576038 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:02.360408068 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:02.509190083 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:02.524990082 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:02.529696941 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:02.678913116 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:02.700902939 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:02.705904961 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:02.855238914 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:02.856137037 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:02.860960007 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:03.167504072 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:03.167727947 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:03.172538996 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:03.319950104 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:03.320111036 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:03.324934006 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:03.603168964 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:03.603347063 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:03.610462904 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:03.767673016 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:03.768328905 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:03.768408060 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:03.768429041 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:03.768451929 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:03.773746967 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:03.773821115 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:03.773905039 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:03.773915052 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:04.081171989 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:43:04.122184992 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:43:51.263151884 CEST	49733	80	192.168.2.4	208.95.112.1
Jul 1, 2024 18:43:51.271199942 CEST	80	49733	208.95.112.1	192.168.2.4
Jul 1, 2024 18:43:51.271290064 CEST	49733	80	192.168.2.4	208.95.112.1
Jul 1, 2024 18:44:41.278992891 CEST	49736	587	192.168.2.4	108.170.55.203
Jul 1, 2024 18:44:41.444897890 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:44:41.595026016 CEST	587	49736	108.170.55.203	192.168.2.4
Jul 1, 2024 18:44:41.598539114 CEST	49736	587	192.168.2.4	108.170.55.203

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 18:42:59.896805048 CEST	56677	53	192.168.2.4	1.1.1.1
Jul 1, 2024 18:42:59.904280901 CEST	53	56677	1.1.1.1	192.168.2.4
Jul 1, 2024 18:43:01.259967089 CEST	55895	53	192.168.2.4	1.1.1.1
Jul 1, 2024 18:43:01.272191048 CEST	53	55895	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 1, 2024 18:42:59.896805048 CEST	192.168.2.4	1.1.1.1	0x852	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 18:43:01.259967089 CEST	192.168.2.4	1.1.1.1	0x55a0	Standard query (0)	terminal4.veeblehosting.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 1, 2024 18:42:59.904280901 CEST	1.1.1.1	192.168.2.4	0x852	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Jul 1, 2024 18:43:01.272191048 CEST	1.1.1.1	192.168.2.4	0x55a0	No error (0)	terminal4.veeblehosting.com	108.170.55.203	A (IP address)	IN (0x0001)	false
Jul 1, 2024 18:43:01.272191048 CEST	1.1.1.1	192.168.2.4	0x55a0	No error (0)	terminal4.veeblehosting.com	108.170.55.202	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	208.95.112.1	80	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 18:42:59.944499969 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 1, 2024 18:43:00.412911892 CEST	175	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 16:43:00 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 1, 2024 18:43:01.831456900 CEST	587	49736	108.170.55.203	192.168.2.4	220-terminal4.veeblehosting.com ESMTP Exim 4.97.1 #2 Mon, 01 Jul 2024 09:43:01 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 1, 2024 18:43:01.831615925 CEST	49736	587	192.168.2.4	108.170.55.203	EHLO 965543
Jul 1, 2024 18:43:01.986022949 CEST	587	49736	108.170.55.203	192.168.2.4	250-terminal4.veeblehosting.com Hello 965543 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 1, 2024 18:43:01.991200924 CEST	49736	587	192.168.2.4	108.170.55.203	STARTTLS
Jul 1, 2024 18:43:02.145862103 CEST	587	49736	108.170.55.203	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	12:42:55
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\rQuotation.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\rQuotation.exe"
Imagebase:	0x1910e580000
File size:	1'876'079 bytes
MD5 hash:	19C0BB3B7E9C41E5D47B78566E04D3DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1792962996.00000191105E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1793385325.000001912044B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1793385325.000001912044B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:42:55
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:42:58
Start date:	01/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0xd10000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2873010607.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2873010607.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2873010607.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2873010607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2871449833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2871449833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:42:58
Start date:	01/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0x100000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:42:58
Start date:	01/07/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6476 -s 1120
Imagebase:	0x7ff6e1ed0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B8A0359 Relevance: 4.1, Strings: 2, Instructions: 1643COMMON

Download Yara Rule

Strings

x6' , xrefs: 00007FFD9B8A1019
x6' , xrefs: 00007FFD9B8A1129

Memory Dump Source

Source File: 00000000.00000002.1796381434.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_rQuotation.jbxd

Similarity

API ID:
String ID: x6' $x6'
API String ID: 0-3101763461
Opcode ID: df5d4f2b8fac109685e95dc133689bc215c705aa00c52442a84a700472390ead
Instruction ID: 7e5fcce5f3c099a6f232f9e2b6edabd36cac5024022efd9d0db0e5b27824d256
Opcode Fuzzy Hash: df5d4f2b8fac109685e95dc133689bc215c705aa00c52442a84a700472390ead
Instruction Fuzzy Hash: BDB27B3071DB4A4FD769DB28C4A14B5B7E2FF89301B0446BED48AC72A6DE34E946C781

Function 00007FFD9B970050 Relevance: 3.5, Strings: 1, Instructions: 2260COMMON

Download Yara Rule

Strings

87' , xrefs: 00007FFD9B971183

Memory Dump Source

Source File: 00000000.00000002.1796675546.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_rQuotation.jbxd

Similarity

API ID:
String ID: 87'
API String ID: 0-3562303210
Opcode ID: 93394df336d59875baac7137924dd2855474bd93791eeee351eadc028027618f
Instruction ID: 07674f9a76eb31e171882a4354f418e25f82e908274b93809fc58aaa6565caf8
Opcode Fuzzy Hash: 93394df336d59875baac7137924dd2855474bd93791eeee351eadc028027618f
Instruction Fuzzy Hash: 33E27F71A1E7CA5FDB66DB6888A55A47FE0FF56700F0901FED089CB1A3DA286906C341

Function 00007FFD9B89AB20 Relevance: 2.2, Strings: 1, Instructions: 931
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=M_H, xrefs: 00007FFD9B89E8C4

Memory Dump Source

Source File: 00000000.00000002.1796381434.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_rQuotation.jbxd

Similarity

API ID:
String ID: =M_H
API String ID: 0-509831626
Opcode ID: 7dac87b4f28c2080341fce674063d34d9046706bef8eaf95a5e72f384dbdeedb
Instruction ID: d615ad4a06aa03404073b0f962c0c2519f8cab0db15ed471538b15ad04ec5afa
Opcode Fuzzy Hash: 7dac87b4f28c2080341fce674063d34d9046706bef8eaf95a5e72f384dbdeedb
Instruction Fuzzy Hash: 1C520830B09A0D8FDF68DB68C465A797BE1FF59301B1501BEE08EC76A2DE24ED468741

Function 00007FFD9B89CB84 Relevance: 2.0, Strings: 1, Instructions: 746
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

mM_H, xrefs: 00007FFD9B89D08D

Memory Dump Source

Source File: 00000000.00000002.1796381434.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_rQuotation.jbxd

Similarity

API ID:
String ID: mM_H
API String ID: 0-3580782184
Opcode ID: baa663e34bfd6a98505bf7c1a3ade60b795168aae9739bf36d422811576e69a6
Instruction ID: 2a6120256f988fff1b04770a66f132977bde0064ee8279896563962cd01e36cf
Opcode Fuzzy Hash: baa663e34bfd6a98505bf7c1a3ade60b795168aae9739bf36d422811576e69a6
Instruction Fuzzy Hash: 3C32AD3170DB4E4FEB69DB6884640757BD1FF99300B0545BED08AC32B2DE25E942C780

Function 00007FFD9B895D85 Relevance: 1.6, Strings: 1, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 00007FFD9B895DD0

Memory Dump Source

Source File: 00000000.00000002.1796381434.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_rQuotation.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: c7befa226689ea40cca3d0f6fdcb024dc0492ce1fc5ec40fb31490d2f965d9f7
Instruction ID: 13e16465c0c7f16df0fcb6d1be80c1be566559d6824fb683a62bf808dbc9d037
Opcode Fuzzy Hash: c7befa226689ea40cca3d0f6fdcb024dc0492ce1fc5ec40fb31490d2f965d9f7
Instruction Fuzzy Hash: 1A911B31B1DB4D0FEB6CEB6898654B977E1FF99310B01017EE49BC32A6ED24E9424681

Function 00007FFD9B8914ED Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796381434.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_rQuotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283a31ef377dbf4da49987eeb832b315fb101071e8ca6af3c281ffa564d441aa
Instruction ID: fbb3e7891a25950791cb9eb3afc908edc4f38d4400ef6d9a3f5f61ed7c1c967d
Opcode Fuzzy Hash: 283a31ef377dbf4da49987eeb832b315fb101071e8ca6af3c281ffa564d441aa
Instruction Fuzzy Hash: 37122431A1DB894FDBADDB2888256B67BE1FF99310F1504BFD08AC71A2DE24D506C741

Function 00007FFD9B89D349 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796381434.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_rQuotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6817a23d925f899ee0efdf254f88168b15ae89e53ac7f25fcb4482e37b7f95b0
Instruction ID: d1ced31fee3478e6cdb1685a24a980367369a3c077896829296890f5149fabe4
Opcode Fuzzy Hash: 6817a23d925f899ee0efdf254f88168b15ae89e53ac7f25fcb4482e37b7f95b0
Instruction Fuzzy Hash: F7E18C3160DB8A4FE72DCB2484A1171BBD2FF95301B1546BED4DAC72B2DE28B546C781

Function 00007FFD9B890508 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796381434.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_rQuotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f2e5ccfcea830ceed61046ab019ed5e8f768afcc629e066f98c516d0b921d2
Instruction ID: 2e9b020b4ce6c67b9df426ba0ec373330d55c2b59943268605d97986455e6501
Opcode Fuzzy Hash: 47f2e5ccfcea830ceed61046ab019ed5e8f768afcc629e066f98c516d0b921d2
Instruction Fuzzy Hash: 0A91E430B1C90E4BEB6CEBAC94657B976D2EF9C344F524079E41EC72E6DE28AD424241

Function 00007FFD9B89497A Relevance: 1.6, APIs: 1, Instructions: 139
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B894A51

Memory Dump Source

Source File: 00000000.00000002.1796381434.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_rQuotation.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 752037b8724faa5c9fdcaaeefd4060040c4f18b5c7224b0454c842a0a9409e42
Instruction ID: 64ff85e236b25f5085c3009cbc2bd500aa2244c439abe6a9f54a75056127bc13
Opcode Fuzzy Hash: 752037b8724faa5c9fdcaaeefd4060040c4f18b5c7224b0454c842a0a9409e42
Instruction Fuzzy Hash: 7041393090DB884FDB19DBA898566E87FF0EF56321F0802AFD059C31A3CF646856C792

Function 00007FFD9B890DA5 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FFD9B890E3F

Memory Dump Source

Source File: 00000000.00000002.1796381434.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_rQuotation.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: aa02b2342981ec1c26a4d1d6bee88279dc2cbb56951b83e6efd9e4ca9ec11964
Instruction ID: 4ec3be754adfd4cabb180a257af3309bd609620906785272934344e1c6877487
Opcode Fuzzy Hash: aa02b2342981ec1c26a4d1d6bee88279dc2cbb56951b83e6efd9e4ca9ec11964
Instruction Fuzzy Hash: 9C31B33050D7488FDB19DFA8C849BE9BBF0EF56320F0442AFD089C7562D768A84ACB51

Function 00007FFD9B9710F2 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

87' , xrefs: 00007FFD9B971183

Memory Dump Source

Source File: 00000000.00000002.1796675546.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_rQuotation.jbxd

Similarity

API ID:
String ID: 87'
API String ID: 0-3562303210
Opcode ID: 2711b9306a28f495c644885e29dc572dee81a6583cb196e7e402ff2574bef2fd
Instruction ID: 880550af5d7db8ac4e605cb632823c9da0cf5fdae7bdd0991077cfb7e916b5dc
Opcode Fuzzy Hash: 2711b9306a28f495c644885e29dc572dee81a6583cb196e7e402ff2574bef2fd
Instruction Fuzzy Hash: 14713831A1DB8E5FDB6ADB6888A55A87BF0FF55304B0601FBD04EC71A3DE28A905C341

Function 00007FFD9B9709FC Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796675546.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_rQuotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d4653ec269509a540df8d4009fb95ab98fd4920d4d4dc5c68d09703fd411d7
Instruction ID: 776b30e219656134a6d8f5d86ecdc5e762961893c763bc330e1fb9eb66eb5e44
Opcode Fuzzy Hash: 93d4653ec269509a540df8d4009fb95ab98fd4920d4d4dc5c68d09703fd411d7
Instruction Fuzzy Hash: 63E0E535A0562D8ADF64EB48D891BE9B3B1EF98300F0041E6D55EA3291CB346A84CF52

Analysis Process: RegAsm.exePID: 7032, Parent PID: 6476COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	139
Total number of Limit Nodes:	20

Executed Functions

Function 06812428 Relevance: 9.0, Strings: 6, Instructions: 1493COMMON

Download Yara Rule

Strings

$^q, xrefs: 06813884
$^q, xrefs: 0681386C
$^q, xrefs: 06813837
$^q, xrefs: 06813890
$^q, xrefs: 06813860
$^q, xrefs: 06813843

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: d92ed543eb6de89a99914fda1d5c5f232d453561ce8eca0c031e8145789046d9
Instruction ID: b9a143254c49b364079118ac72ecd5950a18f2b52699ac0bea36d9c62d58f7d3
Opcode Fuzzy Hash: d92ed543eb6de89a99914fda1d5c5f232d453561ce8eca0c031e8145789046d9
Instruction Fuzzy Hash: 2CD25730E00209CFCB64DB68C594AADB7B6FF89314F5485A9D509EB365EB30ED85CB80

Function 0681B2D8 Relevance: 8.3, Strings: 6, Instructions: 772COMMON

Download Yara Rule

Strings

$^q, xrefs: 0681BC55
$^q, xrefs: 0681BC49
$^q, xrefs: 0681BCB1
$^q, xrefs: 0681BC7D
$^q, xrefs: 0681BCBD
$^q, xrefs: 0681BC89

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: e850ed101d04833ff0687e02d735f2089618b099557afb399412dd4eb5a1887c
Instruction ID: 0647a5ffe13054e7ca5e161a1f95731341664fd9f7041a0f9d0cbc78af7a7c29
Opcode Fuzzy Hash: e850ed101d04833ff0687e02d735f2089618b099557afb399412dd4eb5a1887c
Instruction Fuzzy Hash: 2C527030E002098FDF64DB68D5907AEB7BAFB85310F24892AD509EF355DA35DC86CB91

Function 06817E20 Relevance: 3.0, Strings: 2, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0681838C
$^q, xrefs: 06818398

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: c530fe195564dad9739e67665d8e83005d4da0704727d7289b0ef0ab3d1ac9b1
Instruction ID: 998ac5fb0605d7124e783ac129ad693610b0ec847c3a0bd7b4216821d6673990
Opcode Fuzzy Hash: c530fe195564dad9739e67665d8e83005d4da0704727d7289b0ef0ab3d1ac9b1
Instruction Fuzzy Hash: B902CE30B002098FDB54DF68D991AAEB7E6FF84304F148569D91ADB394DB31EC86CB81

Function 02D870A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02D87117

Memory Dump Source

Source File: 00000003.00000002.2872922931.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d80000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 80088b0c379cde86b97673457dcf82f98b539d9a4b72c3774f2e4afbf048158c
Instruction ID: 1fc3fc0c09a4b2e85680f110d946a0684b873bbd7e5cb5e193314fc09678e24b
Opcode Fuzzy Hash: 80088b0c379cde86b97673457dcf82f98b539d9a4b72c3774f2e4afbf048158c
Instruction Fuzzy Hash: 742148B2800259CFDB10CF9AD844BEEFBF4AF49324F14846AE454A7350D778A944CF64

Function 06816698 Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf066dc3ee7f10d5447e41af3e4420055a6044f42fe82d4f0e319f341830f000
Instruction ID: 153aeb6b0ae7c2be99108be84188a4f28e8e5edede70f3793a68337859e65266
Opcode Fuzzy Hash: bf066dc3ee7f10d5447e41af3e4420055a6044f42fe82d4f0e319f341830f000
Instruction Fuzzy Hash: D562AF30B002088FDB54DB68D994AADB7F6FF88314F148569E556EB354EB31EC86CB90

Function 06815680 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3272f192aa04236fd1e2a5cb059b8d106a62a1ff7b51c2b6a7bf06a3762f3810
Instruction ID: fbb9e26dd13f31c3f3607eba6e652df605f6abd893ed89027c02538b53ec9581
Opcode Fuzzy Hash: 3272f192aa04236fd1e2a5cb059b8d106a62a1ff7b51c2b6a7bf06a3762f3810
Instruction Fuzzy Hash: 5D12F3B1F102059BDB60DB64D89476EBBBAFB85310F14842AD959DF344DB34EC42CB92

Function 0681AD70 Relevance: 10.4, Strings: 8, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0681AF13
$^q, xrefs: 0681AF48
$^q, xrefs: 0681AF1F
$^q, xrefs: 0681AE91
$^q, xrefs: 0681AE9D
$^q, xrefs: 0681AEE4
$^q, xrefs: 0681AF3C
$^q, xrefs: 0681AEF0

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: be58eaa1120043c20bf1b67a80e8c235dd0d2fabc95379756c655249a874a805
Instruction ID: 0e5f9acbd113f88c9c6a3d579ad4d7f517aa07af1e0d441794f489492fcf10c8
Opcode Fuzzy Hash: be58eaa1120043c20bf1b67a80e8c235dd0d2fabc95379756c655249a874a805
Instruction Fuzzy Hash: 43E16F30E102098FCB69DF69D9906AEB7B6FF88304F108529D51ADF354DB71E84ACB91

Function 06793893 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06793916
GetCurrentThread.KERNEL32 ref: 06793953
GetCurrentProcess.KERNEL32 ref: 06793990
GetCurrentThreadId.KERNEL32 ref: 067939E9

Memory Dump Source

Source File: 00000003.00000002.2878138136.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6790000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d568ee5e17326aec9eb522c164f1189678d6ef579824b7466255a32731f15095
Instruction ID: ded3c6f7445cabf16173af140a25d8e6ef697ac63368ffe86f8371d38f1d32a2
Opcode Fuzzy Hash: d568ee5e17326aec9eb522c164f1189678d6ef579824b7466255a32731f15095
Instruction Fuzzy Hash: BF5148B09003098FDB54DFA9D948BEEBBF1EF48314F248469D459A7360DB349984CF66

Function 06793898 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06793916
GetCurrentThread.KERNEL32 ref: 06793953
GetCurrentProcess.KERNEL32 ref: 06793990
GetCurrentThreadId.KERNEL32 ref: 067939E9

Memory Dump Source

Source File: 00000003.00000002.2878138136.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6790000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 781293ef60da767a14ec56ec76c9701b0194faa4ed3d583c38e4bda85a8db6a0
Instruction ID: 4c35365ee031ea79b71670bb6c4c1ba437d1875a64957bb7ed421ebbbe9d9ab9
Opcode Fuzzy Hash: 781293ef60da767a14ec56ec76c9701b0194faa4ed3d583c38e4bda85a8db6a0
Instruction Fuzzy Hash: 855159B09003098FDB54DFA9D948BEEBBF1EF48314F248429D419A7350DB349984CF66

Function 068191F8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0681923F
$^q, xrefs: 0681924B
$^q, xrefs: 06819286
$^q, xrefs: 0681927A

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 934530ec96df749b04488703e2fcd2a38071e902f37bfc9e0b74329956fc934e
Instruction ID: 5112fd4180dd6ab4758fa791c852a1fbd1de6f3a22b44f4a745276e3754d32ba
Opcode Fuzzy Hash: 934530ec96df749b04488703e2fcd2a38071e902f37bfc9e0b74329956fc934e
Instruction Fuzzy Hash: 43914E30B0021A9FDF94DB69D9607AEB7F6BB88244F108569C50DEB358EA70DC468B91

Function 0681CFE8 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0681D3F3
$^q, xrefs: 0681D3DF
$^q, xrefs: 0681D3E7

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 7c6f8a17dec2735029a8af905fc7ce8f04939cc44c93563b09902c2d541d5b1f
Instruction ID: 5b4eaeff113ccbe4570d2de68ab5870ee2b5fcb1bcda47d8e8e29df8face84c1
Opcode Fuzzy Hash: 7c6f8a17dec2735029a8af905fc7ce8f04939cc44c93563b09902c2d541d5b1f
Instruction Fuzzy Hash: 58623F30A0061A8FCB55EB69D590A5DB7B2FF84304F248A69D409DF359DB71FC8ACB81

Function 06814C40 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06814D91
\Ocq, xrefs: 06814E1B
fcq, xrefs: 06814C6B

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: ed7f0047baa2804a2ffbfc0e8f5881f29b6e58a00f528fc92682be9ffe46b673
Instruction ID: 7eb4ee0315228af64a94431fb3104a18a825569ca026798cc68a59acc549f10b
Opcode Fuzzy Hash: ed7f0047baa2804a2ffbfc0e8f5881f29b6e58a00f528fc92682be9ffe46b673
Instruction Fuzzy Hash: 5E617D70E002099FDB54EFA8C8547AEBBF6FB88700F20842AD509EB394DE759D058B91

Function 068191E8 Relevance: 2.7, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0681923F
$^q, xrefs: 0681927A

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: be46eb64c0a914d6e2b6d8e3809f406cdc3bdcff5e3464ff358718a8ecdb36fa
Instruction ID: 23bfc5eb709be3a4d75ac409873cb9ac3d90db4ec3f1866d590f57c42c1a1a2f
Opcode Fuzzy Hash: be46eb64c0a914d6e2b6d8e3809f406cdc3bdcff5e3464ff358718a8ecdb36fa
Instruction Fuzzy Hash: 17517330B002099FDF94DB78D9A0BAE77FABBC8654F108569C519DB358DA30DC42CBA5

Function 06814C08 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06814D91
fcq, xrefs: 06814C6B

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 51be1a462e264cf716dd1ab042e92715a7be81a096ca660feea841c0510693b8
Instruction ID: 2262c2d8ba5dc7038adbc7974d490fec3346216d707848c77fc04b34ec253429
Opcode Fuzzy Hash: 51be1a462e264cf716dd1ab042e92715a7be81a096ca660feea841c0510693b8
Instruction Fuzzy Hash: 7951BD70A002188FDB45EFB8C8647AEBBF6FF88700F20852AD505EB395DA718C05CB95

Function 0679BD98 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0679BFFE

Memory Dump Source

Source File: 00000003.00000002.2878138136.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6790000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ba7000592973ad28dea2d68fb610afca865fca3a804eb7afcf307db3e72c94e6
Instruction ID: 8573cc0aa98e2e576bee7c11c0222760c7cee4ee85b1309a4c548e8b1d66c45f
Opcode Fuzzy Hash: ba7000592973ad28dea2d68fb610afca865fca3a804eb7afcf307db3e72c94e6
Instruction Fuzzy Hash: 94813570A00B058FDBA4DF2AE44576BBBF5BF88704F00892ED58697A50DB74E845CBA1

Function 0679DF30 Relevance: 1.7, APIs: 1, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878138136.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6790000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80615c445f9af50cc829d6f01840eb593326e5a8fc08b588e1f8d1ec9d2d0cd0
Instruction ID: 28d65700633f944d1fda7e6b4316c657ed598a2345f19a14aa452e51f0fa3fe1
Opcode Fuzzy Hash: 80615c445f9af50cc829d6f01840eb593326e5a8fc08b588e1f8d1ec9d2d0cd0
Instruction Fuzzy Hash: 585113B1C10249AFDF11CF99D980ADEBFB5FF49314F24816AE808AB221D7319845CFA1

Function 02D8F278 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2872922931.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d80000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c12b197ff811c683ab95049b80f93f2aae2490625e1099961fb3885937587b
Instruction ID: 5b8cfbb12e8e6af6079f1992c80886bce6aae2854621f7fce7924df40d07edd9
Opcode Fuzzy Hash: b7c12b197ff811c683ab95049b80f93f2aae2490625e1099961fb3885937587b
Instruction Fuzzy Hash: CA415472D043598FCB04DFB9D8102AEBFF0AF89220F18856AD444E7751DB38A845CBD1

Function 0679DF90 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0679E0A2

Memory Dump Source

Source File: 00000003.00000002.2878138136.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6790000_RegAsm.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 71fb7885c3bf5b9ab66c9e2aab36c2ff6b24093ffab80565bdaa994c30b73432
Instruction ID: f156e52ace4d2443d0b513444fe1018bed7ef2a96a76fbca39ae79a99039718b
Opcode Fuzzy Hash: 71fb7885c3bf5b9ab66c9e2aab36c2ff6b24093ffab80565bdaa994c30b73432
Instruction Fuzzy Hash: 9341BEB1D103099FDF14CF99D984ADEBBF5BF48314F24852AE818AB210DB71A885CF91

Function 02D87098 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02D87117

Memory Dump Source

Source File: 00000003.00000002.2872922931.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d80000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: d1ea80d600909b210b56a703a07a0a19b72db4e38924473058a99f4cde0f1787
Instruction ID: 984d5c72d92b5c999033c230006a9a761bac398b4c22ba8540521519061c1471
Opcode Fuzzy Hash: d1ea80d600909b210b56a703a07a0a19b72db4e38924473058a99f4cde0f1787
Instruction Fuzzy Hash: 7E2139B28002598FDB10CF9AD984BEEFBF4EF49324F14845AE454A7350D778A944CF64

Function 06793AD8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06793B67

Memory Dump Source

Source File: 00000003.00000002.2878138136.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6790000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 84ced876c954f886032b18fbeed77f67bc2245045463d6352827a9c3d4b9cdf2
Instruction ID: 3f3c038a45b9bc85a22ecd5276db9ca97f2b8159338f114eec40847770745da1
Opcode Fuzzy Hash: 84ced876c954f886032b18fbeed77f67bc2245045463d6352827a9c3d4b9cdf2
Instruction Fuzzy Hash: 0D21E4B5D00258DFDB10CFA9D984AEEBBF4EB48320F14842AE958A7350D374A944CFA5

Function 06793AE0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06793B67

Memory Dump Source

Source File: 00000003.00000002.2878138136.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6790000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f1938d7d837d171681e1ed37aa643654d35c67ec1755a7237c5668c3d624dd09
Instruction ID: ff9bf1fd8625690a5fbb4b72f42e9b9242fce1421e99922cfee644a17531e572
Opcode Fuzzy Hash: f1938d7d837d171681e1ed37aa643654d35c67ec1755a7237c5668c3d624dd09
Instruction Fuzzy Hash: BE21C2B5900258DFDB10CFAAD984ADEBBF4EB48324F14842AE958A7350D374A944CFA5

Function 0679AFB8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0679C079,00000800,00000000,00000000), ref: 0679C26A

Memory Dump Source

Source File: 00000003.00000002.2878138136.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6790000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da4a22ff90d1bf58f9629d5b4e564e589d28d8e57e688f6182e91e7b554de1e3
Instruction ID: 659e4ed9c22f8774a23fb28d7bdd8b052104d501a1e68e99cfe1d2558ca88ba1
Opcode Fuzzy Hash: da4a22ff90d1bf58f9629d5b4e564e589d28d8e57e688f6182e91e7b554de1e3
Instruction Fuzzy Hash: 911112B6D003488FDF10CF9AD944AEEFBF4EB48720F14842AE519A7210C375A544CFA5

Function 0679C1F9 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0679C079,00000800,00000000,00000000), ref: 0679C26A

Memory Dump Source

Source File: 00000003.00000002.2878138136.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6790000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 00b28404818705fe61c484bfcc1e97110dd978cfd2c06e10edb677b914630c5a
Instruction ID: 82543b1294874596aab80aef1d84db47b04d2e718f68f82ae147fd81bd1f0c30
Opcode Fuzzy Hash: 00b28404818705fe61c484bfcc1e97110dd978cfd2c06e10edb677b914630c5a
Instruction Fuzzy Hash: 4C1123B6D003099FDB10CFAAD944AEEFBF4EB88720F14842AE419A7210C375A544CFA5

Function 02D8F349 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,CAC8067A), ref: 02D8F3B7

Memory Dump Source

Source File: 00000003.00000002.2872922931.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d80000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: aa35bf83e58a49579f683ebad85089f9dad8b23f18a667a68b05f1104b0df3b4
Instruction ID: 9fa954dcded651dcbf95e7e6ec90da145e285dc30a43968913d6ae777a19692d
Opcode Fuzzy Hash: aa35bf83e58a49579f683ebad85089f9dad8b23f18a667a68b05f1104b0df3b4
Instruction Fuzzy Hash: 6D111FB6C006699FCB10DFAAC544BDEFBB4AF48324F15816AD818B7740D378A944CFA5

Function 0679BF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0679BFFE

Memory Dump Source

Source File: 00000003.00000002.2878138136.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6790000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c6e54cef0ecd3df97235c6af0cef0f001f3eabb5f2b7b2cad08001402ba9d5f4
Instruction ID: 46793afea1e1d3f0cca54bff99e451d1d5a8a606d2ddd5b020101856c7b39aec
Opcode Fuzzy Hash: c6e54cef0ecd3df97235c6af0cef0f001f3eabb5f2b7b2cad08001402ba9d5f4
Instruction Fuzzy Hash: FD11E0B6C006498FDB10CF9AD844ADEFBF4AF88724F14842AD459A7210D375A545CFA5

Function 0681DB5D Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0681DCB9

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 2944902fcdc7d64636e6a51718b2dad6fae1fd06822e1eae577ce614f410d7b1
Instruction ID: 626469c3e675ea7552c33a85c4f1c3a3faf5b7a8e454f3a9e2010efdddf46847
Opcode Fuzzy Hash: 2944902fcdc7d64636e6a51718b2dad6fae1fd06822e1eae577ce614f410d7b1
Instruction Fuzzy Hash: 30417C70E003099FDF559F65C9447AEBBBABF85340F104A29E906EB350DB75E846CB81

Function 0681DB70 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0681DCB9

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: c524887bb30de5189f382c16da1b7da3946dcd2f7afafa1a2b9a0eadcc2ee927
Instruction ID: 0a5b0f62c98852f2d47ec97a974e3dd673abead06402079ee135d4db590f9bc2
Opcode Fuzzy Hash: c524887bb30de5189f382c16da1b7da3946dcd2f7afafa1a2b9a0eadcc2ee927
Instruction Fuzzy Hash: 7F417D70E0020A9FDF55DFA5C5547AEBBB6BF85340F104929D506EB340DBB0E946CB81

Function 0681228D Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

PH^q, xrefs: 068123DB

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: befa24daf80e7d5900614f5dcb54e3de49667af9c7548fefe3e76ea6c0261e25
Instruction ID: 4e59f704d5c5f26d126e34edcb8ec06432b48a5df4daee8a50600b2256db3945
Opcode Fuzzy Hash: befa24daf80e7d5900614f5dcb54e3de49667af9c7548fefe3e76ea6c0261e25
Instruction Fuzzy Hash: 6E31FE31B002058FDB55AB74C86466FBBAAEF89204F104968D406DB394DF79ED86CBE1

Function 068122A0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 068123DB

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 6dbafd67abff96318586c1fea378cfc91e1f38f2a5223d22abc14f29bf315bf1
Instruction ID: 52c32b9d1ebb6d1f3a0834a58a339ee96239e477286789cbd56c0d96a7ee6c56
Opcode Fuzzy Hash: 6dbafd67abff96318586c1fea378cfc91e1f38f2a5223d22abc14f29bf315bf1
Instruction Fuzzy Hash: 1031EF30B002058FCB59AB74D96466FBBABAB88304F204928D406DB394DF75DD86CBE1

Function 06818367 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

$^q, xrefs: 0681838C

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: ebd980c54a224b2edbec63f096ce60b787dcd1fd595b17ff575d6c794b511bc4
Instruction ID: 3f2298781728dc5177cd8f8263369debfa1c928fa58b206ab3d52d3b7e781e27
Opcode Fuzzy Hash: ebd980c54a224b2edbec63f096ce60b787dcd1fd595b17ff575d6c794b511bc4
Instruction Fuzzy Hash: 66F058B5E00228CFDB649A55E9426ACB7BDEB4031AF1C8461CA09EB154D731A987CB90

Function 06814729 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06814735

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: df18a6c8ef2ef8d9684648fc6a67aab4893e2a3335a2d03b573140e3511e872c
Instruction ID: 1853421a04441e83c3850d7b3d1ce49e4475baf6be38a78f33170c00645604c3
Opcode Fuzzy Hash: df18a6c8ef2ef8d9684648fc6a67aab4893e2a3335a2d03b573140e3511e872c
Instruction Fuzzy Hash: 18F0DA70A2011DDBDB54DF94E8597AEBBB6BF84715F20451AE402A7294CB741D45CBC0

Function 0681C230 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cad36ff83c839c85b5776f573917831835e7fefb21059e3a6913deac4813d31
Instruction ID: c5a0d998a25bbea339e50d76cb48d6d800c7cd629a5dfb37cf57431df3542d3a
Opcode Fuzzy Hash: 0cad36ff83c839c85b5776f573917831835e7fefb21059e3a6913deac4813d31
Instruction Fuzzy Hash: 3B329430B402198FDF54DB68D990BAEBBB6FB88314F108529E505EB355DB39EC42CB91

Function 0681B2C8 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4484f15996e550b59e436cf36965783a8758dbab01c7f6ed700737200da2285
Instruction ID: 78f69c48097428bcc812b196a04db3a5518d0c0444fc8499478470955e815917
Opcode Fuzzy Hash: b4484f15996e550b59e436cf36965783a8758dbab01c7f6ed700737200da2285
Instruction Fuzzy Hash: 83B17630F102098FEF64DB6CD5947AE77EAFB89310F248829D509EF395CA25DC868791

Function 06816290 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a63763a31e08c2bcf2957b84f363cb29b1b602c0ff75141c706c4acaaede580
Instruction ID: cae8114119aacfd236d8edc6326245851a48be98cfd028aaca93e9425261ae23
Opcode Fuzzy Hash: 0a63763a31e08c2bcf2957b84f363cb29b1b602c0ff75141c706c4acaaede580
Instruction Fuzzy Hash: 6461E371F001214FCF509A7EC89466FAADBAFC4620B254439D90EDB364EEA5ED4287C2

Function 06814290 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d684dc8867d0ad5a66d8a4427517a0d68ee94186e5732a5240e39c32f996106c
Instruction ID: 8251b85612d9299be419af42f8955f835cabbd620a90a53ddf5590fcd71e9efe
Opcode Fuzzy Hash: d684dc8867d0ad5a66d8a4427517a0d68ee94186e5732a5240e39c32f996106c
Instruction Fuzzy Hash: C3913C30E102198FDF60DF68C890B9DB7B1FF89300F208699D549EB295EB70A985CF91

Function 06813F71 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d822da2d1741ecb814a8e0de86fba97e012591d1118846dceb4cd9866680d94f
Instruction ID: 8275222dbcbeca775e84e5a9946e284de87c608a890c0e741668547a4e6b6c9d
Opcode Fuzzy Hash: d822da2d1741ecb814a8e0de86fba97e012591d1118846dceb4cd9866680d94f
Instruction Fuzzy Hash: 31815F30B002099FDF54DFA9D45476EBBF6AF89304F208429D50AEB394EB75EC868B51

Function 06813F80 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9226cff534340d49c2ac664d11b94f277b67c3f80bbaebbd8a5e65e34ff6345
Instruction ID: f536fb221f10ff208a5078578e42943a9aa62aa2c28a24aea9dd89609c9dcc65
Opcode Fuzzy Hash: c9226cff534340d49c2ac664d11b94f277b67c3f80bbaebbd8a5e65e34ff6345
Instruction Fuzzy Hash: 15815E30B002099FDF44DFA9D45476EBBF6AB89304F208429D50ADB394EF75EC868B51

Function 068142A8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4958724f7776200693d350f4b77c283ea9b53961268a919f3a627eb1078e45
Instruction ID: d29946127d59ef2db3169347ff61cee28d2100b8db17a95d65bc40930f007d5a
Opcode Fuzzy Hash: 9f4958724f7776200693d350f4b77c283ea9b53961268a919f3a627eb1078e45
Instruction Fuzzy Hash: EA913D30E1061A8BDF60DF68C890B9DB7B1FF89304F208599D549EB355EB70AA85CF91

Function 0681EBB9 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc2d63868842df46f6795b7644a76db17fa7053ade8bacd463708b5f9816cdb
Instruction ID: 267b94a1f1bc667bd00fd2a77702c8b7342af364d1915a3bf1adbfdfc2a2e186
Opcode Fuzzy Hash: 0cc2d63868842df46f6795b7644a76db17fa7053ade8bacd463708b5f9816cdb
Instruction Fuzzy Hash: D6713730A006099FCB54DFA9D994AADBBFAFF84300F248529E409EB355DB30ED46CB51

Function 0681EBC8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2097f1c41550a6d277a1cf99bee474e47242e6a1277b7d8c9fc70348202b17
Instruction ID: 6185e9684001cb3b02132cf74c50c6036cfb6541071ad8fe3698f10d20dbd442
Opcode Fuzzy Hash: 6e2097f1c41550a6d277a1cf99bee474e47242e6a1277b7d8c9fc70348202b17
Instruction Fuzzy Hash: D2711930A006099FDB54DFA9D994AAEBBFAFF84300F148529E409EB355DB30ED46CB51

Function 0681FD40 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ae51eb6bfe8fd2de7d6fbba78454dc5f5c51fb5a602549f2e1b56ccdcf0ab6
Instruction ID: 5f080213eb93ebea9d7e893b623eaffb2a2af5e5894cf59091a0c1a2d307d623
Opcode Fuzzy Hash: 40ae51eb6bfe8fd2de7d6fbba78454dc5f5c51fb5a602549f2e1b56ccdcf0ab6
Instruction Fuzzy Hash: A751CF31E001098FDF14AB78E4446ADBBF6FF89315F208969E20ADB250DF319955CB80

Function 0681FAE3 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199da19655f0b2f22270f11cc487a773fd41b61cb0e89fcdab47f813f2cfd6fb
Instruction ID: 5e0dde415c009ae5869a7a176b8f5a0cfea77f2586484ac6e96e91e24fa4f089
Opcode Fuzzy Hash: 199da19655f0b2f22270f11cc487a773fd41b61cb0e89fcdab47f813f2cfd6fb
Instruction Fuzzy Hash: 40512D30B102188FEF64566CD99077F3A9EDBC9310F20053AE60EDB7D9CA29DC459792

Function 0681FAF0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cbfa0a2439b44cde683c207e6f385f85bf5e39c820ee2ed7083dc847d29d9f7
Instruction ID: 3e9afa2a2992623014809f053b1d30b1c1e780897d5d30162e6f45bd5b626c88
Opcode Fuzzy Hash: 2cbfa0a2439b44cde683c207e6f385f85bf5e39c820ee2ed7083dc847d29d9f7
Instruction Fuzzy Hash: C251E830B1021C9FEF64666CD99073F369EDBC9310F20093AE60EDB799CA29DC455792

Function 06815500 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3280a8bf43946a25e7e9073123b359876d1dd95b8f4a29317418856a15791f6
Instruction ID: c266dfcb05c9376884a52131c6c1ec0fb34a54fc4f40c3163db5bc7cf32f78ab
Opcode Fuzzy Hash: c3280a8bf43946a25e7e9073123b359876d1dd95b8f4a29317418856a15791f6
Instruction Fuzzy Hash: 7E4141B1E006098FDF70CE99D8C1AAFF7B6FB94310F10492AE256DB650D730E8458B92

Function 06812150 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f620865d241dc8c8b3461a7287e5f26d41e75d578b139c481cb52afa4f3ef7
Instruction ID: f4f90e6c72ed5429cea5d92cfddbdbf1e71d3ff436e046a2bb56c4eb263ad1fc
Opcode Fuzzy Hash: 16f620865d241dc8c8b3461a7287e5f26d41e75d578b139c481cb52afa4f3ef7
Instruction Fuzzy Hash: 28317E31F102099BCB15CFA4D8946AEFBB6BF89300F14C919E916EB340DB70AD86CB40

Function 06812160 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526184897edeb1d53c447ed0f8372c921a4d95464d0bc70dbb5854476a8907f4
Instruction ID: 9eb72bb8fba0689ee2c153599bbf149ce76e153ac772599ecaf8e598c7379242
Opcode Fuzzy Hash: 526184897edeb1d53c447ed0f8372c921a4d95464d0bc70dbb5854476a8907f4
Instruction Fuzzy Hash: C9316F31F102099BCB55CFA5D8946AEFBB6BF89300F10C919E916EB340DB71A986CB40

Function 06813B79 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1ee92510c1cc742e155c4e2330b9b14ce027457988b345e1cd9c5263bac29e
Instruction ID: c28bcc665df20c0096b4c88bf395f458508be916ffd11c79e5ebf8f57c88c599
Opcode Fuzzy Hash: ea1ee92510c1cc742e155c4e2330b9b14ce027457988b345e1cd9c5263bac29e
Instruction Fuzzy Hash: 6A219C76E006199FDB40DF78D940AAEBBF5FB88714F1480A9E905EB390E734ED018B91

Function 068154F1 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86726b1cfa6633aa3b05ea6992bae91086b26f46e1d988c8f886de1153ac21a
Instruction ID: 2615224b066379376fcb4677abf5006c328632f5ddaab58aa81d92cacb643640
Opcode Fuzzy Hash: a86726b1cfa6633aa3b05ea6992bae91086b26f46e1d988c8f886de1153ac21a
Instruction Fuzzy Hash: 472173B1A007098FCB60CEADC8C15AEFBF6FB94310F104929D15ADB654D730E8498B81

Function 06813B88 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada0be70219204f93d0d45411162e7974a72e0277178acb4f9cdf8db95dfc842
Instruction ID: 51fdc24acc566f4d832726d4e4cdd80e31d28efc78059d9154ab47b5383b29a4
Opcode Fuzzy Hash: ada0be70219204f93d0d45411162e7974a72e0277178acb4f9cdf8db95dfc842
Instruction Fuzzy Hash: 70219C71E016199FDB40EF79D840AAEB7F5FB48710F108065EA05EB390E734ED018B90

Function 0166D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2872561999.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_166d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060cda504a98124fbfa6bc7e2d19b9167a987aa570db4b968c06dce5656c68fe
Instruction ID: ca89f686ca6a293b19f9c7491dc8904b7e671c16457519c29bd110c5c4020f1b
Opcode Fuzzy Hash: 060cda504a98124fbfa6bc7e2d19b9167a987aa570db4b968c06dce5656c68fe
Instruction Fuzzy Hash: 41213471604240DFCB11DF58DEC0B26BBA9EB84314F24C56DD8894B356C33AD447CA62

Function 06816DB8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc382716b3488674429e6a0247ed9f73ec864a468477b5e595740b847f259640
Instruction ID: a1a7d630b28fee4e1f285f9336ac54ddffcc6f42fd4df24034a2033b879b851d
Opcode Fuzzy Hash: cc382716b3488674429e6a0247ed9f73ec864a468477b5e595740b847f259640
Instruction Fuzzy Hash: F321A231B101199FDF44DA69E95069EB7BAEB84314F248539D509EB340EB31ED818B85

Function 06813138 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd2dfd9af56818444209fab13acae08d3fcc7a9a04aae056421058f92488a0a
Instruction ID: 0f3b3158a77fdef73caaf98e7facff7c6d99826ba6679432fe065fcb4a6ec343
Opcode Fuzzy Hash: edd2dfd9af56818444209fab13acae08d3fcc7a9a04aae056421058f92488a0a
Instruction Fuzzy Hash: D211D071E002189BCB54DB79D8401EEFBBAEB89310F0085AAE00AEB300DE31D981CB91

Function 0681FD31 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5add58d4bc5e4b7d69c083234ae07b1126218c5fcb9bf469a62d78dd83b54cdb
Instruction ID: 3a8fbc2366776c4b4d0ddb759beb3f5ecf62af8c950f7a6ceb398a9f14470db6
Opcode Fuzzy Hash: 5add58d4bc5e4b7d69c083234ae07b1126218c5fcb9bf469a62d78dd83b54cdb
Instruction Fuzzy Hash: EF014536B101188BDF245A38F8953EEB3AAEBC4325F20053AEA09DB745CE359902C7C1

Function 06813C98 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb07b6ad466462ed20cf11f95d5a0bab9ca8aa291cf0a8614bbf71bcd29cbe7f
Instruction ID: 2c4a402c0566640ae05baeea95ab9f490e7cb7aa6d9f9615d1029a0c835179c8
Opcode Fuzzy Hash: cb07b6ad466462ed20cf11f95d5a0bab9ca8aa291cf0a8614bbf71bcd29cbe7f
Instruction Fuzzy Hash: D111A132B101286FDF549678CC14AAE77EAEBC8654B104039D50AEB344DE74EC068BD1

Function 06813ED0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ac5792bd126ca30a9d309971c80d99f51710cece755c211b4da70d208653a5
Instruction ID: 1a7db60bb9074bc9a2b83c56e4fac74198b5f8a3c12f8059369f776f95cea77a
Opcode Fuzzy Hash: 11ac5792bd126ca30a9d309971c80d99f51710cece755c211b4da70d208653a5
Instruction Fuzzy Hash: 13012435B145114FCB61D67CE86073EABEEDBCA710F18847AE10ECB342D9A6CC028395

Function 0681EE38 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f442884936363a820b21f73581c1c6a80b792d21802187ab3099019bf0d0896
Instruction ID: 5fcc69d403611a3b14912d97b7a0dd9109cd38fd58e0a9bfc04471ad1c826ddb
Opcode Fuzzy Hash: 4f442884936363a820b21f73581c1c6a80b792d21802187ab3099019bf0d0896
Instruction Fuzzy Hash: DA01D475B101114FCF51C57C985973E6BDACBCA624F14882AE50ACB341D925DD038391

Function 06813950 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9265ee49517f5a8aace7e8d19974616d03d080fcb6a67e1ff33dacb5695c80a5
Instruction ID: 4c9670735bbf7643992b4ef185f2199535826d88613638f5f302190d08956e27
Opcode Fuzzy Hash: 9265ee49517f5a8aace7e8d19974616d03d080fcb6a67e1ff33dacb5695c80a5
Instruction Fuzzy Hash: 5821E0B5D01259AFCB00CF9AD985ADEFBB4BB49324F10812AE918A7210C374A944CFA5

Function 0166D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2872561999.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_166d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
Instruction ID: 67279518f71b9865e5f5b1c4b97a5419ca3846eb69a3b172a7d7455e352d56b3
Opcode Fuzzy Hash: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
Instruction Fuzzy Hash: 5211BB75604280CFDB12CF58D9C4B15FFA1FB84318F28C6AAD8894B756C33AD44ACB62

Function 0681A3A8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b39330066b5bcc54b38c41d189c7e57d69a35c23eada6fe0592bd0dbab0c19
Instruction ID: d3d439379a3a2c9e0955cc58397af96dfc9c297379f4c6d8c89c5d38057a98ea
Opcode Fuzzy Hash: 26b39330066b5bcc54b38c41d189c7e57d69a35c23eada6fe0592bd0dbab0c19
Instruction Fuzzy Hash: 4F01B175B015104FDBA59678E96572E7BE9EB8A610F10842AE50ADB354ED20EC038391

Function 06813C8B Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4584a3ad0aaa286ba929c5b95236896af2bf93104efcd58f8f58b7a026663237
Instruction ID: 724670e8fa61c8100004dd89a4d06e441d5ac5169bba3b9aba552afee882a74e
Opcode Fuzzy Hash: 4584a3ad0aaa286ba929c5b95236896af2bf93104efcd58f8f58b7a026663237
Instruction Fuzzy Hash: E201F736F100296BDB559678CC147FFB7AE9BC8614F144036C50AEB244EE34DC0687D2

Function 06813958 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0859430052a78ffa893884376d5591982ef2307a201e357ab261a309100713
Instruction ID: 49970d54810931150e4c189e885152a844124dda20e852a580a8a0b6ce1a76f0
Opcode Fuzzy Hash: bb0859430052a78ffa893884376d5591982ef2307a201e357ab261a309100713
Instruction Fuzzy Hash: E711D3B1D012599FCB00CF9AD884ADEFBB4FB49324F10812AE518B7200C374A954CFA5

Function 06813EE0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4e41750b0d544212f545d94d331a1009de307f8e501b1b51e33f68c505dd34
Instruction ID: 803f71ad5f8a16465d77a064dc94dc6411e41e35be6fb53b83bf50583231d6f0
Opcode Fuzzy Hash: 3a4e41750b0d544212f545d94d331a1009de307f8e501b1b51e33f68c505dd34
Instruction Fuzzy Hash: 3901AD31B104110BDB64966DE85472EB6EECBC9720F108439F60ECB340EEA5DC024395

Function 0681EE48 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1403a40f07f1def0c4e5860bd82b82030f646383c61dc7a8a16bd92a51a5956d
Instruction ID: fb949919ae9a6b77d912ed380b07f3b406cfcc43471b3f0b3a1dbfd3d5890ce9
Opcode Fuzzy Hash: 1403a40f07f1def0c4e5860bd82b82030f646383c61dc7a8a16bd92a51a5956d
Instruction Fuzzy Hash: 6601A431B101155BCB65D57D945873EB7DEDBC9724F14883AEA0ECB340DE21DD024785

Function 0681A3B8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b095ad791ba1792448f51a2fc8834ec2e3a86f69078aa67790216ab05bfebe4
Instruction ID: 9a10c4d89af3fd206c01b6b433ea5a9f7318766ec645c19e2966907cdb2a19c3
Opcode Fuzzy Hash: 1b095ad791ba1792448f51a2fc8834ec2e3a86f69078aa67790216ab05bfebe4
Instruction Fuzzy Hash: 45016234B105144BDB64966CE85472EB7D9EB8A714F10843AE50ACB344DD21EC038795

Function 0681C880 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411d95643217c99fce9c14eb45e307b3d27ba41da2e0d6171cedd2c160f452cc
Instruction ID: cd93d8fd3add5b8ebdeeb499e47f55480d07162b997f6e92a0bdb9c824de7fb0
Opcode Fuzzy Hash: 411d95643217c99fce9c14eb45e307b3d27ba41da2e0d6171cedd2c160f452cc
Instruction Fuzzy Hash: 8201A432F502289BCF54AA6AE8816ADB77AE785754F008539EA01EB344DB35A8048B94

Function 06816519 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a308ea62ad423305384a139178c2c724e5fc66a4e744fd27a0d84fcf1a1883
Instruction ID: 7a44a458bc9c627f7bb658512b34e7144fb087426dbd9c0b6a3a41cb76f1f54b
Opcode Fuzzy Hash: 41a308ea62ad423305384a139178c2c724e5fc66a4e744fd27a0d84fcf1a1883
Instruction Fuzzy Hash: 75F06576E051859FCF91CA748E053AD3F6CAB02204F2049DAC488CF107F135C985CB41

Function 0681AFC0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18200f6d720b8296204dae624cf09ddf50557ce2f80f93682828e9826ca6c7f
Instruction ID: cb46751c7adb7dc818ad35704dce19372ee6a81e950380ed4f409f5df3967abd
Opcode Fuzzy Hash: e18200f6d720b8296204dae624cf09ddf50557ce2f80f93682828e9826ca6c7f
Instruction Fuzzy Hash: 04E09A76E1022C9BDF2499A8D80559EBBADE785760F00043BEA1AEB200D971AC058391

Function 06816528 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fc362adf4e5e3a3f16794ea433264828d66b0af6c2fdbecd420a34b2fbd6aa
Instruction ID: f30a4ce42df3165a60cf85ace0d53791e498db43b142cfec3c2279ff78916531
Opcode Fuzzy Hash: 27fc362adf4e5e3a3f16794ea433264828d66b0af6c2fdbecd420a34b2fbd6aa
Instruction Fuzzy Hash: 36E0C271E10108ABDF50DEB4C90579E77ACEB02304F2088A4D508CF202F172CA828780

Non-executed Functions

Function 06817740 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06817CDC
$^q, xrefs: 06817C3D
$^q, xrefs: 068178B1
$^q, xrefs: 06817CF2
$^q, xrefs: 068178A5
$^q, xrefs: 06817CE6
$^q, xrefs: 06817880
$^q, xrefs: 06817C31
$^q, xrefs: 06817CD0
$^q, xrefs: 06817874

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: fc446f74d86bc87593a2bf641f1568091acb760802d38ebe6967711eac635c37
Instruction ID: a9411ee07c834b61a1f5a03c5e66137862bbffdcd3caf6f6a0bbc2596719f4e5
Opcode Fuzzy Hash: fc446f74d86bc87593a2bf641f1568091acb760802d38ebe6967711eac635c37
Instruction Fuzzy Hash: 64120D30E002198FDB68EF69C954AADB7B6BF84704F2085ADD509EB354DB309D85CF91

Function 0681A9D8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 0681AB35
$^q, xrefs: 0681AB60
$^q, xrefs: 0681AB8A
$^q, xrefs: 0681AACE
$^q, xrefs: 0681AB54
$^q, xrefs: 0681AB29
$^q, xrefs: 0681AADA
$^q, xrefs: 0681AB96

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: cd9b656631921f4c2d9d5990989110467e06d05f64d39a7aa6a452b186f6b877
Instruction ID: 9199c2cc95932ba0c050a34b18aac2d5efdbbbef1e0d54e615d7448fd6439c94
Opcode Fuzzy Hash: cd9b656631921f4c2d9d5990989110467e06d05f64d39a7aa6a452b186f6b877
Instruction Fuzzy Hash: 50915A30A01209DFDB68EB69DA54B6EBBBABF84304F108529D401EB354DB759C85CB90

Function 06817140 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 068175DC
$^q, xrefs: 06817488
$^q, xrefs: 06817648
$^q, xrefs: 06817422
$^q, xrefs: 0681747C
$^q, xrefs: 06817654
.5vq, xrefs: 0681719B

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 39607706decb1c210a957d4568168d7dee33380d7f29713b6493e0f6d4f33917
Instruction ID: d5754dc99cb2807bb64b4d887e735398dc92977985dd294c0c0a81ea35876dbb
Opcode Fuzzy Hash: 39607706decb1c210a957d4568168d7dee33380d7f29713b6493e0f6d4f33917
Instruction Fuzzy Hash: 35F13B30A00208CFDB58EF69C594A6EB7B7FF84345F208569D4159B368DB31EC8ACB91

Function 06818478 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06818743
$^q, xrefs: 068186D2
$^q, xrefs: 06818737
$^q, xrefs: 068186DE

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 2c8368f3676aed10e306f13f8eafef78119518c3fe239d422df14336a5ea3dcf
Instruction ID: b7b2fbbe6104890df729b33ab9ae3da34be680d497fca3f21da1b2f6ac2abade
Opcode Fuzzy Hash: 2c8368f3676aed10e306f13f8eafef78119518c3fe239d422df14336a5ea3dcf
Instruction Fuzzy Hash: CFB14970E00208CFDB64EB68D9956AEB7B6FF88301F248969D406DB354DB74DC86CB91

Function 0681AD63 Relevance: 5.2, Strings: 4, Instructions: 169COMMON

Download Yara Rule

Strings

$^q, xrefs: 0681AF13
$^q, xrefs: 0681AEE4
$^q, xrefs: 0681AE91
$^q, xrefs: 0681AF3C

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 68eb4dd7d9faf6398281745f6298b45971df81066c07f09674109e4e735a66cf
Instruction ID: 9574547e5961e5e105b57c229aa05fb7bfc59ef0e13418fd2fd976ddcb6dc2a7
Opcode Fuzzy Hash: 68eb4dd7d9faf6398281745f6298b45971df81066c07f09674109e4e735a66cf
Instruction Fuzzy Hash: 3851A270E112088FDF69DB68D980AAEB7BAEF84311F108529D916DF354DB31DC45CB91

Function 06818890 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06818983
$^q, xrefs: 0681890F
$^q, xrefs: 0681891B
LR^q, xrefs: 068189D2

Memory Dump Source

Source File: 00000003.00000002.2878593387.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6810000_RegAsm.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 51fe8b6c317b15d618ad3106a130d15933f831ecb724a5531a1f7e6b8ee8ee3e
Instruction ID: 5ee097d2bca335cc7b30544d567c6954f9e28c96061a22296f971953a6e7b3f6
Opcode Fuzzy Hash: 51fe8b6c317b15d618ad3106a130d15933f831ecb724a5531a1f7e6b8ee8ee3e
Instruction Fuzzy Hash: 5551A270B002058FDB54EB28D951A6EB7EAFF89704F108569D506DF3A4DB30EC45CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rQuotation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Networking

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rQuotation.exe_e4f27283d01878559fa8842b7cf5abf4516a719_5a22651d_971fdfdb-35fe-474f-9556-a675ed73134a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12E6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1316.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF7.tmp.dmp

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
rQuotation.exe

Function 00007FFD9B89AB20 Relevance: 2.2, Strings: 1, Instructions: 931
COMMON

Function 00007FFD9B89CB84 Relevance: 2.0, Strings: 1, Instructions: 746
COMMON

Function 00007FFD9B895D85 Relevance: 1.6, Strings: 1, Instructions: 347
COMMON

Function 00007FFD9B89497A Relevance: 1.6, APIs: 1, Instructions: 139
memoryCOMMON

Function 00007FFD9B890DA5 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Function 06817E20 Relevance: 3.0, Strings: 2, Instructions: 474
COMMON

Function 0681AD70 Relevance: 10.4, Strings: 8, Instructions: 393
COMMON

Function 06793893 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Function 06793898 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre